=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-12-2016 18:00 − Thursday 22-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.2 ***
---------------------------------------------
V1.2 (December 21, 2016): The December 13, 2016, Security and Quality Rollup updates 3210137 and 3210138 contain a known issue that affects the .NET Framework 4.5.2 running on Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. The issue was also present in the November 15, 2016, Preview of Quality Rollup updates that were superseded by the December 13, 2016 Rollup updates. The issue causes applications that connect to an instance of Microsoft SQL Server on the same computer to generate the following error message: “provider: Shared Memory Provider, error: 15 - Function not supported”.
For more information, please refer to Knowledge Base Article 3214106.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-DEC
*** NIST Asks Public For Help With Quantum-Proof Cryptography ***
---------------------------------------------
chicksdaddy quotes a report from The Security Ledger: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help heading off what it calls "a looming threat to information security:" powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information. In a statement Tuesday, NIST asked the public to submit ideas for...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_VC9qbMlmm8/nist-asks-publi…
*** Mandatory HTTPS for apps: Apple extends deadline ***
---------------------------------------------
iPhone and iPad apps were originally supposed to stop communicating over unencrypted HTTP connections by the end of the year; Apple has now granted additional time for the transition.
---------------------------------------------
https://heise.de/-3579891
*** vSphere Data Protection: VMware removes hard-coded root key ***
---------------------------------------------
Attackers are reportedly able to take over the backup and recovery solution for virtual machines with comparatively little effort. Security patches are available for download.
---------------------------------------------
https://heise.de/-3579872
*** Security Alert: Malicious Script Injections Spread Cerber Ransomware, Make Use of Nemucod Downloader ***
---------------------------------------------
This ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems.
Using a malware cocktail to drive infection rates
The cybercriminals behind the campaign are compromising legitimate websites by injecting malicious scripts. The injects then redirect the victims' Internet traffic to a Cerber gateway...
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-malicious-script-injections…
*** Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units ***
---------------------------------------------
In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC) and other political organizations that utilized a well-known implant commonly called X-Agent. X-Agent is a cross-platform remote access toolkit; variants have been identified for various Windows operating systems, Apple's iOS, and likely macOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade. CrowdStrike associates the...
---------------------------------------------
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian…
*** Writing Burp Extensions (Shodan Scanner) ***
---------------------------------------------
In this article, we will have an overview of writing Burp extensions. At the end of the post, we will have an extension that will take any HTTP request, determine the IP address of the domain and get specific information using the Shodan API. I have divided the article into the following hierarchy so that you can...
---------------------------------------------
http://resources.infosecinstitute.com/writing-burp-extensions-shodan-scanne…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-12-2016 18:00 − Wednesday 21-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** PrestaShop Attack Steals Login Credentials ***
---------------------------------------------
Attackers compromise sites with a number of goals in mind – also referred to as actions on objective. In some instances they aim to abuse resources or gain SEO power, and in others they are seeking access to sensitive data, also known as data exfiltration. The ..
---------------------------------------------
https://blog.sucuri.net/2016/12/prestashop-attack-steals-login-credentials.…
*** Data Center Physical Security ***
---------------------------------------------
A data center is the epicenter of any online infrastructure. A data center’s size can vary widely, depending on an organization’s needs. Broadly speaking, a ..
---------------------------------------------
http://resources.infosecinstitute.com/data-center-physical-security/
*** DSA-3741 tor - security update ***
---------------------------------------------
It was discovered that Tor, a connection-based low-latency anonymous communication system, ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3741
*** Kaspersky updates RannohDecryptor to decrypt CryptXXXs Crypt, Cryp1, and Crypz Extensions ***
---------------------------------------------
If you are a CryptXXX ransomware victim who didn't pay the ransom and instead decided to store your encrypted files and ransom notes for future fixes, then you ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kaspersky-updates-rannohdecr…
*** 33c3 programme: What to expect from the hacker congress ***
---------------------------------------------
From 27 to 30 December the annual hacker gathering of the Chaos Computer Club (CCC) takes place in Hamburg for the 33rd time. The Fahrplan (schedule) and the wiki give a first overview of the programme.
---------------------------------------------
https://futurezone.at/netzpolitik/33c3-programm-was-vom-hacker-kongress-zu-…
*** Netgear security vulnerability: updates ready for four affected routers ***
---------------------------------------------
Firmware updates are now available for the routers R6250, R6400, R7000 and R8000. Installing the updates is strongly recommended. For a further seven routers with the vulnerability, only the beta version is available for download so far.
---------------------------------------------
https://heise.de/-3578415
*** Antivirus software: the snake-oil industry ***
---------------------------------------------
Users and system administrators regard antivirus programs as indispensable. But many IT security experts are extremely sceptical. Antivirus software is often itself full of security holes, and it has very fundamental limits.
---------------------------------------------
http://www.golem.de/news/antivirensoftware-die-schlangenoel-branche-1612-12…
*** Panasonic Plays Down Security Bugs Found in Airplane In-Flight Entertainment Systems ***
---------------------------------------------
Security firm IOActive published research yesterday detailing security flaws in ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panasonic-plays-down-securit…
*** How Skype fixes security vulnerabilities ***
---------------------------------------------
This post describes my fruitless effort to convince Microsoft employees that their service is vulnerable, and the humiliation one has to go through should one’s account be blocked by a hacker. This is a story of ignorance, pain and despair.
---------------------------------------------
https://hub.zhovner.com/geek/how-skype-fixes-security-vulnerabilities/
*** Popular passwords: "Arschloch" among the top ten ***
---------------------------------------------
http://derstandard.at/2000049660283
*** Berlin attack: DDoS attack on the police tip-off portal ***
---------------------------------------------
http://derstandard.at/2000049672324
*** Linux/Rakos, the new Linux malware threatening devices and servers ***
---------------------------------------------
A new Linux malware, dubbed Linux/Rakos, is threatening devices and servers. The malware searches for victims via SSH scanning ..
---------------------------------------------
http://securityaffairs.co/wordpress/54603/malware/linuxrakos-malware.html
*** XSA-203 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-203.html
*** XSA-202 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-202.html
*** Analysis: "hallo" is Germany's most-used password ***
---------------------------------------------
An analysis of passwords from freely accessible data leaks has found that the most-used passwords in Germany are anything but secure. After "hallo", the classics "passwort" and "passwort1" also appear on the list.
---------------------------------------------
http://www.golem.de/news/auswertung-hallo-ist-deutschlands-meistgenutztes-p…
*** Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 19-12-2016 18:00 − Tuesday 20-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** OpenSSH says goodbye to SSHv1 ***
---------------------------------------------
The just-released OpenSSH 7.4 removes server-side support for the obsolete SSHv1 protocol. In August it is to be buried entirely. There are also a few bug fixes.
---------------------------------------------
https://heise.de/-3576071
*** Adobe Releases Flash Player 24 for Linux Four Years After the Last Major Update ***
---------------------------------------------
Adobe released today Flash Player 24 for Linux, after previously abandoning the application without explanation in 2012. Flash Player for Linux is now on par with Windows and ..
---------------------------------------------
https://www.bleepingcomputer.com/news/software/adobe-releases-flash-player-…
*** ShadowBrokers Dump Came from Internal Code Repository, Insider ***
---------------------------------------------
Researchers at Flashpoint said their analysis of the latest ShadowBrokers dump of NSA tools leads them to believe an insider with access to a code repository stole the data.
---------------------------------------------
http://threatpost.com/shadowbrokers-dump-came-from-internal-code-repository…
*** Raiding the Piggy Bank: Webshell Secrets Revealed ***
---------------------------------------------
Introduction
A recent investigation into credit card fraud that was enabled by a webshell revealed several ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Raiding-the-Piggy-Bank-…
*** Unrestricted Backend Login Backdoor on OpenCart ***
---------------------------------------------
From the attacker’s perspective, creating ways to maintain access to a compromised website is desirable. We call them backdoors. Backdoors can be done in different ways, either by adding fake admin users to the site, or ..
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** "How do you say Ground Hog Day in Ukrainian?" ***
---------------------------------------------
http://ics.sans.org/blog/2016/12/20/how-do-you-say-ground-hog-day-in-ukrain…
*** XSA-204 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-204.html
*** Ubuntu: severe bug allows smuggling in malicious code ***
---------------------------------------------
The crash reporter turned out to be an unintended point of entry; Canonical fixes the bug with an update.
---------------------------------------------
http://derstandard.at/2000049548961
*** Crypto messenger Signal blocked in Egypt ***
---------------------------------------------
Signal has apparently been blocked in Egypt since the weekend. The operator of the crypto messenger ..
---------------------------------------------
https://heise.de/-3576578
*** Nagios Core is vulnerable: security holes in server monitoring software ***
---------------------------------------------
Nagios Core, a server monitoring software, currently has two critical security vulnerabilities. Through them, attackers can gain complete control of the system. The current version 4.2.4 closes the holes.
---------------------------------------------
https://heise.de/-3576359
*** Project Wycheproof: probing crypto implementations for security ***
---------------------------------------------
From AES via ECDH to RSA: with Google's Project Wycheproof, admins can run a collection of tests against their servers to check the security of their crypto function configuration.
---------------------------------------------
https://heise.de/-3576686
*** Ethereum Cryptocurrency Forum Suffers Data Breach ***
---------------------------------------------
Administrators of the Ethereum Project have announced today a data breach that affected over 16,500 users of the platform's community forums. The breach took place ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ethereum-cryptocurrency-foru…
*** Turkey apparently blocking access to Tor with deep packet inspection ***
---------------------------------------------
Turkish providers have apparently been blocking direct access to the anonymisation service Tor since the weekend. Deep packet inspection is apparently being used to identify the connection attempts.
---------------------------------------------
https://heise.de/-3577109
*** Alice: A Lightweight, Compact, No-Nonsense ATM Malware ***
---------------------------------------------
Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweigh…
*** Official forum of the cryptocurrency Ethereum hacked ***
---------------------------------------------
Unknown attackers have siphoned off data on around 16,500 users. This includes passwords, most of which, however, are protected with a method considered secure.
---------------------------------------------
https://heise.de/-3577111
*** Op-ed: Why I’m not giving up on PGP ***
---------------------------------------------
http://arstechnica.com/information-technology/2016/12/signal-does-not-repla…
*** Fake card complete e-mail: Your card has been blocked! ***
---------------------------------------------
Criminals are sending out a fake card complete message. In it they claim that the bank has blocked the card. Customers are therefore supposed to ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-card-complete-mail-i…
*** VMSA-2016-0023 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0023.html
*** Router security vulnerability: Netgear delivers first final firmware updates ***
---------------------------------------------
Following the serious security vulnerability, Netgear is making the first updates available. For seven affected routers only beta versions are available so far.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-bei-routern-netgear-liefert-erst…
*** Report: $3-5M in Ad Fraud Daily from ‘Methbot’ ***
---------------------------------------------
New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video ..
---------------------------------------------
https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-meth…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 16-12-2016 18:00 − Monday 19-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: Exim CVE-2016-9963 Unspecified Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94947
*** Blocking Powershell Connection via Windows Firewall. ***
---------------------------------------------
In my last post, I mapped controls to stop a malicious doc calling out via PowerShell. I'm now going to cover how using the Windows firewall can stop the attack ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21829
*** The banker that encrypted files ***
---------------------------------------------
Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.
---------------------------------------------
http://securelist.com/blog/research/76913/the-banker-that-encrypted-files/
*** IBM Security Bulletin: Code execution vulnerability in IBM MessageSight (CVE-2016-5983) ***
---------------------------------------------
There is a potential code execution vulnerability in WebSphere Application Server Liberty Profile ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21995510
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server ***
---------------------------------------------
The following security issues have been identified in WebSphere Application Server ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995683
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-5983, CVE-2016-2923, CVE-2016-3092) ***
---------------------------------------------
IBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995686
*** IBM Security Bulletin: Reflected XSS vulnerability in IBM Campaign (CVE-2016-0265) ***
---------------------------------------------
Reflected cross-site scripting vulnerability affecting IBM Campaign has been addressed. CVE(s): CVE-2016-0265 ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21986033
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 15-12-2016 18:00 − Friday 16-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** My Yahoo Account Was Hacked! Now What? ***
---------------------------------------------
Many readers are asking what they should be doing in response to Yahoo's disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format.
---------------------------------------------
https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/
*** 0-days hitting Fedora and Ubuntu open desktops to a world of hurt ***
---------------------------------------------
If your desktop runs a mainstream release of Linux, chances are you're vulnerable.
---------------------------------------------
http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-h…
*** One, if by email, and two, if by EK: The Cerbers are coming!, (Fri, Dec 16th) ***
---------------------------------------------
Introduction
"One, if by land, and two, if by sea" is a phrase used by American poet Henry Wadsworth Longfellow in his poem "Paul Revere's Ride", first published in 1861. Longfellow's poem tells a somewhat fictionalized tale of Paul Revere in 1775 during the American Revolution. If British troops came to attack by land, Paul would hang one lantern in a church tower as a signal light. If British troops came by sea, Paul would hang two lanterns. Much like the British arriving by land or by sea, Cerber
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21823&rss
*** Phishing: "There are still plenty of victims" ***
---------------------------------------------
Olaf Schwarz, Information Security Officer at the direct bank ING-DiBa Austria, on phishing and other fraud methods in online banking.
---------------------------------------------
https://futurezone.at/digital-life/phishing-es-gibt-immer-noch-genuegend-op…
*** Hacker attack on Thyssenkrupp: Winnti spies on German industry ***
---------------------------------------------
The attack on Thyssenkrupp is said to be the work of the hacker group Winnti, which previously attacked gaming platforms. Further German companies are said to be affected.
---------------------------------------------
http://www.golem.de/news/hackerangriff-auf-thyssenkrupp-winnti-spioniert-de…
*** Microsoft to ditch Flash - sort of ***
---------------------------------------------
Edge is getting more granular Flash controls, but that means you won't have to have it on for all sites just so it's on for one.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/12/16/microsoft-to-ditch-flash-sort-o…
*** Mac password can be read out via Thunderbolt ***
---------------------------------------------
With off-the-shelf hardware, an attacker can grab the password, which is held in plaintext, in around 30 seconds and thereby defeat Apple's FileVault disk encryption.
---------------------------------------------
https://heise.de/-3573385
*** Linux security: Ubuntu bug allows execution of malicious code ***
---------------------------------------------
A severe bug in Ubuntu's crash handler Apport allows attackers to execute arbitrary code remotely on a target machine.
---------------------------------------------
http://www.golem.de/news/linux-sicherheit-ubuntu-bug-ermoeglicht-das-ausfue…
*** Smart Airports: How to protect airport passengers from cyber disruptions ***
---------------------------------------------
ENISA publishes a study on "Securing smart airports" providing airport decision makers and security personnel a concrete guide on preventing cyber-attacks and disruptions.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/smart-airports-how-to-protect-a…
*** Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161216-…
*** SSA-856492 (Last Update 2016-12-16): Limited Entropy in PRNG of Desigo PX Web Modules ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492…
*** Bugtraq: [security bulletin] HPSBMU03684 rev.1 - HPE Version Control Repository Manager (VCRM), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539934
*** DFN-CERT-2016-2081: Red Hat JBoss Core Services: Multiple vulnerabilities allow, among other things, execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2081/
*** Security Advisory: TMM vulnerability CVE-2016-9247 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/33/sol33500120.html?…
*** Security Advisory: BIG-IP TMM iRules vulnerability CVE-2016-5024 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/92/sol92859602.html?…
*** Sentinel 8.0.0 P1 (Sentinel 8.0.0.1) Build 3404 ***
---------------------------------------------
Abstract: Sentinel 8.0.0.1 upgrade patch for Sentinel 7 and 8
Document ID: 5264730
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files:
- sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz (65.02 MB)
- sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz.sha256 (117 bytes)
- sentinel_server-8.0.0.1-3404.x86_64.tar.gz (2.09 GB)
- sentinel_server-8.0.0.1-3404.x86_64.tar.gz.sha256 (109 bytes)
Products: Sentinel 7, Sentinel, Sentinel 7.3, Sentinel 7.3.1, Sentinel 7.3.2, Sentinel 7.4, Sentinel 7.3.3, Sentinel
---------------------------------------------
https://download.novell.com/Download?buildid=3iJxPcG2H9M~
*** Fatek Automation PLC WinProladder Stack-Based Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Fatek Automation's PLC WinProladder application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01
*** OmniMetrix OmniView Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in OmniMetrix's OmniView web application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-350-02
*** Multiple SONY Videoconference Systems do not properly perform authentication ***
---------------------------------------------
Multiple SONY Videoconference Systems do not properly perform authentication.
---------------------------------------------
http://jvn.jp/en/jp/JVN42070907/
*** ZDI-16-670: Avira Free Antivirus ssmdrv Kernel Driver Memory Corruption Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows attackers to escalate privileges on vulnerable installations of Avira Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-670/
*** ZDI: Autodesk Design Review Remote Code Execution Vulnerabilities ***
---------------------------------------------
*** ZDI-16-669: Autodesk Design Review JFIF Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-669/
---------------------------------------------
*** ZDI-16-668: Autodesk Design Review PNG Use-After-Free Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-668/
---------------------------------------------
*** ZDI-16-667: Autodesk Design Review BMP Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-667/
---------------------------------------------
*** ZDI-16-666: Autodesk Design Review FLI Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-666/
---------------------------------------------
*** ZDI-16-665: Autodesk Design Review GIF LZW Out-Of-Bounds Indexing Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-665/
---------------------------------------------
*** ZDI-16-664: Autodesk Design Review JPEG DHT Out-Of-Bounds Indexing Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-664/
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM StoredIQ (CVE-2016-2177, CVE-2016-2178, CVE-2016-2180) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994870
---------------------------------------------
*** IBM Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher affects Communications Server for Data Center Deployment, Communications Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21995057
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993842
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2016-3485 CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=swg21990635
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024669
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 14-12-2016 18:00 − Thursday 15-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** No More Ransom Project Expands with 34 New Partners, 32 New Free Decryption Tools ***
---------------------------------------------
The "No More Ransom" project, set up in July by Intel Security, Kaspersky Lab, Europol, and the Dutch National police to help victims of ransomware infections, has expanded today with 34 new partners, and 32 new decryptors that can help ransomware victims unlock their files for free. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/no-more-ransom-project-expan…
*** Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe ***
---------------------------------------------
Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. Microsoft researchers have encountered twin threat activity groups that appear to target individuals for...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-p…
*** Yahoo has to confess another mass hack: one billion victims ***
---------------------------------------------
In September Yahoo disclosed a hack of over half a billion user accounts. Yahoo has now broken that record: this time it concerns over one billion accounts. On top of that come targeted attacks using forged cookies.
---------------------------------------------
https://heise.de/-3570674
*** Mobile Ransomware: How to Protect Against It ***
---------------------------------------------
In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what the bad guys can do, we'll discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other researchers, we hope to improve the industry's collective knowledge on mobile ransomware mitigation.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XaGWjnUqHoY/
*** DefCamp Romania 2016 Videos and Slides ***
---------------------------------------------
November 10-11, 2016, Bucharest, Romania
---------------------------------------------
https://def.camp/archives/2016/
*** The Kings in Your Castle, Pt #5 ***
---------------------------------------------
The last part in the article series about analyzing modern APTs deals with naming and attribution of APTs. This is far less trivial than it sounds. Analysts are often facing the same enemy all over again without realizing it.
---------------------------------------------
https://blog.gdatasoftware.com/2016/12/29379-the-kings-in-your-castle-pt-5
*** Security vulnerabilities: updates also for older macOS versions ***
---------------------------------------------
Besides the vulnerabilities patched in macOS Sierra and the Safari browser, Apple has also released security updates for OS X El Capitan and Yosemite. These fix a critical vulnerability.
---------------------------------------------
https://heise.de/-3572108
*** Ask Sucuri: How to Stop Brute Force Attacks? ***
---------------------------------------------
Again, there is no mystery to this: Enforce a strong password for all the users and a brute force attack will not succeed. The underlying problem, however, is a bit more complicated
---------------------------------------------
https://blog.sucuri.net/2016/12/ask-sucuri-how-to-stop-brute-force-attacks.…
*** A Backdoor in Skype for Mac OS X ***
---------------------------------------------
Trustwave recently reported a locally exploitable issue in the Skype Desktop API for Mac OS X, which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API (previously known as the Skype...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/A-Backdoor-in-Skype-for-Mac-…
*** 5 Best Password Auditing Tools ***
---------------------------------------------
A single weak password exposes your entire network to an external threat. Password hacking is one of the most critical and commonly exploited network security threats. In many ways, passwords should be viewed as your first line of defense where protecting your company's data is concerned. The huge number of data breaches occurs because someone...
---------------------------------------------
http://resources.infosecinstitute.com/5-best-password-auditing-tools/
*** DFN-CERT-2016-2040: Netgear routers: a vulnerability allows execution of arbitrary code with administrator privileges ***
---------------------------------------------
Version 3 (2016-12-15 15:42)
The vendor has updated the referenced security advisory and also confirms that the DSL modems with model numbers D6220 and D6400 are vulnerable. Beta-status firmware updates are now available as a temporary fix for all vulnerable Wi-Fi and DSL routers. Netgear continues to work on a production version of the firmware for all affected devices.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2040/
*** Remote shell execution vulnerability affects Good Enterprise Mobility Server (BSRT-2016-008) ***
---------------------------------------------
This advisory addresses a remote shell execution vulnerability that has been discovered in Good Enterprise Mobility Server (GEMS). BlackBerry is not aware of any exploitation of this vulnerability. Customer risk is limited by the requirement that a potential attacker possess access to the internal network and by the functionality of the Karaf command shell.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038814
*** Bugtraq: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539925
*** F5 Security Advisory: Kerberos vulnerability CVE-2014-4343 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15553.htm…
*** Sentinel 7.4 SP4 (Sentinel 7.4.4.0) Build 2904 ***
---------------------------------------------
Abstract: Sentinel 7.4.3 upgrade for Sentinel 7.4
Document ID: 5264470
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: sentinel_server-7.4.4.0-2904.x86_64.tar.gz (1.74 GB), sentinel_server-7.4.4.0-2904.x86_64.tar.gz.sha256 (109 bytes)
Products: Sentinel, Sentinel 7.4.4, Sentinel 7.X, Sentinel 7.2, Sentinel 7.4, Sentinel 7.3, Sentinel 7.2.1, Sentinel 7.2.2, Sentinel 7.3.1, Sentinel 7.3.2, Sentinel 7.4.1, Sentinel 7.4.2, Sentinel 7.3.3, Sentinel 7.4.3, Sentinel 7.3.4
Superseded Patches: Sentinel 7.4 SP3
---------------------------------------------
https://download.novell.com/Download?buildid=RaGN-vIdupQ~
*** Security Advisory - Stack Overflow Vulnerability in Drive of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161215-…
*** SAP ***
---------------------------------------------
*** Vuln: SAP Mobile Defense & Security Remote Authorization Bypass Vulnerability ***
http://www.securityfocus.com/bid/94902
---------------------------------------------
*** Vuln: SAP HANA Cockpit Cross Site Scripting Vulnerability ***
http://www.securityfocus.com/bid/94897
---------------------------------------------
*** Vuln: SAP HANA Remote Authorization Bypass Vulnerability ***
http://www.securityfocus.com/bid/94898
---------------------------------------------
*** Vuln: SAP HANA XS Classic Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94896
---------------------------------------------
*** Vuln: SAP HANA Cockpit Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94910
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances allow web pages to be stored locally (CVE-2016-3024) ***
http://www.ibm.com/support/docview.wss?uid=swg21995340
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3021) ***
http://www.ibm.com/support/docview.wss?uid=swg21995436
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3023) ***
http://www.ibm.com/support/docview.wss?uid=swg21995348
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to incorrect permission assignment (CVE-2016-3022) ***
http://www.ibm.com/support/docview.wss?uid=swg21995360
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by cross-site scripting vulnerabilities (CVE-2016-3018) ***
http://www.ibm.com/support/docview.wss?uid=swg21995347
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to misconfiguration (CVE-2016-3017) ***
http://www.ibm.com/support/docview.wss?uid=swg21995519
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability related to code integrity checking (CVE-2016-3016) ***
http://www.ibm.com/support/docview.wss?uid=swg21995518
---------------------------------------------
*** IBM Security Bulletin: IBM Notes is affected with Open Source Apache Struts Vulnerabilities (CVE-2016-1181, CVE-2016-1182) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988182
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989337
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-3627) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991909
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995989
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM WebSphere MQ V6.0 on OpenVMS Alpha and Itanium platforms (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21995922
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affect IBM BigFix Compliance Analytics. (CVE-2016-6316, CVE-2016-6317) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991913
---------------------------------------------
*** IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2016-6033) ***
http://www.ibm.com/support/docview.wss?uid=swg21995545
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Frame Scripting issue (CVE-2016-5984) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991682
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. (CVE-2016-3485, CVE-2016-3498, CVE-2016-3552, CVE-2016-3503) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991910
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an SQL Injection vulnerability (CVE-2016-3046) ***
http://www.ibm.com/support/docview.wss?uid=swg21995527
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information disclosure vulnerability (CVE-2016-3045) ***
http://www.ibm.com/support/docview.wss?uid=swg21995435
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3043) ***
http://www.ibm.com/support/docview.wss?uid=swg21995446
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4483) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991911
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 13-12-2016 18:00 − Wednesday 14-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Facebook helps companies detect rogue SSL certificates for domains ***
---------------------------------------------
Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge. The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificates that they issue. Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best,...
---------------------------------------------
http://www.cio.com/article/3149737/security/facebook-helps-companies-detect…
*** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2016.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-DEC
*** Patch day: critical holes in Edge, Windows & Co. ***
---------------------------------------------
Microsoft is releasing a total of twelve security updates in December. In the worst case, attackers can hijack victims' computers simply by having them open a manipulated website.
---------------------------------------------
https://heise.de/-3569916
*** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking ***
---------------------------------------------
In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/13/msrt-december-2016-addr…
*** "Statistically speaking": encryption trojans - a multi-million business ***
---------------------------------------------
Petya, Goldeneye - these and other ransomware trojans have made many users worldwide pay up. Willingness to pay depends not least on recommendations from the authorities. How much has been paid so far, and where, is shown by a new...
---------------------------------------------
https://heise.de/-3569888
*** Malvertising Campaign Infects Your Router Instead of Your Browser ***
---------------------------------------------
Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malvertising-campaign-infect…
*** Modbus Stager: Using PLCs as a payload/shellcode distribution system ***
---------------------------------------------
This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the Internet, I wondered whether it would be possible to take advantage of the processing and memory provided by them to store a certain payload so that it can be recovered later (from the stager).
---------------------------------------------
http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
*** UAC Bypass in JScript Dropper ***
---------------------------------------------
What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc.
---------------------------------------------
https://isc.sans.edu/diary/UAC+Bypass+in+JScript+Dropper/21813
*** Sophos closes Dirty Cow hole in UTM security suite ***
---------------------------------------------
Sophos's Unified Threat Management solution receives security updates that close several vulnerabilities.
---------------------------------------------
https://heise.de/-3570179
*** Electronic Safe Lock Analysis: Part 2 ***
---------------------------------------------
After performing an initial tear-down, we were able to map out the device's behaviors and attack surface. We then narrowed our efforts on analyzing the device's BLE wireless communication. The Prologic B01's main feature is that it can be unlocked by a mobile Android or iOS device over BLE. The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away.
---------------------------------------------
http://www.somersetrecon.com/blog/2016/10/14/electronic-safe-lock-analysis-…
*** Microsoft Fixes Windows 10 Issue That Knocked People off the Internet ***
---------------------------------------------
Microsoft has released KB3206632, a Windows update that fixes an issue introduced in an earlier update that crashed the CDPSVC service and prevented some users from receiving IP address information via the DHCP protocol, used by both home and enterprise-grade routers to connect users to the Internet. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-…
*** Xen Security Advisory 200 (CVE-2016-9932) - x86 CMPXCHG8B emulation fails to ignore operand size override ***
---------------------------------------------
Impact: A malicious unprivileged guest may be able to obtain sensitive information from the host.
---------------------------------------------
http://seclists.org/oss-sec/2016/q4/662
*** PHP: imagefilltoborder stackoverflow on truecolor images (CVE 2016-9933) ***
---------------------------------------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64-bit platform.
---------------------------------------------
https://bugs.php.net/bug.php?id=72696
*** Joomla! Security Announcements ***
---------------------------------------------
*** [20161203] - Core - Information Disclosure ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/EY3UcBwQtzI/666-20161203-c…
---------------------------------------------
*** [20161202] - Core - Shell Upload ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/fI7Ty93n-Rk/665-20161202-c…
---------------------------------------------
*** [20161201] - Core - Elevated Privileges ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/OjvlaBoXTCU/664-20161201-c…
---------------------------------------------
*** [20161204] - Misc. Security Hardening ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/jYB3ItEGbWQ/667-20161204-m…
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** Filr 2.0 - Security Update 3 ***
https://download.novell.com/Download?buildid=Am-_TGOll0g~
---------------------------------------------
*** Filr 3.0 - Security Update 1 ***
https://download.novell.com/Download?buildid=Qct0ao9jRAI~
---------------------------------------------
*** IDM 4.5 Delimited Text Driver 4.0.2.0 ***
https://download.novell.com/Download?buildid=hX_xlukrkNY~
---------------------------------------------
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in Wi-FI Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei Firewall ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - E-mail Information Leak Vulnerability in Android System ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** ICS-CERT Advisories ***
---------------------------------------------
*** Visonic PowerLink2 Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-01
---------------------------------------------
*** Moxa DACenter Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-02
---------------------------------------------
*** Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-03
---------------------------------------------
*** Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04
---------------------------------------------
*** Siemens S7-300/400 PLC Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-05
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016 - Includes Oracle Oct 2016 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset analyzer. (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995883
---------------------------------------------
*** IBM Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995455
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in BIND affects IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994505
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009647
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009554
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ***
http://www.ibm.com/support/docview.wss?uid=swg21995129
---------------------------------------------
*** IBM Security Bulletin: Password disclosure vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware vSphere GUI (CVE-2016-6034) ***
http://www.ibm.com/support/docview.wss?uid=swg21995544
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5986 ***
http://www.ibm.com/support/docview.wss?uid=swg21995745
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure in WebSphere Application Server ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991469
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Spectrum Control formerly Tivoli Storage Productivity Center (CVE-2016-8941, CVE-2016-8942, CVE-2016-8943) ***
http://www.ibm.com/support/docview.wss?uid=swg21995128
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 12-12-2016 18:00 − Tuesday 13-12-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** (Adobe) Security Bulletins Posted ***
---------------------------------------------
- Adobe Animate (APSB16-38)
- Adobe Flash Player (APSB16-39)
- Adobe Experience Manager Forms (APSB6-40)
- Adobe DNG Converter (APSB16-41)
- Adobe Experience Manager (APSB16-42)
- Adobe InDesign (APSB16-43)
- Adobe ColdFusion Builder (APSB16-44)
- Adobe Digital Editions (APSB16-45)
- Adobe RoboHelp (APSB16-46)
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1426
*** The importance of cryptography for the digital society ***
---------------------------------------------
Following the Council meeting on 8th and 9th December 2016 in Brussels, ENISA's paper gives an overview into aspects around the current debate on encryption, while highlighting the Agency's key messages and views on the topic.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/the-importance-of-cryptography-…
*** Vuln: PHP ext/wddx/wddx.c Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94846
*** Vuln: PHP ext/standard/var.c Incomplete Fix Use After Free Remote Code Execution Vulnerability ***
---------------------------------------------
Use After Free in PHP7 unserialize()
---------------------------------------------
http://www.securityfocus.com/bid/94849
*** Unrestricted Backend Login Backdoor Method Seen in OpenCart ***
---------------------------------------------
From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach in OpenCart version 1.5.6.4.
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** State of the Web 2016: every second website is a security risk ***
---------------------------------------------
Vulnerabilities on the internet keep increasing, Menlo Security states in its "State of the Web" report. Loading external content via advertising networks and content delivery networks plays an important role.
---------------------------------------------
https://heise.de/-3569114
*** Netgear hole more dramatic than assumed, first security updates ***
---------------------------------------------
The highly critical hole in the web interface affects considerably more Netgear routers than previously assumed. For a handful of devices the vendor has meanwhile released a beta firmware that fixes the problem.
---------------------------------------------
https://heise.de/-3569299
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995588
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Oct 2016 Includes Oracle Oct 2016 CPU affect Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21995474
---------------------------------------------
*** IBM Security Bulletin: Vulnerability CVE-2016-7099 and CVE-2016-5325 in Node.js affects IBM i ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021765
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Enterprise Content Management System Monitor (CVE-2016-6304, CVE-2016-2177) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995038
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Enterprise Content Management System Monitor (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995042
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, BIND and Libreswan affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994231
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat , Commons FileUpload affect IBM Enterprise Content Management System Monitor (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995043
---------------------------------------------
*** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ***
http://www.ibm.com/support/docview.wss?uid=swg21994534
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL and PHP affect IBM Tealeaf Customer Experience (CVE-2016-2107, CVE-2016-6290, CVE-2016-7125) ***
http://www.ibm.com/support/docview.wss?uid=swg21992307
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg21994537
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 09-12-2016 18:00 − Monday 12-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Windows 10: protection, detection, and response against recent Depriz malware attacks ***
---------------------------------------------
A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers and, in many cases, rendered them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-d…
*** Microsoft Edge's malware alerts can be faked, researcher says ***
---------------------------------------------
Fiddle with a URL and you can pop up and tell users to do anything
Technical support scammers have new bait with the discovery that Microsoft's Edge browser can be abused to display native and legitimate-looking warning messages.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/microsoft_e…
*** New Ransomware Offers The Decryption Keys If You Infect Your Friends ***
---------------------------------------------
MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes: "With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BAJPIfARkR0/new-ransomware-…
*** Escaping a restricted shell ***
---------------------------------------------
The help command outputs this list of available commands we can use. It's almost basically the web interface disguised as a shell session; well, not really, but I'm sure you guys got the point. So let's begin with the command substitution (a.k.a. command injection) technique:...
---------------------------------------------
https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/
*** Zcash, or the return of malicious miners ***
---------------------------------------------
Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies. This has led to the revival of a particular type of cybercriminal activity - the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.
---------------------------------------------
https://securelist.com/blog/research/76862/zcash-or-the-return-of-malicious…
*** 5 Questions to Ask your IoT Vendors; But Do Not Expect an Answer. ***
---------------------------------------------
1 - For how long, after I purchase a device, should I expect security updates?
2 - How will I learn about security updates?
3 - Can you share a pentest report for your device?
4 - How can I report vulnerabilities?
5 - If you use encryption, then disclose what algorithms you use and how it is implemented
---------------------------------------------
https://isc.sans.edu/diary/5+Questions+to+Ask+your+IoT+Vendors%3B+But+Do+No…
*** VB2016 paper: Modern attacks on Russian financial institutions ***
---------------------------------------------
Today, we publish the VB2016 paper and presentation (recording) by ESET researchers Jean-Ian Boutin and Anton Cherepanov, in which they look at sophisticated attacks against Russian financial institutions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/december/vb2016-paper-modern-attack…
*** Pentesting ICS Systems ***
---------------------------------------------
Security of ICS systems is one of the most critical issues of this last year. In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS-based systems. Introduction: Industrial control system (ICS) is a term that includes many types of control systems and instrumentation...
---------------------------------------------
http://resources.infosecinstitute.com/pentesting-ics-systems/
*** Ongoing Windows update bug woes affecting all ISPs ***
---------------------------------------------
Virgin also advising customers knocked offline. An ongoing software update bug on Windows 8 and 10 appears to be affecting users of several UK ISPs, with Virgin Media the latest provider to admit the problem is knocking a number of its customers offline.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/ongoing_win…
*** Netgear routers trivially attackable, no patch in sight yet ***
---------------------------------------------
The web interface of some Netgear routers apparently contains a critical security vulnerability that attackers can easily exploit to execute code with root privileges. So far, only an unorthodox approach offers protection: users are supposed to exploit the vulnerability themselves.
---------------------------------------------
https://heise.de/-3568679
*** DDoS tool encourages users to compete against each other for points ***
---------------------------------------------
Sledgehammer tool encourages hackers to launch DDoS attacks - but there's a sting in the tail
---------------------------------------------
https://nakedsecurity.sophos.com/2016/12/12/ddos-tool-encourages-users-to-c…
*** VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection ***
---------------------------------------------
Vulnerability Note VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection. Original release date: 09 Dec 2016 | Last revised: 09 Dec 2016. Overview: Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection. Description: CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection). Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and...
---------------------------------------------
http://www.kb.cert.org/vuls/id/582384
*** DSA-3730 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3730
*** Vuln: McAfee VirusScan Enterprise Multiple Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94823
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1 and v1.0.1.1 (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995653
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js ***
http://www.ibm.com/support/docview.wss?uid=swg21993007
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat Commons FileUpload Vulnerabilities affects Atlas Policy Suite (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995382
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability in IBM MessageSight (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995246
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in OpenSSH (CVE-2015-5352, CVE-2015-6563, CVE-2015-6564) ***
http://www.ibm.com/support/docview.wss?uid=swg21992610
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web version 7 software (CVE-2016-3550, CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21993132
---------------------------------------------
*** IBM Security Bulletin: Open Redirect vulnerability in IBM MessageSight (CVE-2016-3040) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995247
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect for IBM Connections (CVE-2016-0264) ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988365
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect Content Collector for Email (CVE-2016-0264) ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988357
---------------------------------------------
*** IBM Security Bulletin: Information Disclosure in IBM MessageSight (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995238
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 07-12-2016 18:00 − Friday 09-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Product warning for Joomla! ***
---------------------------------------------
[...] A security vulnerability has been discovered in Joomla! versions 3.4.4 up to and including 3.6.4 that allows an attacker from the Internet to execute arbitrary program code and thereby cause considerable damage on an affected...
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_…
*** Root privileges through Linux vulnerability ***
---------------------------------------------
For five years, a hole has existed in the Linux kernel through which local users can gain elevated privileges. Android is also affected.
---------------------------------------------
https://heise.de/-3565365
*** Mobile Ransomware: Pocket-Sized Badness ***
---------------------------------------------
A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hPA6z0gnzFE/
*** Managed Exchange service: Telekom cloud customer could view other customers' address books ***
---------------------------------------------
Due to a configuration error, a user of Telekom's cloud services was briefly able to access other customers' address books, which reportedly included those of law enforcement agencies. The cause was probably a permissions error in the Exchange service. (Telekom, data protection)
---------------------------------------------
http://www.golem.de/news/managed-exchange-dienst-telekom-cloud-kunde-konnte…
*** Crooks Start Deploying New "August" Infostealer ***
---------------------------------------------
During the month of November 2016, a cyber-crime group has started deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected target's computer. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crooks-start-deploying-new-a…
*** PowerShell threats surge: 95.4 percent of analyzed scripts were malicious ***
---------------------------------------------
Symantec analyzed 111 threat families that use PowerShell, finding that they leverage the framework to download payloads and traverse through networks.
---------------------------------------------
https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent…
*** Kaspersky Security Bulletin 2016. The ransomware revolution ***
---------------------------------------------
Between January and September 2016 ransomware attacks on business increased three-fold - to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016.
---------------------------------------------
http://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-…
*** Banking Trojan Uses Gmail Popup to Extend Infection to Victim's Android Phone ***
---------------------------------------------
A group of malware authors has come up with a new method of transcending an infection from the user's computer to his Android smartphone. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/banking-trojan-uses-gmail-po…
*** Industrial espionage: How Thyssenkrupp found its attackers ***
---------------------------------------------
How do you protect your network when you have 150,000 employees and 500 subsidiaries? After an attack, Thyssenkrupp learned that two things are needed: sufficient resources and freedom for the team.
---------------------------------------------
http://www.golem.de/news/industriespionage-wie-thyssenkrupp-seine-angreifer…
*** Now Mirai Has DGA Feature Built in ***
---------------------------------------------
Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports 7547 and 5555) were found being used to spread Mirai malware. My colleague Gensheng quickly set up some honeypots for those vectors and soon had his harvest: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers.
---------------------------------------------
http://blog.netlab.360.com/new-mirai-variant-with-dga/
*** Crypto-Trojan: Locky's greedy brother demands over 2000 euros in ransom ***
---------------------------------------------
Not only is the GoldenEye extortion Trojan currently a nuisance; the relatives of the notorious Locky Trojan are also continuing their raids. A variant called Osiris is currently striking more frequently and demands a hefty ransom.
---------------------------------------------
https://heise.de/-3564812
*** Bugtraq: AST-2016-009: ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539888
*** Bugtraq: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539887
*** DFN-CERT-2016-2010: Sophos UTM: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2010/
*** DFN-CERT-2016-1991: FreeBSD: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1991/
*** DSA-3729 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:...
---------------------------------------------
https://www.debian.org/security/2016/dsa-3729
*** Cisco Email Security Appliance Content Filter Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device. The vulnerability is due to improper filtering of certain TAR format files that are attached to email messages. An attacker could exploit this vulnerability by sending an email message that has a crafted TAR file attachment through an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: libxml2 vulnerabilities CVE-2016-4447 and CVE-2016-4449 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24322529.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-6290 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15850913.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2016-5844 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24036027.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-7126 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40564589.html?…
---------------------------------------------
*** Security Advisory: OpenSSL vulnerability CVE-2016-6302 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/70/sol70844615.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1836 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48220300.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2015-8932 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/90/sol90412202.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2016-5418 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35246595.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1835 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43314223.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1837 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05937379.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1833 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62030064.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1762 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14338030.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983) ***
http://www.ibm.com/support/docview.wss?uid=swg21994945
---------------------------------------------
*** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-2775, CVE-2016-2776, CVE-2016-8864 and CVE-2016-6170) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021750
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2180, CVE-2016-2182, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021733
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 HTTPS support for Perl Collector ***
http://www.ibm.com/support/docview.wss?uid=swg21990532
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in DHCP affect Power Hardware Management Console (CVE-2015-8605 and CVE-2016-2774) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021703
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Security AppScan Enterprise ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995118
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat, Commons FileUpload Vulnerabilities affecting IBM Algo Audit and Compliance (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21993305
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024507
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Network Advisor (CVE-2016-3425, CVE-2016-3427, CVE-2016-0695). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009640
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors and IBM Network Advisor (CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0704, CVE-2016-0704, CVE-2016-2842). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009631
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in pConsole impacts AIX (CVE-2016-0266) ***
http://aix.software.ibm.com/aix/efixes/security/pconsole_advisory2.asc
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Fabric Manager (CVE-2016-2183) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099504
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-4003) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994399
---------------------------------------------
*** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Rational ClearQuest (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993816
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009648
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2016-2177, CVE-2016-2178, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=swg21993514
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager (IBM Spectrum Protect) AIX Client Buffer Overflow (CVE-2016-5985) ***
http://www.ibm.com/support/docview.wss?uid=swg21993695
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Websphere affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5983) ***
http://www.ibm.com/support/docview.wss?uid=swg21992640
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder and Data Collection Component that are shipped with Jazz Reporting Service (CVE-2016-5898, CVE-2016-5899, CVE-2016-6054, CVE-2016-6047) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991154
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2016-5897, CVE-2016-6039) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991153
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2119) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009567
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009566
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995039
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 06-12-2016 18:00 − Wednesday 07-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Online advertising: Researchers stop months-long malvertising campaign ***
---------------------------------------------
Malicious code has been distributed via a malvertising campaign over the past few months. The makers of the Stegano exploit kit hid invisible pixels in advertisements and used exploits in Flash and Internet Explorer.
---------------------------------------------
http://www.golem.de/news/onlinewerbung-forscher-stoppen-monatelange-malvert…
*** Petya variant: GoldenEye ransomware sends convincing job applications ***
---------------------------------------------
Shortly before the end of the year, there is once again a larger ransomware campaign in Germany. Criminals are using GoldenEye to send professional-looking job applications to HR departments, and are possibly using information from the employment agency.
---------------------------------------------
http://www.golem.de/news/petya-variante-goldeneye-ransomware-verschickt-ueb…
*** Criminals could guess Visa credit card data comparatively easily ***
---------------------------------------------
In a study, security researchers show how they can guess CVV numbers and other credit card data within seconds and then use them to transfer money.
---------------------------------------------
https://heise.de/-3564898
*** Flash Exploit Found in Seven Exploit Kits ***
---------------------------------------------
An Adobe Flash Player vulnerability used by the Sofacy APT gang was also found in seven of the top exploit kits, according to an analysis by Recorded Future.
---------------------------------------------
http://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/
*** Explained: Domain Generating Algorithm ***
---------------------------------------------
Domain Generating Algorithms are in use by cyber criminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time.
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/12/explained-domain-gener…
*** Attacking NoSQL applications, (Tue, Dec 6th) ***
---------------------------------------------
In the last couple of years, the MEAN stack (MongoDB, Express.js, Angular.js and Node.js) became the stack of choice for many web application developers. The main reason for this popularity is the fact that the stack supports both client and server side programs written in JavaScript, allowing easy development. The core database used by the MEAN stack, MongoDB, is a NoSQL database program that uses JSON-like documents with dynamic schemas allowing huge flexibility. Although NoSQL databases are not...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21787&rss
*** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking ***
---------------------------------------------
In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/06/msrt-december-2016-addr…
*** Unrestricted Backend Login Method Seen in OpenCart ***
---------------------------------------------
From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach.
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** Crims using anti-virus exclusion lists to send malware to where it can do most damage ***
---------------------------------------------
When vendors tell you what to whitelist, crims are reading too. Advanced malware writers are using anti-virus exclusion lists to better target victims, researchers say.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/07/clever_crim…
*** Deep Analysis of the Online Banking Botnet TrickBot ***
---------------------------------------------
TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and Ireland, to name a few.
---------------------------------------------
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-bot…
*** Debugging war story: the mystery of NXDOMAIN ***
---------------------------------------------
The following blog post describes a debugging adventure on Cloudflare's Mesos-based cluster. This internal cluster is primarily used to process log file information so that Cloudflare customers have analytics, and for our systems that detect and respond to attacks. The problem encountered didn't have any effect on our customers,
---------------------------------------------
https://blog.cloudflare.com/debugging-war-story-the-mystery-of-nxdomain/
*** Popular smart toys violate children's privacy rights? ***
---------------------------------------------
My Friend Cayla and i-Que, two extremely popular "smart" toys manufactured by Los Angeles-based Genesis Toys, do not safeguard basic consumer (and children's) rights to security and privacy, researchers have found. The toys come with companion apps, and the latter use services by Nuance Communications, a company headquartered in Massachusetts that specializes in voice- and speech-recognition services for a variety of industries.
---------------------------------------------
https://www.helpnetsecurity.com/2016/12/07/smart-toys-privacy-rights/
*** Bugtraq: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539883
*** Security Advisory - Privilege Escalation Vulnerability in Some Huawei Storage Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Security Advisory - Dirty COW Vulnerability in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Tesla Gateway ECU Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a Gateway ECU vulnerability in Tesla's Model S automobile.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01
*** Locus Energy LGate Command Injection Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a command injection vulnerability in Locus Energy's LGate application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01-0
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: Python urllib and urllib2 library vulnerability CVE-2016-5699 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10420455.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1839 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/26/sol26422113.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1840 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14614344.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-7127 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89002224.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerabilities CVE-2016-6288 and CVE-2016-6289 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34985231.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1838 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71926235.html?…
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance Drop Decrypt Policy Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Web Security Appliance HTTP URL Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager IM and Presence Service Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Identity Services Engine Active Directory Integration Component Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software Default Credentials Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software HTTP 2.0 Request Handling Event Service Daemon Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS and IOS XE Software SSH X.509 Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Frame Forwarding Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Intercloud Fabric Director Static Credentials Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Hybrid Media Service Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FirePOWER Malware Protection Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Firepower Management Center and Cisco FireSIGHT System Software Malicious Software Detection Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireAMP Connector Endpoint Software Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Expressway Series Software Security Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Email Security Appliance and Web Security Appliance Content Filter Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager Unified Reporting Upload Tool Directory Traversal Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Unified Communications Manager Administration Page Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ONS 15454 Series Multiservice Provisioning Platforms TCP Port Management Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Emergency Responder Directory Traversal Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Emergency Responder Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOx Application-Hosting Framework Directory Traversal Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASR 5000 Series IKEv2 Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASR 5000 Series IPv6 Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
Next End-of-Shift report: 2016-12-09
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-12-2016 18:00 − Tuesday 06-12-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Dirty Cow Vulnerability Patched in Android Security Bulletin ***
---------------------------------------------
Today's Android Security Bulletin included a patch for the Dirty Cow vulnerability, a seven-year-old Linux bug that had yet to be patched by Google.
---------------------------------------------
http://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-b…
*** BlackBerry powered by Android Security Bulletin - December 2016 ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038813
*** Arista CloudVision Portal bug revealed, plus evidence it's been used ***
---------------------------------------------
You know the drill: face-palm, download, patch, grumble about state of security, relax. Arista customers: if you're running a version of CloudVision Portal (CVP) older than 2016.1.2.1, get an update or risk getting p0wned.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/arista_clou…
*** Printer security is so bad HP Inc will sell you services to fix it ***
---------------------------------------------
Finally, FINALLY, someone is turning off Telnet and FTP. Printer security is so awful HP Inc is willing to shut off shiny features and throw its own dedicated bodies at the perennial problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/printer_sec…
*** GNU Netcat 0.7.1 Out-Of-Bounds Write ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016120029
*** In the three years since IETF said pervasive monitoring is an attack, what's changed? ***
---------------------------------------------
IETF Security director Stephen Farrell offers a report card on evolving defences
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/ietf_report…
*** [2016-12-06] Backdoor vulnerability in Sony IPELA ENGINE IP Cameras ***
---------------------------------------------
Sony IPELA Engine IP Cameras contain multiple backdoors. Those backdoor accounts allow an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or spy on people.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DailyMotion apparently hacked: 87.6 million users affected ***
---------------------------------------------
Unknown hackers are said to have broken into the video portal's server system and, besides e-mail addresses, also copied protected passwords.
---------------------------------------------
https://heise.de/-3559563
*** Vuln: Joomla! Core CVE-2016-9836 Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94663
*** International Phone Fraud Tactics ***
---------------------------------------------
This article outlines two different types of international phone fraud.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/12/international_p.html
*** Watch out: new ransomware trojan Goldeneye is spreading rapidly ***
---------------------------------------------
A previously unknown ransomware trojan disguises itself as a job application e-mail and tries to encrypt systems all over Germany. At the moment many virus scanners do not yet detect it.
---------------------------------------------
https://heise.de/-3561396
*** Roundcube 1.2.2: Command Execution via Email ***
---------------------------------------------
In this post, we show how a malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible.
---------------------------------------------
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
*** Xen Security Advisory 199 (CVE-2016-9637) - qemu ioport array overflow ***
---------------------------------------------
When qemu is used as a device model within Xen, io requests are generated by the hypervisor and read by qemu from a shared ring. The entries in this ring use a common structure, including a 64-bit address field, for various accesses, including ioport addresses. Xen will write only 16-bit address ioport accesses. However, depending on the Xen and qemu version, the ring may be writeable by the guest. If so, the guest can generate out-of-range ioport accesses, resulting in wild pointer accesses.
---------------------------------------------
https://lists.xen.org/archives/html/xen-announce/2016-12/msg00001.html
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager. ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099503
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Open Source Linux Kernel Vulnerabilities (CVE-2016-5195) ***
http://www.ibm.com/support/docview.wss?uid=swg21994535
---------------------------------------------
*** IBM Security Bulletin: A busybox vulnerability affects IBM DataPower Gateways (CVE-2014-4607) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993006
---------------------------------------------
*** IBM Security Bulletin: Apache POI as used in IBM QRadar SIEM is vulnerable to various CVEs. ***
http://www.ibm.com/support/docview.wss?uid=swg21994719
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in Expat affect IBM Netezza Analytics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994401
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to various CGI vulnerabilities. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) ***
http://www.ibm.com/support/docview.wss?uid=swg21994725
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Xerces-C XML parser vulnerabilities affect IBM Integration Bus and WebSphere Message Broker (CVE-2016-4463, CVE-2016-0729) ***
http://www.ibm.com/support/docview.wss?uid=swg21985691
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Streams (CVE-2016-3705) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991065
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics Tools ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994484
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-12-2016 18:00 − Monday 05-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Bug of the day: Forwarding issues related to MACs starting with a 4 or a 6 ***
---------------------------------------------
OK, but why should a 4 or a 6 at the beginning be a problem, of all things? Because the IPv4 and IPv6 headers start with the "Version" field: the first four bits are always 4 for IPv4 and always 6 for IPv6. Now, the IP header comes after the Ethernet header, so there is really no danger of confusion. You know what you are looking at. But apparently some vendors have tried to build "self-thinking" devices that look at the first 4 bits,...
---------------------------------------------
https://blog.fefe.de/?ts=a6bc62fc
*** Study: pacemakers are easy to hack ***
---------------------------------------------
Security researchers from Belgium and Great Britain were able to remotely hack several different models of implants for patients with cardiac arrhythmia.
---------------------------------------------
https://futurezone.at/digital-life/studie-herzschrittmacher-lassen-sich-lei…
*** Anti-snooping tool SAMRi10 is meant to protect Windows networks ***
---------------------------------------------
The free PowerShell script is meant to let admins block snoopers' access to the Security Account Manager more effectively.
---------------------------------------------
https://heise.de/-3550115
*** The Kings in Your Castle, Pt #4 ***
---------------------------------------------
Oftentimes, there is talk about a "sophisticated" malware-based attack against an individual or an organization. The prevalent assumption is that a great deal of development work has gone into the attack tools. In the 4th part of the article series, Marion Marschalek and Raphael Vinot will demonstrate what sophistication means and what it actually looks like.
---------------------------------------------
https://blog.gdatasoftware.com/2016/12/29343-the-kings-in-your-castle-pt-4
*** Identity theft with a fake PayPal message ***
---------------------------------------------
With a fake PayPal message, criminals want to steal the identity of recipients. To reach their goal, they claim that the company has deactivated the recipient's PayPal account and can only reactivate it once it receives a copy of the customer's identity card. That is false.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/identitaetsdiebstahl-mit-gefael…
*** Putting security risks on simmer with Chef ***
---------------------------------------------
To remain PCI-compliant, I conduct quarterly security assessments of our infrastructure. This means external testing of our internet-facing PCI resources, using an approved scanning vendor (ASV), and what I call internal PCI full-population scans. Trouble Ticket. At issue: Too many servers with too many different configurations make it tough to stay in compliance. Action plan: Use Chef and the CIS guidelines to ensure that servers are properly configured. We do the external scanning every month,...
---------------------------------------------
http://www.cio.com/article/3147055/security/putting-security-risks-on-simme…
*** Vuln: Alcatel-Lucent OmniVista 8770 CVE-2016-9796 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94649
*** FortiOS Local Admin Password Hash Leak Vulnerability ***
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-050
*** Bugtraq: CVE-2016-8740, Server memory can be exhausted and service denied when HTTP/2 is used ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539873
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM InfoSphere Information Server (CVE-2016-3092) ***
---------------------------------------------
An Apache Commons FileUpload vulnerability while processing file upload requests was addressed by IBM InfoSphere Information Server. CVE(s): CVE-2016-3092 Affected product(s) and affected version(s): The following product, running on all supported platforms, is affected: IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5 IBM InfoSphere Metadata Asset Manager: versions 8.7, 9.1, 11.3, and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988564
*** IBM Security Bulletin: Vulnerability has been identified in IBM Cloud Orchestrator teamwork API (CVE-2016-0206 ) ***
---------------------------------------------
A potential denial of service vulnerability has been identified in IBM Cloud Orchestrator teamwork executeServiceByName API if an invalid URL is provided by local authenticated user. IBM Cloud Orchestrator, formerly known as IBM SmartCloud Orchestrator has addressed the issue. CVE(s): CVE-2016-0206 Affected product(s) and affected version(s): IBM Cloud Orchestrator V2.3, V2.3.0.1 V2.4, V2.4.0.1, V2.4.0.2 Refer...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000141
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 01-12-2016 18:00 − Friday 02-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BitUnmap: Attacking Android Ashmem ***
---------------------------------------------
Posted by Gal Beniamini, Project Zero. The law of leaky abstractions states that "all non-trivial abstractions, to some degree, are leaky". In this blog post we'll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result in security vulnerabilities affecting core system code.
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-as…
*** Exploited Script in WordPress Theme Sends Spam ***
---------------------------------------------
As WordPress continues to grow in popularity, so does its library. New and experienced developers are creating themes and plugins - which creates diverse directories. While this is useful to the WordPress community, the nature of mass creation can account for coding errors and vulnerabilities. Even premium themes have security issues. We often find code that is developed with good intentions but without taking security measures into consideration.
---------------------------------------------
https://blog.sucuri.net/2016/12/exploited-script-wordpress-themes-send-spam…
*** Blockchain Technology Explained - An Executive Summary ***
---------------------------------------------
This article provides an executive summary on the Blockchain technology, what it is, how it works, and why everyone is excited about it.
---------------------------------------------
https://www.whitehatsec.com/blog/blockchain-technology/
*** [0day] Bypassing Apple's System Integrity Protection ***
---------------------------------------------
Read how an attacker can bypass Apple's SIP via the local OS upgrade process.
---------------------------------------------
https://objective-see.com/blog/blog_0x14.html
*** One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild ***
---------------------------------------------
Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/bcdzgHcT2VE/
*** Protecting Powershell Credentials (NOT), (Fri, Dec 2nd) ***
---------------------------------------------
If you're like me, you've worked through at least one Powershell tutorial, class or even a how-to blog. And you've likely been advised to use the PSCredential construct to store credentials. The discussion usually covers that this is a secure way to collect credentials, then store them in a variable for later use. You can even store them in a file and read them back later. Awesome - this solves a real problem, you thought - or does it? For instance, to collect credentials for a VMware vSphere...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21779&rss
*** Remote management app exposes millions of Android users to hacking ***
---------------------------------------------
Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks. According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app...
---------------------------------------------
http://www.cio.com/article/3146916/security/remote-management-app-exposes-m…
*** DFN-CERT-2016-1971: Google Chrome: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1971/
*** ZDI-16-617: Dell SonicWALL Universal Management Suite ImagePreviewServlet SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL Universal Management Suite. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-617/
*** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-6816 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50116122.html?…
*** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-8735 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49820145.html?…
*** USN-3148-1: Ghostscript vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-3148-1, 1st December, 2016: ghostscript vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Ghostscript could be made to crash, run programs, or disclose sensitive information if it processed a specially crafted file. Software description: ghostscript - PostScript and PDF interpreter. Details: Tavis Ormandy discovered multiple vulnerabilities in the way that
---------------------------------------------
http://www.ubuntu.com/usn/usn-3148-1/
*** ICS-CERT Advisories ***
---------------------------------------------
*** Siemens SICAM PAS Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-01
---------------------------------------------
*** Moxa NPort Device Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02
---------------------------------------------
*** Mitsubishi Electric MELSEC-Q Series Ethernet Interface Module Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-03
---------------------------------------------
*** Advantech SUSIAccess Server Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04
---------------------------------------------
*** Smiths-Medical CADD-Solis Medication Safety Software Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSMA-16-306-01
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in PHP affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024545
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024478
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597) that is bundled with IBM WebSphere Application Server Patterns. ***
http://www.ibm.com/support/docview.wss?uid=swg21993759
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in redis affect PowerKVM (CVE-2015-4335, CVE-2013-7458) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024538
---------------------------------------------
*** IBM Security Bulletin: Authentication vulnerability affects IBM Integration Bus V10.0.0.4 onwards (CVE-2016-8918 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21995079
---------------------------------------------
*** IBM Security Bulletin: The WebAdmin context for WebSphere Message Broker Version 8 allows directory listings (CVE-2016-6080) ***
http://www.ibm.com/support/docview.wss?uid=swg21995004
---------------------------------------------
*** IBM Security Bulletin: IBM Mobile Connect is vulnerable to the Sweet32: Birthday Attacks (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21994927
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-5573, CVE-2016-5597, CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994297
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009581
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource libxml2 affect IBM Security Guardium (CVE-2016-2073) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984606
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-11-2016 18:00 − Thursday 01-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 0-Day: Tor and Firefox patch actively exploited JavaScript exploit ***
---------------------------------------------
Tor and Mozilla reacted quickly and are releasing an out-of-band patch for a critical security vulnerability. The bug was in an animation function for vector graphics.
---------------------------------------------
http://www.golem.de/news/0-day-tor-und-firefox-patchen-kritische-schwachste…
*** Avalanche Takedown ***
---------------------------------------------
On 30 November 2016, the Avalanche botnet was taken over through a broad cooperation of police (Europol, Eurojust, FBI, ...), prosecutors and IT security organisations (BSI, Shadowserver, CERTs). Shadowserver's numbers are impressive:...
---------------------------------------------
http://www.cert.at/services/blog/20161201172722-1851.html
*** IBM warns of rising VoIP cyberattacks ***
---------------------------------------------
Cyber-attacks using the VoIP protocol Session Initiation Protocol (SIP) have been growing this year, accounting for over 51% of the security event activity analyzed in the last 12 months, according to a report from IBM's Security Intelligence group this week. "SIP is one of the most commonly used application layer protocols in VoIP technology... we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second...
---------------------------------------------
http://www.cio.com/article/3146209/security/ibm-warns-of-rising-voip-cybera…
*** Shamoon 2: Return of the Disttrack Wiper ***
---------------------------------------------
In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged. Last week, Unit 42...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-…
*** Fatal flaws in ten pacemakers make for Denial of Life attacks ***
---------------------------------------------
Brit/Belgian research team decipher signals and devise wounding wireless attacks. A global research team has hacked 10 different types of implantable medical devices and pacemakers, finding exploits that could allow wireless remote attackers to kill victims.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/01/denial_of_l…
*** New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer ***
---------------------------------------------
In January of 2016, we found various "SmsSecurity" mobile apps that claimed to be from various banks. Since then, we've found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ckweihUN7n8/
*** SAMRi10: Windows 10 hardening tool for thwarting network recon ***
---------------------------------------------
Microsoft researchers Itay Grady and Tal Be'ery have released another tool to help admins harden their environment against reconnaissance attacks: SAMRi10 (pronounced "Samaritan"). (Figure: User2 (non-admin) gets access denied by SAMRi10 when calling Net User remotely to a hardened Domain Controller.) Both the Net Cease tool they released in October and SAMRi10 are simple PowerShell scripts and are aimed at preventing attackers that are already inside a corporate network from mapping it...
---------------------------------------------
https://www.helpnetsecurity.com/2016/12/01/samri10-windows-10-hardening/
*** Security Notice - Statement on Newsmth.net Forum Revealing Security Issue in Huawei P9 Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20161130-01-…
*** USN-3141-1: Thunderbird vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-3141-1, 30th November 2016: thunderbird vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Several security issues were fixed in Thunderbird. Software description: thunderbird - Mozilla Open Source mail and newsgroup client. Details: Christian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety...
---------------------------------------------
http://www.ubuntu.com/usn/usn-3141-1/
*** Security Advisories Relating to Symantec Products - Norton App Lock Bypass ***
---------------------------------------------
Symantec has addressed an issue where on some Android devices, Norton App Lock could have been bypassed, which could have allowed locked applications to be opened.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** OpenAFS Security Advisory 2016-003 ***
---------------------------------------------
Due to incomplete initialization or clearing of reused memory, OpenAFS directory objects are likely to contain "dead" directory entry information. This extraneous information is not active - that is, it is logically invisible to the fileserver and client. However, the leaked information is physically visible on the fileserver vice partition,...
---------------------------------------------
https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt
*** Bugtraq: [security bulletin] HPSBHF03682 rev.1 - HPE Comware 7 Network Products using SSL/TLS, Local Gain Privileged Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539855
*** Bugtraq: [security bulletin] HPSBGN03677 rev.1 - HPE Network Automation using RPCServlet and Java Deserialization, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539857
*** Bugtraq: [security bulletin] HPSBGN03680 rev.1 - HPE Propel, Local Denial of Service (DoS), Escalation of Privilege ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539863
*** Bugtraq: [security bulletin] HPSBUX03665 rev.3 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS), URL Redirection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539864
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in wget affects PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024556
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in DHCP affects PowerKVM (CVE-2016-5410) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024551
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in krb5 affect PowerKVM (CVE-2016-3119, CVE-2016-3120) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024550
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in util-linux affects PowerKVM (CVE-2016-5011) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024543
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in powerpc-utils-python affects PowerKVM (CVE-2014-8165) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024540
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in fontconfig affects PowerKVM (CVE-2016-5384) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024533
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in sudo affects PowerKVM (CVE-2016-7091) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024532
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Python-RSA affects PowerKVM (CVE-2016-1494) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024409
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in bind affect PowerKVM (CVE-2016-2776, CVE-2016-8864) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024402
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024401
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-11-2016 18:00 − Wednesday 30-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Critical security vulnerability in Mozilla Firefox - actively exploited - no patches available ***
---------------------------------------------
As reported in various media, there is a critical security vulnerability in current versions of the Mozilla Firefox browser for which no patch is available yet. It is also already being actively exploited.
---------------------------------------------
https://cert.at/warnings/all/20161130.html
*** Port 7547 in Austria ***
---------------------------------------------
Since my last blog post on Mirai/TR-069, a few new pieces of information have come in.
---------------------------------------------
https://cert.at/services/blog/20161130165710-1834.html
*** Ask Sucuri: Can Your cPanel Page Be Maliciously Redirected? ***
---------------------------------------------
Many webmasters may not be aware that hackers are able to maliciously redirect cPanel pages. The specific tactic we describe in this article is unique. Included are recommendations to prevent it, along with other suspicious issues, through logs kept on cPanel servers.
---------------------------------------------
https://blog.sucuri.net/2016/11/ask-sucuri-can-cpanel-page-maliciously-redi…
*** Vuln: Dell iDRAC7 and iDRAC8 Devices CVE-2016-5685 Code Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94585
*** Emerson Liebert SiteScan XML External Entity Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an XML External Entity vulnerability affecting Emerson's Liebert SiteScan application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-01
*** Emerson DeltaV Easy Security Management Application Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability that affects Emerson's DeltaV Easy Security Management application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-02
*** Emerson DeltaV Wireless I/O Card Open SSH Port Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in the Emerson DeltaV Wireless I/O Card.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-03
*** Security Advisory: BIG-IP FastL4 profile vulnerability ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36300805.html?…
*** Security Advisory - XSS Vulnerability in Huawei eSpace IAD ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** Security Advisory - DoS Vulnerability in Huawei Switches ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** DFN-CERT-2016-1960: Apache Subversion: A vulnerability allows denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1960/
*** Security Advisory - Command Injection Vulnerability in Huawei FusionAccess ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** GCHQ presents CyberChef, an Open Source Data Analysis Tool ***
---------------------------------------------
The GCHQ has released the code of a new open source web tool dubbed CyberChef, specifically designed for analyzing and decoding data.
---------------------------------------------
http://securityaffairs.co/wordpress/53908/intelligence/gchq-cyberchef.html
*** Multiple I-O DATA network camera products multiple vulnerabilities ***
---------------------------------------------
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN25059363/
*** New Cerber Variant Leverages Tor2Web Proxies, Google Redirects ***
---------------------------------------------
Researchers have discovered that criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection.
---------------------------------------------
http://threatpost.com/new-cerber-variant-leverages-tor2web-proxies-google-r…
*** An overview of the Payment Card Industry (PCI) ***
---------------------------------------------
The payment card industry consists of all the organizations which store, process and transmit cardholder data and carry transactions through debit and credit cards. Many standards are developed to conduct these types of services in a secure way. The well-known standard for this purpose is Payment Card Industry Data Security Standards.
---------------------------------------------
http://resources.infosecinstitute.com/an-overview-of-the-payment-card-indus…
*** Major outage at Telekom: what really happened ***
---------------------------------------------
A security expert analysed the response of one of the supposedly vulnerable Speedport models and arrives at a surprising conclusion: the devices were not vulnerable to the TR-069 security hole at all.
---------------------------------------------
https://heise.de/-3520212
*** GET pwned: Web CCTV cams can be hijacked by single HTTP request ***
---------------------------------------------
An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed.
---------------------------------------------
http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/
*** Vuln: OpenJPEG CVE-2016-9675 Incomplete Fix Multiple Remote Heap Based Buffer Overflow Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94589
*** Cobalt Malware Threatens ATM Security ***
---------------------------------------------
The hackers typically initiated the malware infection through phishing and spear-phishing attacks. They sent malware-laced emails to employees working at the banks. If somehow a cyber-security-naive employee clicked on a malicious link in an email or opened an attachment, then their system would get infected.
---------------------------------------------
https://blog.comodo.com/malware/cobalt-malware-threatens-atm-security/
*** Android malware Gooligan said to have hijacked over 1 million Google accounts ***
---------------------------------------------
The Trojan reportedly roots smartphones and copies authentication tokens from Google accounts. An online service lets you check whether your own account is affected.
---------------------------------------------
https://heise.de/-3520778
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM i (CVE-2016-8858) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021734
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992996
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000213
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Domino & IBM iNotes ***
http://www.ibm.com/support/docview.wss?uid=swg21992835
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-0785) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994386
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-11-2016 18:00 − Tuesday 29-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Bruce Schneier on network security: "The era of fun and games is over" ***
---------------------------------------------
The renowned security expert warned at Telekom's security congress against boundless networking. State regulation, he said, is inevitable.
---------------------------------------------
https://www.heise.de/newsticker/meldung/Bruce-Schneier-zur-Netz-Sicherheit-…
*** PayPal Fixes OAuth Token Leaking Vulnerability ***
---------------------------------------------
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client.
---------------------------------------------
http://threatpost.com/paypal-fixes-oauth-token-leaking-vulnerability/122136/
*** Vuln: WordPress Image Gallery Plugin HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94565
*** A Rowhammer ban-hammer for all, and it's all in software ***
---------------------------------------------
Sorry to go all MC Hammer on you, but boffins tell bit-flippers you can't touch this. A group of German researchers reckon they've cracked a pretty hard nut indeed: how to protect all x86 architectures from the 'Rowhammer' memory bug.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/29/a_rowhammer…
*** Tenda / D-Link / TP-Link DHCP Cross Site Scripting ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110233
*** Every Windows 10 in-place Upgrade is a SEVERE Security risk ***
---------------------------------------------
[...] There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment).
---------------------------------------------
http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
*** F-Secure: QUICK TIP: How To Make Your Passwords Uncrackable ***
---------------------------------------------
TL;DR: 'The trick is to use a really long random password for each online account,' he tells us. 'The password length should be at least 20 symbols and numbers, but preferably 32.'
---------------------------------------------
https://safeandsavvy.f-secure.com/2016/09/14/quick-tip-how-to-make-your-pas…
*** Azure Security Best Practices ***
---------------------------------------------
Moving applications and workloads to the cloud is a big draw for organizations, primarily due to the favorable economics, ease of deployment, and the flexibility and scale that the cloud provides. Microsoft Azure is one cloud platform seeing rising adoption in the past year. You may be contemplating moving workloads to Azure, particularly if you are a Microsoft shop. But like most organizations moving to the cloud, you are probably concerned about the security of your Azure environment.
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/azure-security-best-pr…
*** TYPO3 CMS 7.6.14 released ***
---------------------------------------------
This version is a regression fix release for TYPO3 CMS 7.6.13 concerning the usage of the Composer mode with additional third party PHP libraries. This version contains bugfixes concerning Composer only.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-7614-released/
*** Account numbers and e-mail: data stolen from Mitfahrgelegenheit.de ***
---------------------------------------------
Account numbers and e-mail addresses of former users affected - few Austrians affected
---------------------------------------------
http://derstandard.at/2000048456695
*** TR-069 NewNTPServer Exploits: What we know so far, (Tue, Nov 29th) ***
---------------------------------------------
[This is a cleaned-up version summarizing yesterday's diary about the attacks against DSL routers] What is TR-069? TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL-type modems and more recently included fiber optic connections. TR stands for Technical Report. TR-069 is considered the Broadband Forum's flagship standard.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21763&rss
*** Security Advisory: BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/01/sol01587042.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994185
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect WebSphere Dashboard Framework (CVE-2016-5573, CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994184
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Web Experience Factory (CVE-2016-5573, CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994181
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
https://www-01.ibm.com/support/docview.wss?uid=swg21985393
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSource Expat XML Vulnerabilities affect IBM DB2 Net Search Extender for Linux, Unix and Windows ***
http://www.ibm.com/support/docview.wss?uid=swg21992933
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale (CVEs-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21993946
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ( CVE-2016-2107,CVE-2016-2176) ***
http://www.ibm.com/support/docview.wss?uid=swg21992894
---------------------------------------------
*** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object ( CVE-2016-0394 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985013
---------------------------------------------
*** IBM Security Bulletin: Vulnerability has been identified in View All User Domain Tasks of IBM Cloud Orchestrator (CVE-2016-0202 ) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000134
---------------------------------------------
*** IBM Security Bulletin: FileNet Workplace XT can be affected by the File Extension validation vulnerability (CVE-2016-8921) ***
http://www.ibm.com/support/docview.wss?uid=swg21994018
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009589
---------------------------------------------
*** IBM Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-2985 and CVE-2016-2984) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009324
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-11-2016 18:00 − Monday 28-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Mirai goes TR-069 ***
---------------------------------------------
I have already written a lot about Mirai here. Until now this botnet spread purely by guessing passwords on Telnet interfaces. That has now changed: on 7 November someone published a proof-of-concept exploit for a CPE (customer premises equipment -- i.e. DSL modem, cable modem & co) that shows how malware can be slipped onto the device via TR-069.
---------------------------------------------
http://www.cert.at/services/blog/20161128173929-1823.html
*** DSA-3725 icu - security update ***
---------------------------------------------
Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3725
*** [2016-11-28] Denial of service & heap-based buffer overflow in Guidance Software EnCase Forensic ***
---------------------------------------------
EnCase Forensic Imager and the EnCase Forensic suite are widely used by computer forensic experts to analyze hard disks. Due to flaws in these products an attacker could manipulate a hard disk to keep an investigator from fully analyzing it (denial of service). Potentially, an attacker could execute malicious code on the investigator's machine.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DFN-CERT-2016-1949: ImageMagick: Multiple vulnerabilities allow, among other things, denial-of-service attacks ***
---------------------------------------------
Multiple vulnerabilities in ImageMagick allow a remote, unauthenticated attacker to carry out various denial-of-service (DoS) attacks and to obtain information.
Debian provides a security update for the distribution Debian Jessie (stable).
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1949/
*** Ransomware: Locky switches to .zzzzz extension, Cerber version 5.0.1 in circulation ***
---------------------------------------------
According to reports, criminals are currently distributing new versions of Cerber and Locky. Caution: many virus scanners evidently do not yet detect Cerber.
---------------------------------------------
https://heise.de/-3506049
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-11-2016 18:00 − Friday 25-11-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Criminals offer Mirai botnet with 400,000 IoT devices for rent ***
---------------------------------------------
What is the Mirai botnet doing right now? The two security researchers with the pseudonyms 2sec4u and MalwareTech monitor the Mirai botnet and share current activity via Twitter and a website. The site's live map shows that, spread across the whole world, more than 3 million devices in total have so far been caught in the Mirai botnet. In the last 24 hours it was just under 100,000.
---------------------------------------------
https://www.heise.de/security/meldung/Kriminelle-bieten-Mirai-Botnetz-mit-4…
*** Hacked accounts: criminals send malware via Mailchimp accounts ***
---------------------------------------------
Criminals are apparently using hijacked Mailchimp accounts to spread malware. This happens mainly via e-mails with supposed invoices. All 2,000 affected accounts have been temporarily shut down.
---------------------------------------------
http://www.golem.de/news/gehackte-zugaenge-kriminelle-versenden-malware-mit…
*** Locky hidden in image file hitting Facebook, LinkedIn users ***
---------------------------------------------
Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.
---------------------------------------------
https://www.helpnetsecurity.com/2016/11/25/locky-image-file-facebook-linked…
*** The Week in Ransomware - November 25th 2016 - Locky, Decryptors, Cerber, Open Source Ransomware sucks, and More ***
---------------------------------------------
Lots of ransomware stories this week. We have two new decryptors, quite a few new ransomware infections, PadCrypt being hidden inside a fake credit card generator, and a few new variants. The biggest news is two new variants of the Locky ransomware that append the .zzzzz and .aesir extensions for encrypted files. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-novemb…
*** Free Software Quick Security Checklist, (Fri, Nov 25th) ***
---------------------------------------------
Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures, but the most important remains, of course, the price. Even if there are many hidden costs related to free software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code (and everybody knows that time is money!). Today, more and more organisations are not afraid anymore to deploy free...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21751&rss
*** DFN-CERT-2016-1945: phpMyAdmin: Multiple vulnerabilities allow, among other things, the execution of arbitrary SQL commands ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1945/
*** Security Advisory - Buffer Overflow Vulnerability in Huawei Firewall Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161125-…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running within a guest VM to compromise the host. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.0. CVE-2016-9379, CVE-2016-9380, CVE-2016-9381, CVE-2016-9382, CVE-2016-9383, CVE-2016-9385, CVE-2016-9386
---------------------------------------------
https://support.citrix.com/article/CTX218775
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-11-2016 18:00 − Thursday 24-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Don't let this Black Friday/Cyber Monday spam deliver Locky ransomware to you ***
---------------------------------------------
We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers. This year, we're seeing a spam campaign that Amazon customers need to be wary of.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/11/23/dont-let-this-black-fri…
*** LXC CVE-2016-8649 Directory Traversal Vulnerability ***
---------------------------------------------
An attacker can exploit this issue using directory-traversal characters (../) to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and perform other attacks.
---------------------------------------------
http://www.securityfocus.com/bid/94498/info
*** Multiple Samsung Galaxy Product CVE-2016-9567 Security Bypass Vulnerability ***
---------------------------------------------
Multiple Samsung Galaxy products are prone to a security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Samsung Galaxy devices with Marshmallow 6.0 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94494/info
*** w3m Multiple Security Vulnerabilities ***
---------------------------------------------
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Versions prior to w3m 0.5.3-33 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94464/discuss
*** Research on unsecured Wi-Fi networks across the world ***
---------------------------------------------
We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us.
---------------------------------------------
https://securelist.com/blog/research/76733/research-on-unsecured-wi-fi-netw…
*** DFN-CERT-2016-1942: RealNetworks RealPlayer: A vulnerability allows a denial-of-service attack ***
---------------------------------------------
A remote, unauthenticated attacker can exploit a vulnerability in RealPlayer, using a maliciously crafted QCP media file that a user is tricked into playing, to carry out a denial-of-service (DoS) attack.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1942/
*** Windows update for Secure Boot bug makes BIOS updates necessary ***
---------------------------------------------
With patch 3193479 or 3200970 for current Windows (Server) versions, Microsoft fixes a bug in UEFI Secure Boot, but some servers no longer boot afterwards.
---------------------------------------------
https://heise.de/-3503589
*** Diagnosing cyber threats for smart hospitals ***
---------------------------------------------
ENISA presents a study that sets the scene on information security for the adoption of IoT in Hospitals. The study which engaged information security officers from more than ten hospitals across the EU, depicts the smart hospital ICT ecosystem; and through a risk based approach focuses on relevant threats and vulnerabilities, analyses attack scenarios, and maps common good practices.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/diagnosing-cyber-threats-for-sm…
*** Security Advisory: PHP vulnerability CVE-2016-6288 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?…
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016 ***
---------------------------------------------
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-11-2016 18:00 − Wednesday 23-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The November 2016 issue of our SWITCH Security Report is available! ***
---------------------------------------------
The topics covered in this report are:
* IT security researchers reveal vulnerabilities in photoTAN procedure for mobile banking
* DDoS attack via IoT botnet shuts down parts of Internet
* Triple record: Yahoo loses half a billion customers’ details, more trust than ever and USD 1 billion from its acquisition price
---------------------------------------------
https://securityblog.switch.ch/2016/11/23/the-november-2016-issue-of-our-sw…
*** Securing Drupal with ModSecurity and the Core Rule Set (CRS3) ***
---------------------------------------------
Here is a guide aimed at the Drupal community to learn how to work with ModSecurity. OWASP ModSecurity Core Rule Set is a horrible name for a project, which is why we speak of CRS3. This is a security project, and for those not familiar with the CRS, I will first give a brief intro.
---------------------------------------------
https://www.netnea.com/cms/2016/11/22/securing-drupal-with-modsecurity-and-…
*** DomainTools 101: How to Spot Phishy Domains on Cyber Monday ***
---------------------------------------------
Just as the Grumeti River in Tanzania harbors dangerous crocodiles just below its surface, a phishing email usually contains malicious domains waiting for you to click. I read a great article by Bleeping Computer about finding some Google domains that were spoofed using what is known as small caps. This piqued my curiosity ...
---------------------------------------------
https://blog.domaintools.com/2016/11/domaintools-101-how-to-spot-phishy-dom…
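The "small caps" spoof the post refers to is a homoglyph problem: a Unicode letter that renders like an ASCII one but is a different code point, so the domain is a different domain. The following is an added example (not DomainTools' or Bleeping Computer's code) that flags such look-alikes in three ways: any non-ASCII character in a label, labels mixing scripts, and labels that collapse to a protected brand name once confusable letters are mapped back. The CONFUSABLES table is a deliberately small constructed subset (a real deployment would load the full Unicode confusables.txt), and the protected-name list and sample domains are assumptions made for the demo.

```python
"""Flag look-alike domains: non-ASCII labels, mixed scripts and confusable
spellings of protected names. Added example, not code from the article.
Assumptions: CONFUSABLES is a constructed subset of Unicode confusables;
PROTECTED and the sample domains are made up for the demo."""
import unicodedata

# Constructed subset of Unicode confusables: characters that render like an
# ASCII letter. Small capitals (the "small caps" trick) survive NFKC, so a
# lookup table is needed; a real deployment loads confusables.txt instead.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G
    "\u1d0f": "o",  # LATIN LETTER SMALL CAPITAL O
    "\u0280": "r",  # LATIN LETTER SMALL CAPITAL R
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}

PROTECTED = ("google", "paypal", "apple")  # assumption: brands we watch for


def to_unicode(domain):
    """Normalise to lower-case U-labels, decoding punycode (xn--) labels if present."""
    domain = domain.strip().rstrip(".").lower()
    if any(label.startswith("xn--") for label in domain.split(".")):
        domain = domain.encode("ascii").decode("idna")
    return domain


def script_of(char):
    """Coarse script taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(char, "UNKNOWN").split()[0]


def analyze(domain, protected=PROTECTED):
    """Return a list of findings per label; an empty list means nothing looked off."""
    findings = []
    for label in to_unicode(domain).split("."):
        non_ascii = [c for c in label if ord(c) > 127]
        scripts = {script_of(c) for c in label if c.isalpha()}
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if non_ascii:
            findings.append({"label": label, "kind": "non_ascii",
                             "detail": [unicodedata.name(c, "?") for c in non_ascii]})
        if len(scripts) > 1:
            # Caveat: some legitimate IDNs mix scripts (e.g. Japanese); treat as a hint
            findings.append({"label": label, "kind": "mixed_script",
                             "detail": sorted(scripts)})
        if skeleton != label and skeleton in protected:
            findings.append({"label": label, "kind": "lookalike", "detail": skeleton})
    return findings


if __name__ == "__main__":
    # Constructed samples: genuine, small-capital G, Cyrillic a, legitimate German IDN
    for d in ("google.com", "\u0262oogle.com", "p\u0430ypal.com", "m\u00fcnchen.de"):
        print(d, analyze(d))
```

The non-ASCII finding alone is not proof of anything (münchen.de is legitimate); the combination of a confusable skeleton matching a protected name is what should drive a block or a ticket.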
*** [DSA 3722-1] vim security update ***
---------------------------------------------
CVE ID: CVE-2016-1248. Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi editor, does not properly validate values for the filetype, syntax and keymap options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00305.html
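Because the dangerous values arrive in a modeline, untrusted files can be triaged before anyone opens them in an unpatched vim. The script below is an added example (not part of the Debian advisory or of vim) that extracts modelines from the head and tail of a file and flags filetype/syntax/keymap values containing anything beyond letters, digits, '.', '_' and '-'. That character set is an assumption about what a fixed vim accepts; the modeline window of five lines is vim's default, and the sample files are constructed.

```python
"""Scan files for vim modelines whose filetype/syntax/keymap values contain
characters a validating vim would not accept. Added example, not vim or
Debian code. Assumptions: vim honours modelines only in the first and last
MODELINES lines (default 5); SAFE_VALUE is the character set a fixed vim
accepts for these options; sample inputs are constructed."""
import re

MODELINES = 5
# Long and short names of the options vim validates after CVE-2016-1248
CHECKED_OPTIONS = {"filetype", "ft", "syntax", "syn", "keymap", "kmp"}
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]+$")
# Marker that starts a modeline; the rest of the line is parsed separately
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[Vv]im|ex):\s*(.*)$")


def parse_modeline_options(text):
    """Return (name, value) pairs from the text following the 'vim:' marker.

    Handles both forms from ':help modeline':
      vim: ft=sh ts=4          options separated by whitespace or ':'
      vim: set ft=sh ts=4:     options end at the first unescaped ':'
    Splitting is deliberately loose: the goal is to surface odd values,
    not to reproduce vim's parser bit for bit.
    """
    text = text.strip()
    m = re.match(r"(?:se|set)\s+(.*)", text)
    if m:
        body = m.group(1)
        cut = re.search(r"(?<!\\):", body)  # first ':' not escaped by a backslash
        if cut:
            body = body[:cut.start()]
        tokens = body.split()
    else:
        tokens = [t for t in re.split(r"[\s:]+", text) if t]
    pairs = []
    for tok in tokens:
        if "=" in tok:
            name, value = tok.split("=", 1)
            pairs.append((name, value))
    return pairs


def suspicious_modelines(lines, modelines=MODELINES):
    """Return findings (1-based line, option, value) for modelines vim would honour."""
    n = len(lines)
    head = set(range(min(modelines, n)))
    tail = set(range(max(0, n - modelines), n))
    findings = []
    for i in sorted(head | tail):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        for name, value in parse_modeline_options(m.group(1)):
            if name in CHECKED_OPTIONS and not SAFE_VALUE.match(value):
                findings.append({"line": i + 1, "option": name, "value": value})
    return findings


# Constructed samples
BENIGN = ["#!/usr/bin/env python3", "# vim: set ft=python ts=4 sw=4 et:", "print('hello')"]
SUSPECT = ["# innocuous header", "print('hello')", "", "", "", "", "",
           "# vim: set ft=sh|!id:"]            # in the last 5 lines, so honoured
FIRST_FORM = ["# vi: syn=sh|!id ts=4", "body"]  # first modeline form, also honoured
IGNORED = ["x"] * 6 + ["# vim: ft=sh|!id"] + ["x"] * 5  # line 7 of 12: outside both windows

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT),
                         ("first-form", FIRST_FORM), ("ignored", IGNORED)):
        print(name, suspicious_modelines(sample))
```

Run it over a mail gateway's attachment quarantine or a repository checkout; a '|' or '!' inside a filetype value has no legitimate use and is worth a look regardless of which vim build will open the file.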
*** Mapping Attack Methodology to Controls, (Wed, Nov 23rd) ***
---------------------------------------------
Recently we've seen lots of malicious documents make it through our first protection layers (https://www.virustotal.com/en/file/79ff976c5ca6025f3bb90ddfa7298286217c2130…). In the last week, these emails have carried a Word document that spawns a command shell, which kicks off a PowerShell script. When working incidents, it is important to map out the attacker lifecycle to determine where to improve your defenses.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21749&rss
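The Word → cmd.exe → PowerShell chain is visible in process-creation telemetry, and the parent/child relationship is the control point. The code below is an added example (not the ISC diary's code) that reconstructs process ancestry from a list of process-creation events and reports any command shell or script host with an Office application among its ancestors, noting whether the PowerShell command line used an encoded command. The event fields (pid, ppid, image, cmdline) are the ones a Sysmon event 1 or EDR record would carry; the events themselves and the process-name lists are constructed for the demo.

```python
"""Detect shells and script hosts spawned (directly or via cmd.exe) by an
Office application, from process-creation events. Added example for the
Word -> cmd -> PowerShell chain in the diary; not ISC code. Assumptions:
events carry pid/ppid/image/cmdline (as Sysmon event 1 does); the sample
events and the process-name sets below are constructed."""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WATCHED = SHELLS | SCRIPT_HOSTS
# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...)
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?(?=\s)")

# Constructed sample: one Word -> cmd -> powershell chain plus benign neighbours
EVENTS = [
    {"pid": 700,  "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4012, "ppid": 700,  "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docm"'},
    {"pid": 4020, "ppid": 4012, "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"pid": 5100, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"pid": 5120, "ppid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgA"},
    {"pid": 6000, "ppid": 700,  "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Service"},
]


def basename(image):
    """Lower-cased file name; ntpath handles backslash paths on any platform."""
    return ntpath.basename(image).lower()


def ancestry(event, by_pid, max_depth):
    """[event, parent, grandparent, ...] up to max_depth hops.
    Simplification: PIDs are assumed unique within the event set; real logs
    need the ProcessGuid or creation time to disambiguate PID reuse."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def office_spawn_chains(events, max_depth=3):
    """Return one hit per shell/script host that has an Office app within max_depth ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in WATCHED:
            continue
        names = [basename(x["image"]) for x in ancestry(e, by_pid, max_depth)]
        for depth, name in enumerate(names[1:], start=1):  # names[0] is the process itself
            if name in OFFICE_APPS:
                hits.append({"pid": e["pid"],
                             "chain": list(reversed(names[:depth + 1])),
                             "encoded": bool(ENCODED_FLAG.search(e["cmdline"])),
                             "cmdline": e["cmdline"]})
                break
    return hits


if __name__ == "__main__":
    for hit in office_spawn_chains(EVENTS):
        print(" -> ".join(hit["chain"]), "| encoded:", hit["encoded"], "|", hit["cmdline"])
```

Each reported chain names the edge where a control belongs: the Office application should not be spawning cmd.exe at all, so the first hop is where an allow-listing or child-process restriction pays off, while the encoded-command flag is a cheap secondary signal for the PowerShell stage.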
*** Telegram API ransomware wrecked three weeks after launch ***
---------------------------------------------
Crypto so bad that getting around it is shooting fish in a barrel. Ransomware scum abusing the protocol of the popular Telegram encrypted chat app have been wrecked and their malware's ransom system decrypted.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/23/owned_teleg…
*** Vuln: TP-LINK TL-WA5210G Buffer Overflow and Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94481
*** Pentest-Report cURL 08.2016 [PDF] ***
---------------------------------------------
This report documents findings of a source code audit dedicated to assessing the cURL software. The assessment of the tool was performed by Cure53 as part of the Mozilla's Secure Open Source track program. The results of the project encompass twenty-three security-relevant discoveries.
---------------------------------------------
https://wiki.mozilla.org/images/a/aa/Curl-report.pdf
*** Acunetix 10.0 DLL Hijacking ***
---------------------------------------------
Topic: Acunetix 10.0 DLL Hijacking. Risk: Medium. Title: Acunetix 10 Multi DLL Hijacking. Application: Acunetix. Versions Affected: 10.0. Vendor URL: http://www.acunetix.com Di...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110196
*** Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-16-308-02 Schneider Electric Magelis HMI Resource Consumption Vulnerabilities that was published November 3, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for resource consumption vulnerabilities affecting Schneider Electric's Magelis human-machine interface products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02
*** Security updates available in Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1 ***
---------------------------------------------
Foxit has released Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1, which address potential security and stability issues
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.php
*** Security Advisory: PHP vulnerability - CVE-2016-6288 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?…
*** Siemens ***
---------------------------------------------
*** Siemens SIMATIC CP 1543-1 Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-327-01
---------------------------------------------
*** Siemens SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-327-02
---------------------------------------------
*** Siemens Industrial Products Local Privilege Escalation Vulnerability (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02
*** Huawei ***
---------------------------------------------
*** Security Advisory - Multiple Security Vulnerabilities in Huawei Smart Phone Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Privilege Escalation Vulnerability in the FusionStorage ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in TP Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Integer Overflow Vulnerability in Some Huawei Devices ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in HIFI Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
*** VMware ***
---------------------------------------------
*** VMSA-2016-0022 ***
https://www.vmware.com/security/advisories/VMSA-2016-0022.html
---------------------------------------------
*** VMSA-2016-0021 ***
https://www.vmware.com/security/advisories/VMSA-2016-0021.html
---------------------------------------------
*** VMSA-2016-0018.3 ***
https://www.vmware.com/security/advisories/VMSA-2016-0018.html
*** Novell ***
---------------------------------------------
*** eDirectory 9.0.2 (non-root) for Linux ***
https://download.novell.com/Download?buildid=dgSdIXwk2Cc~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 8 for Linux ***
https://download.novell.com/Download?buildid=OFnb6Ew8wPM~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 8 for Windows ***
https://download.novell.com/Download?buildid=wPIC5t8Drqo~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 for Linux ***
https://download.novell.com/Download?buildid=zJBqj6SjCzg~
---------------------------------------------
*** iManager 3.0.2 for Linux ***
https://download.novell.com/Download?buildid=rIhWBDnLYU8~
---------------------------------------------
*** iManager 3.0.2 for Windows ***
https://download.novell.com/Download?buildid=iMupD_KbGcA~
---------------------------------------------
*** eDirectory 9.0.2 for Linux ***
https://download.novell.com/Download?buildid=TLXIiZ6uoho~
---------------------------------------------
*** eDirectory 9.0.2 for Windows ***
https://download.novell.com/Download?buildid=_N2FUsWAalg~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 (non-root) for Linux ***
https://download.novell.com/Download?buildid=Y9WDuLNbJxE~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 for Windows ***
https://download.novell.com/Download?buildid=aDcgeiAEaYc~
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-11-2016 18:00 − Tuesday 22-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Windows 10 Cannot Protect Insecure Applications Like EMET Can ***
---------------------------------------------
Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities.
---------------------------------------------
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecur…
*** SSA-603476 (Last Update 2016-11-21): Web Vulnerabilities in SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476…
*** Facebook Messenger: Malware via SVG ***
---------------------------------------------
Beware of file attachments in Facebook's chat: hijacked accounts are sending malware, lately in the form of an SVG graphic.
---------------------------------------------
https://www.heise.de/newsticker/meldung/Facebook-Messenger-Malware-via-SVG-…
*** Moodle Vulns ***
---------------------------------------------
*** Vuln: Moodle MSA-16-0026 Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94456
---------------------------------------------
*** Vuln: Moodle CVE-2016-8643 Security Bypass Vulnerability ***
http://www.securityfocus.com/bid/94457
---------------------------------------------
*** Vuln: Moodle CVE-2016-8644 Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94458
*** Exploit Code Released for NTP Vulnerability ***
---------------------------------------------
NTP 4.2.8p9 includes a patch for a vulnerability that could crash ntpd with a single malformed packet.
---------------------------------------------
http://threatpost.com/exploit-code-released-for-ntp-vulnerability/122104/
*** The Kings in Your Castle, Pt. #3 ***
---------------------------------------------
In the third episode of Marion Marschalek's and Raphael Vinot's series of articles on modern APTs, they shine some light on the prevalence of zero-day vulnerabilities. In reality, the use of zero-days is far less common than expected. In fact, APT groups in some cases exploit vulnerabilities that are a couple of years old. On the analysts' side, they explain that identical hashes are by no means a reliable indicator for dealing with identical files.
---------------------------------------------
https://blog.gdatasoftware.com/2016/11/29302-kings-in-your-castle-pt-3
*** TYPO3 ***
---------------------------------------------
*** Path Traversal in TYPO3 Core ***
https://typo3.org/news/article/path-traversal-in-typo3-core/
---------------------------------------------
*** Insecure Unserialize in TYPO3 Backend ***
https://typo3.org/news/article/insecure-unserialize-in-typo3-backend/
*** Businesses as Ransomware's Goldmine: How Cerber Encrypts Database Files ***
---------------------------------------------
Possibly to maximize the earning potential of Cerber's developers and their affiliates, the ransomware incorporated a routine with heavier impact to businesses: encrypting database files.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/KntWjaKLssw/
*** Android Trojan GT!tr.spy said to target mainly German bank customers ***
---------------------------------------------
Fortinet says it has come across a current Android Trojan named GT!tr.spy that primarily goes after credit card and login data of German and Austrian bank customers. Customers of 15 unnamed German and five Austrian banks are said to be at risk ...
---------------------------------------------
https://heise.de/-3494472
*** FortiOS flow-mode detection bypass under certain conditions ***
---------------------------------------------
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (a nearly instantaneous process). This tends to impact long-lived network sessions...
---------------------------------------------
http://fortiguard.com/advisory/fortios-flow-mode-detection-bypass-under-cer…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: OpenSSL vulnerability CVE-2016-8610 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/11/sol11307303.html?…
---------------------------------------------
*** Security Advisory: ImageMagick vulnerabilities CVE-2015-8895 and CVE-2015-8896 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/30/sol30403302.html?…
---------------------------------------------
*** Security Advisory: ImageMagick vulnerability CVE-2015-8898 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/68/sol68785753.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991724
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack for Bare Machine Recovery Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) ***
http://www.ibm.com/support/docview.wss?uid=swg21993925
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) ***
http://www.ibm.com/support/docview.wss?uid=swg21993916
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in busybox affect IBM Security Network Protection (CVE-2014-4607, and CVE-2014-9645 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990083
---------------------------------------------
*** IBM Security Bulletin: Multiple Denial of Service vulnerabilities with Expat might affect IBM HTTP Server used with IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989336
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993565
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-0377 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993522
---------------------------------------------
*** IBM Vulnerabilities in BIND impact AIX (CVE-2016-2776, CVE-2016-2775) ***
http://aix.software.ibm.com/aix/efixes/security/bind_advisory13.asc
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect AIX ***
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-11-2016 18:00 − Monday 21-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Vuln: Huawei Smart Phones Multiple Local Denial of Service Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94404
*** Vuln: Multiple Lenovo ThinkPad Products CVE-2016-8222 Local Security Bypass Vulnerability ***
---------------------------------------------
Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
---------------------------------------------
http://www.securityfocus.com/bid/94409
*** Security Advisory: PHP vulnerability CVE-2016-6289 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52430518.html?…
*** SSA-672373 (Last Update 2016-11-18): Vulnerabilities in SIMATIC CP 1543-1 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-672373…
*** SSA-701708 (Last Update 2016-11-18): Local Privilege Escalation in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708…
*** SAP NetWeaver AS ABAP 7.4 Directory Traversal ***
---------------------------------------------
The code provides access to the file specified after the READ DATASET statement. The variable passed to the statement's input is populated from user input. Thus, the user can access files stored on the operating system. This vulnerability is called a directory traversal.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110168
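The pattern described above, a user-controlled name passed straight to a file-read statement, is the same in any language. Below is an added example (in Python, not SAP's ABAP code) that puts the flawed reader beside a hardened one: the safe version rejects absolute paths, canonicalises the joined path with realpath (which also resolves planted symlinks) and requires the result to remain under the base directory, using commonpath rather than a string prefix test. The directory layout is constructed in a temporary directory so the demo runs anywhere.

```python
"""Directory traversal as the advisory describes it (user-controlled path
handed to a file read), shown in Python beside the hardened version.
Added example; not SAP's code. The file layout is constructed in a
temporary directory so the script is self-contained."""
import os
import tempfile


def read_unsafe(base_dir, user_path):
    """Mirrors the flaw: the user-supplied name is joined and read as-is.
    '../' sequences escape base_dir, and os.path.join drops base_dir
    entirely when user_path is absolute."""
    with open(os.path.join(base_dir, user_path), "r", encoding="utf-8") as fh:
        return fh.read()


def read_safe(base_dir, user_path):
    """Hardened: canonicalise and require the target to stay under base_dir.
    realpath resolves '..' and symlinks, so a link planted inside the
    allowed tree that points outside it is rejected as well."""
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the right comparison; target.startswith(base) would
    # accept a sibling such as /srv/reports-secret when base is /srv/reports
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def rejects(base_dir, user_path):
    """True if the hardened reader refuses the path."""
    try:
        read_safe(base_dir, user_path)
    except ValueError:
        return True
    return False


def setup_demo():
    """Constructed layout: <tmp>/reports/2016/q4.txt is allowed,
    <tmp>/secret.txt lies outside the allowed tree, and
    <tmp>/reports/link.txt is a symlink to the secret (where symlinks work)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "reports")
    os.makedirs(os.path.join(base, "2016"))
    with open(os.path.join(base, "2016", "q4.txt"), "w", encoding="utf-8") as fh:
        fh.write("Q4 figures")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("db password")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link.txt"))
    except OSError:
        pass  # symlinks unavailable on this platform; the demo still runs
    return base


if __name__ == "__main__":
    base = setup_demo()
    print("unsafe read of ../secret.txt:", read_unsafe(base, "../secret.txt"))
    print("safe read of 2016/q4.txt:", read_safe(base, "2016/q4.txt"))
    for p in ("../secret.txt", "2016/../../secret.txt", "link.txt"):
        print(f"safe rejects {p!r}:", rejects(base, p))
```

The check belongs immediately before the read, on the canonical path, not on the raw input: filtering "../" out of the string is bypassable by encoding variants and by symlinks, while comparing the resolved path against the resolved base is not.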
*** Update important: security warning for Symantec software ***
---------------------------------------------
The BSI has issued a level-4 security warning regarding the Symantec Endpoint Security products and recommends an immediate update.
---------------------------------------------
https://heise.de/-3492125
*** Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware ***
---------------------------------------------
An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. This is the second issue of its kind to come to light this week, after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/A1TnPdkseTU/second-chinese-…
*** Putty Cleartext Password Storage ***
---------------------------------------------
Putty.exe stores Passwords unencrypted for sessions that use a Proxy connection and specify a password to save.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110172
*** WordPress Plugin MailChimp 4.0.7 - Cross-Site Request Forgery / XSS ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110174
*** Vuln: Apache OpenOffice CVE-2016-6803 Local Privilege Escalation Vulnerability ***
---------------------------------------------
Apache OpenOffice is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain elevated privileges.
Apache OpenOffice 4.1.2 and prior versions are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94418
*** DFN-CERT-2016-1916: GStreamer plugin: A vulnerability allows the execution of arbitrary code ***
---------------------------------------------
A remote, unauthenticated attacker can use a specially crafted media file to cause a heap buffer overflow, thereby control large regions of memory and subsequently execute arbitrary code.
In combination with other security flaws and design decisions on certain Linux systems, the vulnerability can be exploited simply by visiting a specially crafted web page. No user interaction is required.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1916/
*** Bugtraq: [security bulletin] HPSBHF03675 rev.1 - HPE Integrated Lights-Out 3 and 4 (iLO 3, iLO 4), Cross-Site Scripting (XSS) ***
---------------------------------------------
HPE has made the following firmware updates available to resolve the
vulnerability in iLO 3 and iLO 4:
For iLO3, please upgrade to firmware v1.88
For iLO4, please upgrade to firmware v2.44
---------------------------------------------
http://www.securityfocus.com/archive/1/539791
*** Oil and Gas Cybersecurity part 3: Midstream Security for Oil ***
---------------------------------------------
I hope you enjoyed the previous parts of Oil and Gas Cyber Security series (Upstream Cyber Security and Oil and Gas Cyber Security 101). Today we will talk about OT and ICS with a special focus on the Midstream sector of the petroleum industry.
---------------------------------------------
http://resources.infosecinstitute.com/oil-and-gas-cybersecurity-part-3-mids…
*** Nemucod Infections Spreading Locky Over Facebook ***
---------------------------------------------
Researchers have spotted an increase in Nemucod downloader infections moving via Facebook Messenger spam, with some victims being infected with Locky ransomware.
---------------------------------------------
http://threatpost.com/nemucod-infections-spreading-locky-over-facebook/1220…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM Social Rendering Templates for Digital Data Connector (CVE-2016-8936) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993895
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a vulnerability discovered in XSTREAM (CVE-2016-3674) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992217
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco MDS Directors and Switches (CVE-2016-0701, CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009610
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco MDS Directors and switches (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009608
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-11-2016 18:00 − Friday 18-11-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Web page visited, Linux hacked ***
---------------------------------------------
Linux users can pick up malicious code merely by visiting a web page. The cause is a combination of individually harmless events plus a zero-day vulnerability. Fedora Workstation is primarily affected.
---------------------------------------------
https://heise.de/-3489774
*** Google Removing SHA-1 Support in Chrome 56 ***
---------------------------------------------
Google released its final SHA-1 deprecation deadlines, and crypto services provider Venafi said that 35 percent of the web is still running weak SHA-1 certificates.
---------------------------------------------
http://threatpost.com/google-removing-sha-1-support-in-chrome-56/122041/
*** MacBook Pro 2016: malware protection partly disabled at the factory ***
---------------------------------------------
Apple apparently failed to enable macOS System Integrity Protection (SIP) on all MacBook Pro models with Touch Bar. SIP is meant to limit what malware can do.
---------------------------------------------
https://heise.de/-3491210
*** 8 million GitHub profiles scraped, data found leaking online ***
---------------------------------------------
Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/11/18/8-million-github-profiles-scrape…
*** DSA-3718 drupal7 - security update ***
---------------------------------------------
Multiple vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/SA-CORE-2016-005
---------------------------------------------
https://www.debian.org/security/2016/dsa-3718
*** Metadata: Apple stores connection records in iCloud for several months ***
---------------------------------------------
Apple likes to describe itself as a privacy-minded company. A newly discovered feature shows, however, that Apple keeps connection records in iCloud backups for several months. Not everyone will like that.
---------------------------------------------
http://www.golem.de/news/metadaten-apple-speichert-verbindungsdaten-mehrere…
*** Top-level domain .box causes problems for Fritzbox routers ***
---------------------------------------------
The router is reachable on the internal network via the domain name fritz.box
---------------------------------------------
http://derstandard.at/2000047782737
*** iPhone: lock screen flaw allows access to contacts and photos ***
---------------------------------------------
The attack method is said to work on the latest iOS versions as well
---------------------------------------------
http://derstandard.at/2000047783306
*** Google Project Brillo: IoT Android to be more secure than smartphone Android ***
---------------------------------------------
Compared to Android, Google is completely overhauling how it works with manufacturers for its Internet of Things system Brillo. There will be only one Linux kernel, which ..
---------------------------------------------
http://www.golem.de/news/google-project-brillo-iot-android-wird-sicherer-al…
*** The Rampage of Locky ***
---------------------------------------------
Locky has been a constant in the malware zoo for a considerable time. And while we are aware that there are still victims being hit by the variant sporting the .ODIN extension, ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/11/29310-the-rampage-of-locky
*** File sharing: hackers steal source code from Mega.nz ***
---------------------------------------------
Several gigabytes of source code and some admin credentials were copied from Kim Dotcom's service Mega.nz. According to the company, no user data is affected, and the published credentials are said to be outdated.
---------------------------------------------
http://www.golem.de/news/filesharing-hacker-erbeuten-sourcecoude-von-mega-n…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-11-2016 18:00 − Thursday 17-11-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** VMSA-2016-0020 ***
---------------------------------------------
vRealize Operations update addresses REST API deserialization vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0020.html
*** VMSA-2016-0016.1 ***
---------------------------------------------
vRealize Operations (vROps) updates address privilege escalation vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0016.html
*** Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005 ***
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-005
*** VMSA-2016-0018.1 ***
---------------------------------------------
VMware product updates address local privilege escalation vulnerability in Linux kernel
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0018.html
*** Antivirus tools are a useless box-ticking exercise says Google security chap ***
---------------------------------------------
Advocates whitelists and other tools that genuinely help security. Kiwicon: Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort ..
---------------------------------------------
www.theregister.co.uk/2016/11/17/google_hacker_pleads_try_whitelists_not_ju…
*** DSA-3716 firefox-esr - security update ***
---------------------------------------------
Multiple security issues have been found in the Mozilla Firefox web browser: multiple memory safety errors, buffer overflows and other implementation errors may ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3716
*** Tails 2.7 is out ***
---------------------------------------------
https://tails.boum.org/news/version_2.7/
*** Malware Hunters Catch New Android Spyware For Governments In The Wild ***
---------------------------------------------
A group of malware hunters has caught a new Android spyware in the wild. The spyware is marketed to governments and police forces and was made in Italy—but it wasn’t built by the infamous surveillance tech vendor Hacking Team.
---------------------------------------------
https://motherboard.vice.com/read/malware-hunters-catch-new-android-spyware…
*** Internet of Things: US government publishes security strategy ***
---------------------------------------------
The US government has drawn up six recommendations for a less insecure Internet of Things. The official document could give developers and security departments a tailwind.
---------------------------------------------
https://heise.de/-3488886
*** Ransomware Ransoc said to spy on social media accounts ***
---------------------------------------------
According to security researchers, Ransoc threatens to publish personal data. To do so, it reportedly builds an individual ransom note from private pictures and information.
---------------------------------------------
https://heise.de/-3488976
*** Call for Papers Domain pulse 2017 ***
---------------------------------------------
The general theme of Domain pulse 2017 is "Networking in networks", in the broadest sense of the term. Who or what is being networked? How important is networking? Where does it take place? How can it succeed best? And which problems can it solve?
---------------------------------------------
http://www.domainpulse.at/de/call-for-papers
*** Forensics tool vendor: Apple stores iPhone call logs in iCloud, for many months ***
---------------------------------------------
Apple automatically synchronises the call history of iCloud users without explicitly pointing this out. The vendor's software reportedly gives law enforcement agencies ..
---------------------------------------------
https://heise.de/-3490866
*** Confessions of a Google Spammer ***
---------------------------------------------
Before I became an inbound marketer, I once made $50,000 a month spamming Google. I worked a maximum of 10 hours a week. And I am telling you from the bottom of my heart: never, never ever follow in my footsteps.
---------------------------------------------
https://readthink.com/confessions-of-a-google-spammer-4f2e0c3e9869
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-11-2016 18:00 − Wednesday 16-11-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Chinese company installed secret backdoor on hundreds of thousands of phones ***
---------------------------------------------
http://arstechnica.com/security/2016/11/chinese-company-installed-secret-ba…
*** Carbanak Attacks Shift to Hospitality Sector ***
---------------------------------------------
The Carbanak cybercrime gang has shifted strategy and targets the hospitality and restaurant industries with new techniques and malware.
---------------------------------------------
http://threatpost.com/carbanak-attacks-shift-to-hospitality-sector/121966/
*** Cloned Spam Sites in Subdirectories ***
---------------------------------------------
In a recent post, we covered how attackers were abusing server resources to create WordPress sites in subdirectories and distribute spam. By adding a complete WordPress CMS installation into a directory and using ..
---------------------------------------------
https://blog.sucuri.net/2016/11/cloned-spam-sites-in-subdirectories.html
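The Sucuri post above describes attackers dropping a complete WordPress tree into a subdirectory of a compromised site. The following added example (not Sucuri's code, not part of the original post) shows one way to hunt for such clones on a web root: it walks the document root, treats any directory that contains the full set of WordPress core entry files as an installation, and reports every installation that is not on an allow-list of known locations. The marker file set, the constructed sample tree and the allow-list semantics are assumptions made for this example.

```python
import os
import tempfile

# Files present in every complete WordPress core tree. A directory holding all
# of them is treated as an installation. (Assumption for this example.)
WP_MARKERS = ("wp-settings.php", "wp-load.php", "wp-blog-header.php")


def find_wp_installs(docroot):
    """Return the relative paths of every directory under docroot that holds a
    full WordPress core tree; the document root itself is reported as ''."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if all(marker in filenames for marker in WP_MARKERS):
            rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
            found.append("" if rel == "." else rel)
    return sorted(found)


def rogue_installs(docroot, allowed=("",)):
    """Installations outside the allow-list of legitimate locations.
    By default only the document root itself is considered legitimate."""
    return [path for path in find_wp_installs(docroot) if path not in allowed]


def build_sample_docroot():
    """Constructed sample input: a throwaway web root with a legitimate install
    at the top level, a legitimate second site in blog/, and a cloned copy
    hidden deep inside the uploads directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for site in ("", "blog", "wp-content/uploads/2016/11/cheap-shoes"):
        site_dir = os.path.join(root, site)
        os.makedirs(site_dir, exist_ok=True)
        for marker in WP_MARKERS:
            open(os.path.join(site_dir, marker), "w").close()
    # An uploads directory that only holds media must not be flagged.
    media_dir = os.path.join(root, "wp-content/uploads/2016/10")
    os.makedirs(media_dir, exist_ok=True)
    open(os.path.join(media_dir, "photo.jpg"), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for path in rogue_installs(sample_root, allowed=("", "blog")):
        print("unexpected WordPress install:", path)
```

Run against a real web root, pass the directories that are supposed to contain WordPress as `allowed`; anything else the scan reports deserves a look at its creation time and at who owns the files.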
*** Fake fax ushers in revival of a ransomware family ***
---------------------------------------------
“Criminal case against you” is a message that may understandably cause panic. That’s what a recent spam campaign hopes happens, increasing the likelihood of ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/11/15/fake-fax-ushers-in-revi…
*** Malspam distributing Troldesh ransomware ***
---------------------------------------------
Earlier this week on Monday 2016-11-14, I found an example of malicious spam (malspam) distributing Troldesh ransomware. Troldesh (also called ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21717
*** Lynxspring JENEsys BAS Bridge Vulnerabilities ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-320-01
*** VMware products patched: attackers can break out of the guest system ***
---------------------------------------------
Fusion and Workstation contain a critical vulnerability.
---------------------------------------------
https://heise.de/-3484180
*** Investigation against Skidata in industrial espionage case dropped ***
---------------------------------------------
The Salzburg company allegedly spied on customer data on a competitor's IT server; according to the public prosecutor, there was no unlawful data access.
---------------------------------------------
http://derstandard.at/2000047640813
*** Privacy in Mac app: Shazam will no longer listen permanently ***
---------------------------------------------
A microphone that is permanently switched on is likely to make many users uneasy. That is exactly what Shazam did on the Mac, at least since 2014. Now the ..
---------------------------------------------
http://www.golem.de/news/datenschutz-bei-mac-app-shazam-will-nicht-mehr-dau…
*** Security updates: Symantec software can choke on a DLL ***
---------------------------------------------
Various Symantec products are vulnerable. In the worst case, attackers can take over systems.
---------------------------------------------
https://heise.de/-3484233
*** Analysts apply Occams razor to Tesco Bank breach ***
---------------------------------------------
Unexpected items in the banking area. Analysis: Security analysts have narrowed down the range of possible explanations for the Tesco Bank breach.
---------------------------------------------
www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analy…
*** Wickedly Clever USB Stick Installs a Backdoor on Locked PCs ***
---------------------------------------------
The proof-of-concept tool PoisonTap uses a series of subtle design flaws to steal a victim's cookies and even hack their router or intranet.
---------------------------------------------
https://www.wired.com/2016/11/wickedly-clever-usb-stick-installs-backdoor-l…
*** IT security: Facebook buys passwords on the darknet ***
---------------------------------------------
Facebook's chief security officer describes password reuse as the "biggest danger for ..
---------------------------------------------
http://www.golem.de/news/it-sicherheit-facebook-kauft-passwoerter-im-darkne…
*** Automotive supplier: Leoni posts losses after 40 million fraud ***
---------------------------------------------
The fraud case has left its mark on Leoni. After around 40 million euros were stolen, the company posted a loss in the past quarter. Investigations continue.
---------------------------------------------
http://www.golem.de/news/automobilzulieferer-leoni-schreibt-nach-40-million…
*** After the Adobe hack: settlement on a one million US dollar penalty ***
---------------------------------------------
Adobe has agreed with a total of 15 US states on a combined penalty of one million US dollars because the company lost millions of user records in 2013. Attackers had obtained them in a hack.
---------------------------------------------
https://heise.de/-3485542
*** Cisco Email Security Appliance MIME Header Processing Filter Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-11-2016 18:00 − Tuesday 15-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Vuln: Git for Windows CVE-2016-9274 Unspecified Untrusted Search Path vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94289
*** CVE-2016-4484: Cryptsetup Initrd root Shell ***
---------------------------------------------
An attacker with access to the console of the computer and the ability to reboot it can launch a shell (with root permissions) when prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (as far as we know). But other partitions may not be encrypted, and are therefore accessible.
---------------------------------------------
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.…
*** phpWebAdmin Version 1.0 SQL Injection Proof Of Concept Exploit ***
---------------------------------------------
The user parameter in the index.php file is vulnerable to a blind, time-based SQL injection attack. A proof-of-concept exploit is attached in the linked advisory.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110127
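The advisory above only names the vulnerable parameter. As an added example (not phpWebAdmin's code, which is PHP, and not taken from the advisory), the block below shows the general pattern behind a blind injection in a user lookup: a query assembled by string formatting next to its parameterised form, plus the inference loop an attacker runs against the vulnerable version. SQLite has no sleep function, so the loop uses the boolean form of blind injection (does a row come back or not); a time-based variant asks the database to delay instead, but the per-character inference is identical. The in-memory table, its rows and the column names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("guest", "guest")])
    conn.commit()
    return conn


def lookup_unsafe(conn, user):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so quotes and comment markers in it change the query's structure."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % user
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user):
    """Hardened form: the value travels as a bound parameter and can never be
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (user,)).fetchall()


def blind_extract(oracle, column, row_user, alphabet, max_len=16):
    """Recover `column` for the row of `row_user` one character at a time.
    `oracle(payload)` returns True when the application shows a result row,
    which is the only signal a blind injection needs."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = "%s' AND substr(%s,%d,1)='%s' -- " % (row_user, column, pos, ch)
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: we are past the end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("unsafe lookup with ' OR 1=1:", lookup_unsafe(db, "x' OR 1=1 -- "))
    print("safe lookup with same input:", lookup_safe(db, "x' OR 1=1 -- "))
    print("password recovered through the unsafe lookup:",
          blind_extract(lambda u: bool(lookup_unsafe(db, u)), "password", "admin", alphabet))
```

The fix is the second function, not input filtering: once the value is bound, the same `blind_extract` loop returns an empty string because no payload ever matches a username.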
*** ImageMagick MagickCore/fx.c Heap Buffer Overflow Vulnerability ***
---------------------------------------------
ImageMagick is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits may result in denial-of-service condition.
---------------------------------------------
http://www.securityfocus.com/bid/94310/discuss
*** The Kings in Your Castle, Pt #2 ***
---------------------------------------------
The second part of Marion Marschalek's and Raphael Vinot's article series deals with questions surrounding the tools and the data used by analysts. They shine a light on some of the challenges facing analysts when it comes to Indicators of Compromise. While those are easily created and implemented, they can end up being outdated rather quickly. For an effective strategy, other metrics are required which are less easy to create.
---------------------------------------------
https://blog.gdatasoftware.com/2016/11/29304-the-kings-in-your-castle-pt-2
*** Popular Chrome extensions mutated into ad slingers ***
---------------------------------------------
Some popular Chrome extensions are apparently being abused to spread dubious advertisements. Anyone who has one of them installed should remove it immediately.
---------------------------------------------
https://heise.de/-3465981
*** Windows Mobile Application Penetration Testing Part 4: Intercepting HTTP/HTTPS Traffic on Windows Phones ***
---------------------------------------------
Introduction and Background: In the previous article of the series, we have discussed Sideloading concepts associated with Windows Phone 8.1 apps and UWP apps. In this article, we will discuss how to get your phones/emulators ready for intercepting HTTP/HTTPS traffic to proceed with further analysis of the application.
---------------------------------------------
http://resources.infosecinstitute.com/windows-mobile-application-penetratio…
*** Bypassing Mixed Content Warnings - Loading Insecure Content in Secure Pages ***
---------------------------------------------
There is no doubt that the web is moving forward to HTTPS (secure) content. Most of the big names have their certificates ready today and their websites are, in effect, secure. But have you ever wondered: secure to what extent?
---------------------------------------------
https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/
*** Cisco IOS XE Software Directory Traversal Vulnerability ***
---------------------------------------------
A vulnerability in the package unbundle utility of Cisco IOS XE Software could allow an authenticated, local attacker to gain write access to some files in the underlying operating system. The vulnerability is due to insufficient validation of files submitted to the affected installation utility. An attacker could exploit this vulnerability by uploading a crafted file to an affected system and running the installation utility command.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
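The advisory describes the classic shape of an unbundle/unpack traversal: member paths inside a submitted package are trusted, so `../` components or link entries land files outside the staging directory. The block below is an added example (not Cisco's code, and it makes no claim about the IOS XE package format) that audits a tar archive before extraction: every member's resolved path, and every symlink or hard-link target, must stay inside the destination, and the archive is rejected as a whole if any member fails. The destination name, the sample archive contents and the rejection policy are assumptions of the example.

```python
import io
import os
import tarfile


def _inside(base, path):
    """True if `path`, once normalised, still lies inside `base`."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def audit_members(tar, dest):
    """Return (member name, reason) for every member that must not be unpacked
    into dest. An empty list means the archive is safe to extract there."""
    problems = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _inside(dest, os.path.join(dest, m.name)):
            problems.append((m.name, "path escapes destination"))
        elif m.issym():
            # a symlink target is resolved relative to the link's own directory
            target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, target):
                problems.append((m.name, "symlink target escapes destination"))
        elif m.islnk():
            # a hard-link target is a path relative to the archive root
            target = os.path.join(dest, m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, target):
                problems.append((m.name, "hard link target escapes destination"))
        elif not (m.isfile() or m.isdir()):
            problems.append((m.name, "device or fifo member"))
    return problems


def audit_bytes(tar_bytes, dest):
    """Audit an uncompressed tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return audit_members(tar, dest)


def safe_extract(tar_bytes, dest):
    """Refuse the whole archive if any member is unsafe; otherwise unpack it."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        problems = audit_members(tar, dest)
        if problems:
            raise ValueError("refusing to unpack: %r" % problems)
        # newer Pythons offer a built-in 'data' filter; use it when present
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)


def build_archive(entries):
    """Constructed sample input. Entries are (name, data) for regular files or
    (name, None, linkname) for symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) == 3:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


if __name__ == "__main__":
    crafted = build_archive([
        ("pkg/version.txt", b"1.0\n"),
        ("../../etc/hostname", b"owned\n"),       # climbs out of the staging dir
        ("pkg/escape", None, "../../../"),        # symlink pointing above it
    ])
    for name, reason in audit_bytes(crafted, "staging"):
        print("rejected member %r: %s" % (name, reason))
```

Checking the resolved path rather than looking for the literal string `..` is what makes this hold up: `pkg/../../x`, trailing-slash variants and link entries all collapse to a path comparison against the destination.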
*** Single sign-on: one billion accounts vulnerable to hijacking ***
---------------------------------------------
Single sign-on is convenient, but is often implemented incorrectly. Security researchers have demonstrated the mistakes app developers make. Several hundred apps were found to be affected.
---------------------------------------------
http://www.golem.de/news/single-sign-on-eine-milliarde-accounts-fuer-hijack…
*** DLL Loading Issue in Symantec Enterprise Products ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: OpenSSL vulnerability CVE-2016-2180 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02652550.html?…
---------------------------------------------
*** Security Advisory: BIG-IP ASM vulnerability CVE-2016-7472 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17119920.html?…
---------------------------------------------
*** Security Advisory: Apache Tomcat vulnerabilities CVE-2016-5018, CVE-2016-6794, and CVE-2016-6796 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65230547.html?…
---------------------------------------------
*** Security Advisory: Apache Tomcat vulnerability CVE-2016-6797 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36302720.html?…
---------------------------------------------
*** Security Advisory: Apache Tomcat vulnerability CVE-2016-0762 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36784855.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center (CVE-2016-5554, CVE-2016-5556, CVE-2016-5568) ***
http://www.ibm.com/support/docview.wss?uid=swg21993861
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM ILOG CPLEX Enterprise Server (CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5582) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993857
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024488
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Perl affects Power Hardware Management Console (CVE-2016-1238) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021704
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple perl vulnerabilities (CVE-2016-1238, CVE-2016-2381, CVE-2016-8853) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024470
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a vulnerability in fontconfig (CVE-2016-5384) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024468
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a vulnerability in sqlite (CVE-2016-6153) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024467
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC Local escalation of privilege vulnerability in DB2 for Linux (CVE-2016-5995) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021652
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue in IBM SONAS (CVE-2016-2119) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009570
---------------------------------------------
*** IBM Security Bulletin: GPFS security vulnerabilities in IBM SONAS (CVE-2016-2985 and CVE-2016-2984) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009323
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-11-2016 18:00 − Monday 14-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** No payment necessary: Fighting back against ransomware ***
---------------------------------------------
Any IT professional who's ever had an experience with malware knows how fast an intrusive attack can happen, and how difficult it can be to educate employees to be vigilant against such threats. And with ransomware attacks only growing, having information, tools and technologies to help protect your network can mean the difference between serious...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/11/11/no-payment-necessary-fi…
*** New Guide on How to Fix Hacked Joomla! Sites ***
---------------------------------------------
Joomla! is one of the most popular open-source content management systems (CMS) on the market, powering a large percentage of websites on the internet today. For that reason, we are glad that our team includes a former contributor who helped create the official Joomla! docs on website security. We have also participated in various Joomla! events around the world, and our cofounder Dre Armeda is a keynote speaker at the upcoming Joomla! World Conference in Vancouver, Canada.
---------------------------------------------
https://blog.sucuri.net/2016/11/new-guide-fix-hacked-joomla-sites.html
*** Vuln: Docker Multiple Security Bypass Vulnerabilities ***
---------------------------------------------
Vulnerable: Docker 1.12, Docker 1.6.1, Docker 1.6, Docker 1.3.3, Docker 1.4.1, Docker 1.3.2, Docker 1.3.1, Docker 1.3.0, Docker 1.12.3, Docker 1.12.2, Docker 1.0.0
---------------------------------------------
http://www.securityfocus.com/bid/94272
*** Vuln: Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerabilities ***
---------------------------------------------
Sophos Web Appliance is prone to a privilege-escalation vulnerability and remote code-execution vulnerabilities.
Attackers can leverage these issues to gain elevated privileges or execute arbitrary commands within the context of the affected application.
Sophos Web Appliance 4.2.1.3 is vulnerable; other versions may also be affected.
---------------------------------------------
http://www.securityfocus.com/bid/94274
*** OWASP ModSecurity Core Rule Set Version 3.0 Released ***
---------------------------------------------
Need a new set of generic attack detection rules for your web application firewall? Try the new OWASP ModSecurity Core Rule Set version 3.0.0! Long-time Slashdot reader dune73 writes: The OWASP CRS is a widely-used Open Source set of generic rules designed to protect users against threats like the OWASP Top 10. The rule set is most often deployed in conjunction with an existing Web Application Firewall like ModSecurity.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/DKhaxHVZD-s/owasp-modsecuri…
*** MikroTik RouterOS 6.36.2 Cross Site Scripting ***
---------------------------------------------
Topic: MikroTik RouterOS 6.36.2 Cross Site Scripting
Risk: Low
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110115
*** VMSA-2016-0019 ***
---------------------------------------------
VMware product updates address local privilege escalation vulnerability in Linux kernel
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0019.html
*** Kaspersky Lab Black Friday Threat Overview 2016 ***
---------------------------------------------
Our research shows that, over the last few years, the holiday period which starts on so-called Black Friday was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year.
---------------------------------------------
http://securelist.com/analysis/publications/76615/kaspersky-lab-black-frida…
*** [2016-11-14] Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2 ***
---------------------------------------------
Attackers are able to control the SolarEagle V2.00 / MPPT Solar Controller SMART2 device as authentication is broken. Furthermore, attackers can eavesdrop on the unencrypted communication or cause a denial of service.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** Adult Friend Finder: 412 million accounts of dating site hacked ***
---------------------------------------------
After the Ashley Madison hack there is another large break-in at a dating network. Attackers published 412 million account records from the network of websites around Adult Friend Finder.
---------------------------------------------
http://www.golem.de/news/adult-friend-finder-412-milionen-accounts-von-dati…
*** Vuln: Jenkins Java Deserialization Remote Code Execution Vulnerability ***
---------------------------------------------
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.
---------------------------------------------
http://www.securityfocus.com/bid/94281
*** [TYPO3-announce] Vulnerabilities in multiple third party TYPO3 CMS extensions ***
---------------------------------------------
several vulnerabilities have been found in the following third party TYPO3 extensions:
- "Store Locator" (locator)
- "Code Highlighter" (mh_code_highlighter)
- "Shibboleth Authentication" (shibboleth_auth)
- "Secure Download Form" (rs_securedownload)
- "Member Infosheets" (if_membersheet)
- "TC Directmail" (tcdirectmail)
---------------------------------------------
http://lists.typo3.org/pipermail/typo3-announce/2016/000388.html
*** NIST Small Business Information Security guide for Small businesses ***
---------------------------------------------
The NIST Small Business Information Security: The Fundamentals guide aims to provide basic cybersecurity recommendations to small businesses.
---------------------------------------------
http://securityaffairs.co/wordpress/53423/breaking-news/nist-small-business…
*** [CVE-2016-8736] Apache Openmeetings RMI Registry Java Deserialization RCE ***
---------------------------------------------
Versions Affected: Apache OpenMeetings 3.1.0
Description: Apache OpenMeetings is vulnerable to remote code execution via an RMI deserialization attack. The issue was fixed in 3.1.2. All users are recommended to upgrade to Apache OpenMeetings 3.1.3.
---------------------------------------------
http://www.securityfocus.com/archive/1/539751
*** Recordings from AppSecUSA 2016 in Washington, DC ***
---------------------------------------------
https://www.youtube.com/playlist?list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N
*** E-mail security hole in Drei's LTE router ***
---------------------------------------------
Every user who logs in to a Drei LTE router with a Drei smartphone has access to the router owner's e-mails.
---------------------------------------------
https://futurezone.at/produkte/e-mail-sicherheitsluecke-in-lte-router-von-d…
*** Updated Good Practice Guide on National Cyber Security Strategies by ENISA ***
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/updated-good-practice-guide-on-…
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016 ***
---------------------------------------------
On November 10, 2016, the OpenSSL Software Foundation released a security advisory that describes three vulnerabilities.
...
Cisco investigated its product line to determine which products may be affected by these vulnerabilities and the impact of the vulnerabilities on each affected product. For information about whether a product is affected, refer to the “Vulnerable Products” and “Products Confirmed Not Vulnerable” sections of this advisory.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Master Decryption Keys and Decryptor for the Crysis Ransomware Released. ***
---------------------------------------------
The master decryption keys for the CrySiS Ransomware have been released this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a file containing the master decryption keys and how to use them. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/master-decryption-keys-and-de…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been addressed in LMS 5.0 on Cloud ***
http://www.ibm.com/support/docview.wss?uid=swg21993982
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Storwize V7000 Unified (CVE-2016-6304, CVE-2016-6303, CVE-2016-2178, CVE-2016-6306 and CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009586
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992898
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009585
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993612
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability has been fixed in IBM Security Privileged Identity Manager (CVE-2016-5964) ***
http://www.ibm.com/support/docview.wss?uid=swg21994065
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009590
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM WebSphere Portal (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989359
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update ***
http://www.ibm.com/support/docview.wss?uid=swg21990864
---------------------------------------------
*** IBM Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-0392) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009571
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-11-2016 18:00 − Friday 11-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Benevolent malware? reincarna/Linux.Wifatch, (Fri, Nov 11th) ***
---------------------------------------------
In the "new to me" department. It looks like this one has been around for more than three years. Today I was doing some banner grabbing looking for a Mirai node that had gotten away from me, and came across the Telnet banner below. It appears this device is infected with a piece of malware called Reincarna/Linux.Wifatch. It purports to being a memory resident malware that defends the device from more malicious malware.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21703&rss
*** BSI report on the state of IT security: the situation remains tense ***
---------------------------------------------
In its latest report, the German Federal Office for Information Security (BSI) assesses the current threat situation for IT security in Germany. It points out weaknesses and evaluates, among other things, attack methods.
---------------------------------------------
https://www.heise.de/newsticker/meldung/BSI-Bericht-zur-Lage-der-IT-Sicherh…
*** CA Unified Infrastructure Management Directory Traversal Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a directory traversal vulnerability in CA Technologies Unified Infrastructure Management application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-315-01
*** F5 Security Advisory: Linux TCP stack vulnerability CVE-2016-5696 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46514822.html?…
*** Vuln: Brocade NetIron OS CVE-2016-8203 Memory Corruption Vulnerability ***
---------------------------------------------
An attacker can exploit this issue to cause denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
Brocade NetIron OS 5.8.00 through 5.8.00e, 5.9.00 through 5.9.00bd, 6.0.00, and 6.0.00a are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94232
*** F5 Security Advisory: TMM vulnerability CVE-2016-7476 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/87/sol87416818.html?…
*** MyBB 1.8.6 Cross Site Scripting ***
---------------------------------------------
These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110096
*** Security Advisory - Path Traversal Vulnerability in Huawei Home Gateway Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-462908
*** Vuln: Multiple I-O DATA Network Camera Products CVE-2016-7814 Information Disclosure Vulnerability ***
---------------------------------------------
An attacker can exploit this issue to obtain sensitive information. This may aid in further attacks.
The following products and versions are vulnerable:
TS-WRLP firmware version 1.00.01 and prior
TS-WRLA firmware version 1.00.01 and prior
---------------------------------------------
http://www.securityfocus.com/bid/94250
*** Security Advisory - Input Validation Vulnerability in Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161111-…
*** Windows Mobile Application Penetration Testing Part 3: Sideloading ***
---------------------------------------------
Introduction and Background: In the First article of the series, we have covered the introduction and background required to start learning Windows Mobile Application Penetration Testing. We have also seen the requirements for setting up Windows Phone 8.1 emulators as well as Windows 10 mobile emulators.
---------------------------------------------
http://resources.infosecinstitute.com/windows-mobile-application-penetratio…
*** TYPO3: Cross-Site Scripting in extension "HTML5 Video Player" (html5videoplayer) ***
---------------------------------------------
It has been discovered that the extension "HTML5 Video Player" (html5videoplayer) is susceptible to Cross-Site Scripting.
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-html5-vide…
*** TYPO3: Multiple vulnerabilities in extension "TC Directmail " (tcdirectmail) ***
---------------------------------------------
It has been discovered that the extension "TC Directmail " (tcdirectmail) is susceptible to Cross Site-Scripting and SQL Injection.
---------------------------------------------
https://typo3.org/news/article/multiple-vulnerabilities-in-extension-tc-dir…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in PAM affect Power Hardware Management Console (CVE-2013-7041 and CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021702
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 April 2016 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009348
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-11-2016 18:00 − Thursday 10-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** VMSA-2016-0018 VMware product updates address local privilege escalation vulnerability in linux kernel ***
---------------------------------------------
Relevant Products
* VMware Identity Manager
* vRealize Automation
* vRealize Operations
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0018.html
*** FortiWLC Undocumented Hardcoded core Account ***
---------------------------------------------
FortiWLC comes with a hardcoded account named core which is used by Meru Access Points to send core dumps to the FortiWLC and has read/write privileges over various parts of the system.
Impact: Unauthorized read/write remote access
Affected Products: FortiWLC 7.0-9-1, 7.0-10-0, 8.1-2-0, 8.1-3-2 and 8.2-4-0
---------------------------------------------
https://fortiguard.com/advisory/fortiwlc-undocumented-hardcoded-core-account
*** DeepSec: "Companies are not interested in privacy, except for marketing" ***
---------------------------------------------
Security expert Marcus J. Ranum also sharply criticises his own industry: expensive solutions for little benefit
---------------------------------------------
http://derstandard.at/2000047306876
*** OpenSSL Security Advisory [10 Nov 2016] (CVE-2016-7054, CVE-2016-7053, CVE-2016-7055) ***
---------------------------------------------
CVE-2016-7054: TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
CVE-2016-7053: Applications parsing invalid CMS structures can crash with a NULL pointer dereference.
---------------------------------------------
https://www.openssl.org/news/secadv/20161110.txt
*** ICMP Unreachable DoS Attacks (aka "Black Nurse"), (Thu, Nov 10th) ***
---------------------------------------------
It is not recommended to block all Type 3 ICMP messages. In particular, Type 3 Code 4 (Fragmentation Needed and Don't Fragment was Set) messages are required for path MTU discovery, which many modern operating systems use.
...
So what should you do?
* Don't panic. This is not a big deal. Test your firewall if you can, or check if it is on the vulnerable list
* You are vulnerable if you use a smaller Cisco ASA firewall. Newer/Larger multi-core versions appear to be fine. SonicWall and "some" Palo Alto firewalls appear to be vulnerable too.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21699&rss
*** Bugtraq: Secunia Research: Oracle Outside In "GetTxObj()" Use-After-Free Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539732
*** Bugtraq: Secunia Research: Oracle Outside In "VwStreamRead()" Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539731
*** Internet of Things: security as the problem child ***
---------------------------------------------
Business with smart devices and networked production facilities is booming, but security is often only an afterthought. At a conference in Cologne, industry representatives painted a bleak picture.
---------------------------------------------
https://heise.de/-3463589
*** Windows Mobile Application Penetration Testing Part 2: Understanding Applications ***
---------------------------------------------
In the first article of the series, we covered the introduction and background required to start learning Windows Mobile Application Penetration Testing. We also saw the requirements for setting up Windows Phone 8.1 emulators as well as Windows 10 Mobile emulators. In this article, we will discuss the basics of Windows Phone 8.1 applications and UWP applications.
---------------------------------------------
http://resources.infosecinstitute.com/windows-mobile-application-penetratio…
*** [R3] Nessus 6.9 Fixes Multiple Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-16
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17119920.html?…
---------------------------------------------
*** Security Advisory: SSL renegotiation vulnerability CVE-2011-1473 ***
https://support.f5.com:443/kb/en-us/solutions/public/15000/200/sol15278.htm…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in lquerylv in LVM impacts AIX (CVE-2016-6079) ***
http://aix.software.ibm.com/aix/efixes/security/lquerylv_advisory.asc
---------------------------------------------
*** IBM Security Bulletin: IBM Resilient Cross Site Scripting Vulnerability (CVE-2016-6062) ***
https://success.resilientsystems.com/hc/en-us/articles/213457065-Security-B…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Apache Struts affect IBM WebSphere Portal (CVE-2015-0899, CVE-2016-1181, CVE-2016-1182) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988770
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993571
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting attack affects IBM TS7700 Virtualization Engine (CVE-2015-2017) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1008115
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-11-2016 18:00 − Wednesday 09-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Admins beware: SHA1 certificates are about to be switched off for good ***
---------------------------------------------
From January 2017 on it gets serious: from then on the major browsers will display real error messages when they encounter certificates carrying a SHA1 signature. Such certificates are nevertheless still in use, as a quick test by heise Security shows.
---------------------------------------------
https://heise.de/-3460868
*** AdSense: Google removes banking trojan from its ad network ***
---------------------------------------------
Once again, malware has been distributed through an ad network. A Google AdSense campaign tried to push a banking trojan onto Android users. The ads in question have since been deactivated. (Malware, Virus)
---------------------------------------------
http://www.golem.de/news/adsense-google-entfernt-bankentrojaner-aus-werbene…
*** MS16-NOV - Microsoft Security Bulletin Summary for November 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-NOV
*** App vulnerability: attackers can trigger iPhone calls ***
---------------------------------------------
A flaw in popular iOS apps makes it possible to force the iPhone to automatically dial a particular phone number while at the same time preventing the user from immediately ending the call.
---------------------------------------------
https://heise.de/-3460552
*** November 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library.
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/11/08/november-2016-security-…
*** Thoughts on the recent 'NtSetWindowLongPtr' vulnerability ***
---------------------------------------------
On October 31, Google's security team announced that it had discovered a vulnerability, actively exploited in the wild, in (unspecified) versions of Microsoft Windows. The vulnerability is a local privilege escalation, allowing an unprivileged user to gain kernel privileges.
---------------------------------------------
https://labs.bromium.com/2016/11/08/thoughts-on-the-recent-ntsetwindowlongp…
*** New XM1RPC SEO Spam and Backdoor Campaign ***
---------------------------------------------
We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution. We call it the XM1RPC campaign due to the common backdoor used across all of the compromised sites. The file is named in such a way as to confuse WordPress administrators who are familiar with XML-RPC. This malware usually infects all sites that share the same FTP account, which means cleaning just one website won't help...
---------------------------------------------
https://blog.sucuri.net/2016/11/xm1rpc-spam-backdoor.html
*** Phoenix Contact ILC PLC Authentication Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for authentication vulnerabilities in Phoenix Contact's ILC PLCs.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-313-01
*** Siemens Industrial Products Local Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability that affects several Siemens industrial products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02
*** OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an incomplete model of endpoint features vulnerability in OSIsoft's PI System software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03
*** TrickBot Banking Trojan Adds New Browser Manipulation Tools ***
---------------------------------------------
The banking Trojan TrickBot is evolving fast, according to researchers, and within weeks will expand its victim list and attack scope.
---------------------------------------------
http://threatpost.com/trickbot-banking-trojan-adds-new-browser-manipulation…
*** DSA-3709 libxslt - security update ***
---------------------------------------------
Nick Wellnhofer discovered that the xsltFormatNumberConversion function in libxslt, an XSLT processing runtime library, does not properly check for a zero byte terminating the pattern string. This flaw can be exploited to leak a couple of bytes after the buffer that holds the pattern string.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3709
*** Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161109-…
*** Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched ***
---------------------------------------------
The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/QdtwFJ1RHyQ/
*** Vuln: SAP NetWeaver Java AS Webdynpro Component Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94174
*** New BEC scams seek to build trust first, request wire transfer later ***
---------------------------------------------
Business email compromise scammers have gradually changed their tactics to improve their scam success rate.
---------------------------------------------
https://www.symantec.com/connect/blogs/new-bec-scams-seek-build-trust-first…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities affect IBM Aspera Shares 1.9.4 or earlier and IBM Aspera Console 3.0.6 or earlier ***
https://support.asperasoft.com/hc/en-us/articles/229505687-Security-Bulleti… -IBM-Aspera-Console-3-0-6-or-earlier
---------------------------------------------
*** IBM Security Bulletin: The BigFix Platform has a vulnerability involving missing the HTTP Strict-Transport-Security Header (CVE-2016-0297) ***
http://www.ibm.com/support/docview.wss?uid=swg21993214
---------------------------------------------
*** IBM Security Bulletin: BigFix Platform has a vulnerability where information is exposed through Log Files (CVE-2016-0296) ***
http://www.ibm.com/support/docview.wss?uid=swg21993213
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source CURL Vulnerabilities (CVE-2016-7167) ***
http://www.ibm.com/support/docview.wss?uid=swg21993246
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Mobile Server Security Refresh for Apache Struts (CVE-2016-0785, CVE-2016-0785, CVE-2016-3093, CVE-2016-4003) ***
http://www.ibm.com/support/docview.wss?uid=swg21984206
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Refresh for Apache Struts CVE-IDs: CVE-2016-0785 CVE-2016-2162 ***
http://www.ibm.com/support/docview.wss?uid=swg21985424
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-11-2016 18:00 − Tuesday 08-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Android: November security update leaves critical hole open ***
---------------------------------------------
Linux kernel bug on Nexus and Pixel devices not yet closed - update closes dozens of security holes
---------------------------------------------
http://derstandard.at/2000047142975
*** Android Security Bulletin November 2016 ***
---------------------------------------------
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update.
---------------------------------------------
https://source.android.com/security/bulletin/2016-11-01.html
*** DDoS attack halts heating in Finland amidst winter ***
---------------------------------------------
The systems that were attacked tried to respond to the attack by rebooting the main control circuit. This was repeated over and over so that heating was never working.
---------------------------------------------
http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-wi…
*** Security Updates for Adobe Connect (APSB16-35) and Adobe Flash Player (APSB16-37) Available ***
---------------------------------------------
Adobe has published security bulletins for Adobe Connect (APSB16-35) and Adobe Flash Player (APSB16-37). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1420
*** MSRT November 2016: Unwanted software has nowhere to hide in this month's release ***
---------------------------------------------
We came across a browser modifier that sports rootkit capabilities. Not only does the threat, detected as BrowserModifier:Win32/Soctuseer, cross the line that separates legitimate software from unwanted, it also takes staying under the radar to the next level. Rootkit capabilities, which make it difficult to detect and remove applications, are usually associated with malware.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/11/08/msrt-november-2016-unwa…
*** Vuln: phpMyAdmin CVE-2016-6610 Full Path Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94118
*** BlackBerry powered by Android Security Bulletin November 2016 ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038666
*** Vuln: Multiple D-Link DIR Routers CVE-2016-6563 Remote Stack Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94130
*** Piwik 2.16.0 PHP Object Injection ***
---------------------------------------------
Affected Versions: Version 2.16.0 and prior versions.
Vulnerability Description: The vulnerability can be triggered through the saveLayout() method defined in /plugins/Dashboard/Controller.php:
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110055
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: Configuration utility CSRF vulnerability ***
https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21485342.html?…
---------------------------------------------
*** Security Advisory: Linux kernel vulnerability CVE-2016-7117 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/51/sol51201255.html?…
---------------------------------------------
*** Security Advisory: Multiple LibTIFF vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35155453.html?…
---------------------------------------------
*** Security Advisory: LibTIFF vulnerabilities CVE-2016-5320 and CVE-2015-8784 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89096577.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerabilities CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, and CVE-2015-6838 ***
https://support.f5.com:443/kb/en-us/solutions/public/17000/300/sol17377.htm…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for HP NonStop (CVE-2016-2177, CVE-2016-6306, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993601
---------------------------------------------
*** IBM Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager for Space Management (CVE-2016-0371) ***
http://www.ibm.com/support/docview.wss?uid=swg21990042
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect the BigFix Platform ***
http://www.ibm.com/support/docview.wss?uid=swg21993215
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect the BigFix Platform ***
http://www.ibm.com/support/docview.wss?uid=swg21993210
---------------------------------------------
*** IBM Security Bulletin: The BigFix platform has a vulnerability where WebReports executes with unnecessary privileges (CVE-2016-0396) ***
http://www.ibm.com/support/docview.wss?uid=swg21993206
---------------------------------------------
*** IBM Security Bulletin: BigFix Platform has a vulnerability allowing unrestricted file upload (CVE-2016-0214) ***
http://www.ibm.com/support/docview.wss?uid=swg21993203
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-11-2016 18:00 − Monday 07-11-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Sophos Web Appliance 4.2.1.3 Remote Code Execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110036
*** Two Critical MySQL Bugs Discovered ***
---------------------------------------------
An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of ..
---------------------------------------------
https://developers.slashdot.org/story/16/11/05/056227/two-critical-mysql-bu…
*** Tech support scammers use denial of service bug to hang victims ***
---------------------------------------------
Process pig keeps eyes glued on fraudsters' phone number. Tech support fraudsters have taught an old denial of service bug new tricks to add a convincing layer of authenticity to scams.
---------------------------------------------
www.theregister.co.uk/2016/11/07/tech_support_scammers_use_denial_of_servic…
*** Vuln: cURL/libcURL CVE-2016-8625 Remote Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94107
*** Disassembling a Mobile Trojan Attack ***
---------------------------------------------
In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Svpeng and automatically saved it to ..
---------------------------------------------
http://securelist.com/blog/research/76286/disassembling-a-mobile-trojan-att…
*** Background: Threat Intelligence: do-it-yourself IT security? ***
---------------------------------------------
Many IT security companies are currently extending their portfolio with so-called threat intelligence. It is no cure-all, however, and must be deployed in a targeted way to deliver real added value. Dr. Timo Steffens from the ..
---------------------------------------------
https://heise.de/-3453595
*** SSA-701708 (Last Update 2016-11-07): Local Privilege Escalation in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708…
*** SSA-378531 (Last Update 2016-11-07): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531…
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Lifecycle Integration Adapter for HP ALM (CVE-2016-5597) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21993700
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2016-3598) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21992715
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability (CVE-2016-5388) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21992977
*** Login Form Hijacking Vulnerability in Citrix NetScaler Gateway ***
---------------------------------------------
https://support.citrix.com/article/CTX213313
*** Citrix XenServer Security Update for CVE-2016-0800 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious attacker with access to the XenServer ..
---------------------------------------------
https://support.citrix.com/article/CTX208403
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform ... ***
---------------------------------------------
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler ..
---------------------------------------------
https://support.citrix.com/article/CTX216642
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-11-2016 18:00 − Friday 04-11-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Extracting Malware Transmitted Via Telnet, (Thu, Nov 3rd) ***
---------------------------------------------
One characteristic of many of the telnet exploits we have seen over the last few years has been the transmission of malware using echo commands. Even the recent versions of Mirai used this trick. Reconstructing the malware from packet captures can be a little bit tricky, in particular if you are trying to automate the process. So here is what I have been doing for my honeypot DVR: First of all, the DVR is connected to a remote controlled power outlet, to make it easy to reboot it as needed. I do...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21673&rss
*** Moving Beyond EMET ***
---------------------------------------------
EMET - Then and Now: Microsoft's Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply...
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
*** Mobile subscriber identity numbers can be exposed over Wi-Fi ***
---------------------------------------------
For a long time, law enforcement agencies and hackers have been able to track the identity and location of mobile users by setting up fake cellular network towers and tricking their devices to connect to them. Researchers have now found that the same thing can be done much more cheaply with a simple Wi-Fi hotspot. The devices that pose as cell towers are known in the industry as IMSI catchers, with the IMSI (international mobile subscriber identity) being a unique number tied to a mobile...
---------------------------------------------
http://www.cio.com/article/3138469/security/mobile-subscriber-identity-numb…
*** Outlook Web Access Two-Factor Authentication Bypass Exists ***
---------------------------------------------
Two-factor authentication protecting Outlook Web Access and Office 365 portals can be bypassed, and the situation likely cannot be fixed, a researcher has disclosed.
---------------------------------------------
http://threatpost.com/outlook-web-access-two-factor-authentication-bypass-e…
*** DNS Analysis and Tools ***
---------------------------------------------
In this article, we will take a look at the complete DNS process, DNS lookup, DNS reverse lookup, DNS zone transfer, etc. along with some tools to analyze & enumerate DNS traffic. Domain Name System (DNS) is a naming system used to convert human readable domain names like infosecinstitute.com into a numerical IP address. The...
---------------------------------------------
http://resources.infosecinstitute.com/dns-analysis-and-tools/
*** Security Advisory: Configuration utility CSRF vulnerability ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61045143.html?…
*** cURL/libcurl Multiple Bugs Let Remote Users Inject Cookies, Reuse Connections, and Execute Arbitrary Code and Let Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1037192
*** Security Notice - Statement on Black Hat Europe 2016 Revealing Security Vulnerability in Huawei Mate Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20161104-01-…
*** Moxa OnCell Security Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for the authorization bypass and OS commanding vulnerabilities disclosed in Moxa's OnCell Security Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-01
*** Schneider Electric Magelis HMI Resource Consumption Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for resource consumption vulnerabilities affecting Schneider Electric's Magelis human-machine interface products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02
*** Schneider Electric IONXXXX Series Power Meter Vulnerabilities ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-16-256-02 Schneider Electric ION Power Meter CSRF Vulnerability that was published September 12, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site request forgery vulnerability and a missing access control vulnerability in Schneider Electric's IONXXXX series power meters.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-03
*** IBM Security Bulletin ***
---------------------------------------------
*** IBM Security Bulletin: IBM i is affected by several vulnerabilities (CVE-2016-2183 and CVE-2016-6329) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect GPFS for Windows V3.5 ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024394
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2926) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993444
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Apache HttpComponents affect IBM InfoSphere Information Server (CVE-2012-6153 CVE-2014-3577) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21982420
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 02-11-2016 18:00 − Thursday 03-11-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Unpatched Vulnerability on Wix.com Puts Millions of Sites at Risk ***
---------------------------------------------
Wix websites are vulnerable to a reflected DOM-based cross-site scripting attack that could give attackers control of users' websites.
---------------------------------------------
http://threatpost.com/unpatched-vulnerability-on-wix-com-puts-millions-of-s…
*** Malware: AdWords ad links to fake Google Chrome ***
---------------------------------------------
A malware campaign aimed at Apple users offers fake versions of Google's Chrome browser. To trick their victims, the fraudsters used, of all things, Google's AdWords ads.
---------------------------------------------
http://www.golem.de/news/malware-adwords-anzeige-verlinkt-auf-falschen-goog…
*** Recognizing Packed Malware and its Unpacking Approaches-Part 2 ***
---------------------------------------------
In Part 1 of this article series, we had a look at the ways to recognize packed executables and various ways to automate the unpacking process. In this article, we will look at the manual process of unpacking a packed malware specimen. In the last article, we have seen how the malware specimen was packed...
---------------------------------------------
http://resources.infosecinstitute.com/recognizing-packed-malware-and-its-un…
*** Already 30,000 attacks: experts warn of Joomla vulnerability ***
---------------------------------------------
Cybercriminals are gaining elevated privileges - website operators should update to the latest version immediately
---------------------------------------------
http://derstandard.at/2000046902782
*** Barracuda: Outage caused by large number of inbound connections ***
---------------------------------------------
Yet firm refuses to say the word DDoS. What are they hiding? Outage-hit security firm Barracuda appears to have been struck down by a DDoS - though the firm says it's still investigating and refuses to confirm or deny it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/03/barracuda_o…
*** These 12+ Internet Crime Stories Will Make You Care about Cybersecurity [Updated] ***
---------------------------------------------
Online security seems such an abstract and distant field, where other people get hurt, but you somehow stay safe, either by luck or internet savvy. But the truth is, it could happen to anyone, and it might even have happened to you in the past. They say that nothing beats learning from experience, but sometimes it's best...
---------------------------------------------
https://heimdalsecurity.com/blog/12-true-stories-that-will-make-you-care-ab…
*** Browser extensions: suddenly naked on the net ***
---------------------------------------------
All search terms, all websites - a full month of browser history is up for sale. Our author experienced what it is like when your own data becomes a commodity.
---------------------------------------------
http://www.golem.de/news/browsererweiterungen-ploetzlich-nackt-im-netz-1611…
*** Ubuntu Core Snaps door shut on Linux's new Dirty COWs ***
---------------------------------------------
When did Linux start becoming like Windows? Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/03/ubuntu_core…
*** HPSBUX03664 SSRT110248 rev.1 HP-UX BIND Service running named, Remote Denial of Service (DoS) ***
---------------------------------------------
Potential security vulnerabilities have been identified in the HP-UX BIND service running named. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05321107
*** Security Advisory: BIG-IP virtual server TCP sequence numbers vulnerability ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/68/sol68401558.html?…
*** Security Advisory: OpenSSL vulnerability CVE-2016-6304 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/54/sol54211024.html?…
*** Security Advisory: BIND vulnerability CVE-2016-8864 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35322517.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993440
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time ***
https://www-01.ibm.com/support/docview.wss?uid=swg21993501
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source OpenSSL Vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=swg21992348
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-3426) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992149
---------------------------------------------
*** IBM Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager Client (CVE-2016-0371) ***
http://www.ibm.com/support/docview.wss?uid=swg21985114
---------------------------------------------
*** IBM Security Bulletin: A Vulnerability in OpenSource Apache Taglibs Vulnerability affect Content Integrator (CVE-2015-0254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993243
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 31-10-2016 18:00 − Wednesday 02-11-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** New, more-powerful IoT botnet infects 3,500 devices in 5 days ***
---------------------------------------------
Discovery of Linux/IRCTelnet suggests troubling new DDoS menace could get worse.
---------------------------------------------
http://arstechnica.com/security/2016/11/new-iot-botnet-that-borrows-from-no…
*** Docker user? Haven't patched Dirty COW yet? Got bad news for you ***
---------------------------------------------
Repeat after me, containerization isn't protection, it's a management feature. Here's another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/01/docker_user…
*** Security patch for zero-day vulnerability in Windows in sight ***
---------------------------------------------
Exploiting the flaw is said to work only in combination with an already-patched Flash vulnerability. Microsoft criticises Google for disclosing the flaw early.
---------------------------------------------
https://heise.de/-3454255
*** Millions of browsing profiles: data allegedly also comes from browser add-on WOT ***
---------------------------------------------
The detailed data on the browsing behaviour of millions of Germans to which NDR reporters have access apparently also comes from the popular browser extension WOT. The data collected with it can reportedly be attributed easily to specific individuals.
---------------------------------------------
https://heise.de/-3453820
*** Performance framework: critical security vulnerabilities in Memcached closed ***
---------------------------------------------
A security vulnerability in a popular performance framework also affected services such as Facebook, YouTube and Reddit. Attackers could have executed code on the target system. A patch and a workaround are available.
---------------------------------------------
http://www.golem.de/news/performance-framework-kritische-sicherheitsluecken…
*** Data breach: when the iPhone knows the private number of the President of the National Council ***
---------------------------------------------
Apparently due to an error at AppleCare, the address book entries of several iPhone users were transferred to other users, report "Stern" and the Austrian magazine "News".
---------------------------------------------
https://heise.de/-3454575
*** Belkin's WeMo Gear Can Hack Android Phones ***
---------------------------------------------
Vulnerabilities in WeMo home automation devices can be used to attack the Android apps used to manage devices remotely.
---------------------------------------------
http://threatpost.com/belkins-wemo-gear-can-hack-android-phones/121730/
*** Security Advisory: OpenSSL vulnerability CVE-2016-2179 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23512141.html?…
*** Security Advisory 2016-02: Security Update for OTRS ***
---------------------------------------------
November 01, 2016 - Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org PGP Key pub 2048R/9C227C6B 2011-03-21 [expires at: 2017-08-20] uid OTRS Security Team GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22
---------------------------------------------
https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
*** Palo Alto PAN-OS Insecure API Token Generation Lets Remote Users Access the Target Firewall API Interface ***
---------------------------------------------
http://www.securitytracker.com/id/1037153
*** Palo Alto PAN-OS Input Validation Flaw in Captive Portal Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1037152
*** DFN-CERT-2016-1794: Django: Two vulnerabilities allow, among other things, gaining user privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1794/
*** USN-3118-1: Mailman vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-3118-1, 1st November, 2016: mailman vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Several security issues were fixed in Mailman. Software description: mailman - Powerful, web-based mailing list manager. Details: It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery (CSRF) attacks. If an authenticated user were
---------------------------------------------
http://www.ubuntu.com/usn/usn-3118-1/
*** CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure ***
---------------------------------------------
A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c
---------------------------------------------
https://kb.isc.org/article/AA-01434/0/CVE-2016-8864%3A-A-problem-handling-r…
*** Symantec IT Management Suite Multiple Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Norton Mobile Security for Android Multiple Security Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Identity Manager ( CVE-2016-1181 CVE-2016-1182 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992931
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2016-6072) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991893
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Data Redaction is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU Jul 2016 Includes Oracle Jul 2016 CPU (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992001
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2016-3485, CVE-2016-3511, CVE-2016-3598) ***
http://www.ibm.com/support/docview.wss?uid=swg21993191
---------------------------------------------
*** IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Mobile appliances (CVE-2016-3028) ***
http://www.ibm.com/support/docview.wss?uid=swg21991110
---------------------------------------------
*** IBM Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Mobile has been identified (CVE-2016-3025) ***
http://www.ibm.com/support/docview.wss?uid=swg21991107
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence Endpoints Local Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Home Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 28-10-2016 18:00 − Monday 31-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Of course smart homes are targets for hackers ***
---------------------------------------------
The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default) and devices that want you to disable security, follow general network security best practices but otherwise don't worry - criminals aren't likely to target you. This is terrible, irresponsible advice. It's
---------------------------------------------
http://mjg59.dreamwidth.org/45483.html
*** Ensuring that ICS/SCADA isn't our next IoT nightmare ***
---------------------------------------------
The DDoS chaos of the past month tells us that we need to work together to ensure future standards and reduce security risks
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/28/ensuring-that-icsscada-isnt-our…
*** Volatility Bot: Automated Memory Analysis, (Sun, Oct 30th) ***
---------------------------------------------
A few weeks ago I attended the SANS DFIR Summit in Prague, and one of the very interesting talks was from Martin Korman (@MartinKorman), who presented a new tool he developed: Volatility Bot. According to his description, Volatility Bot is an automation tool for researchers that cuts all the guesswork and manual tasks out of the binary extraction phase, or helps the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21655&rss
*** Masque Attack Abuses iOS's Code Signing to Spoof Apps and Bypass Privacy Protection ***
---------------------------------------------
First reported in 2014, Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers seemed to have opened a window. Haima's repackaged, adware-laden apps and its native helper application prove that App Store scammers are still at it.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ffHuC_yu178/
*** DDoS attack against servers takes TU Wien computer science students offline ***
---------------------------------------------
A DDoS attack against servers of the computer science student association (Fachschaft Informatik) of TU Wien has led to website outages.
---------------------------------------------
https://futurezone.at/digital-life/ddos-attacke-gegen-server-legt-wiener-tu…
*** Joomla websites attacked en masse using recently patched exploits ***
---------------------------------------------
Attackers are aggressively attacking Joomla-based websites by exploiting two critical vulnerabilities patched last week. The flaws allow the creation of accounts with elevated privileges on websites built with the popular Joomla content management system, even if account registration is disabled. They were patched in Joomla 3.6.4, released Tuesday. Hackers didn't waste any time reverse engineering the patches to understand how the two vulnerabilities can be exploited to compromise websites,...
---------------------------------------------
http://www.csoonline.com/article/3136933/security/joomla-websites-attacked-…
*** CardComplete phishing mail: 3-D Secure update ***
---------------------------------------------
A purported CardComplete notification claims that credit card holders must update their 3-D Secure procedure. To do so, they are to visit a website and disclose their personal credit card details. In reality, the e-mail comes from criminals who use it to steal sensitive data.
---------------------------------------------
https://www.watchlist-internet.at/phishing/cardcomplete-phishingmail-3-d-se…
*** "AtomBombing": researchers warn of "unpatchable" Windows vulnerability ***
---------------------------------------------
Allegedly all Windows systems are affected - the actual risk, however, is unclear
---------------------------------------------
http://derstandard.at/2000046630311
*** Cybercrime Report 2015: eleven percent more complaints filed in Austria ***
---------------------------------------------
More cases of internet fraud, extortion and data misuse
---------------------------------------------
http://derstandard.at/2000046762022
*** The Week in Ransomware - October 28 2016 - Locky, Angry Duck, and More! ***
---------------------------------------------
Lots and lots of little ransomware and in-dev variants released this week. Of particular note is the quick release of two Locky variants that used .sh*t and then a day later the .thor extension for encrypted files.
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-octobe…
*** Security Advisory: OpenSSL vulnerability CVE-2016-2181 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59298921.html?…
*** Vuln: Moodle CVE-2016-7919 Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93971
*** GNU tar 1.29 Extract Pathname Bypass ***
---------------------------------------------
Topic: GNU tar 1.29 Extract Pathname Bypass Risk: Low Text: - t216 special vulnerability release -- Vulnerability: POINTYFEATHER aka Tar extract pathname bypass ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100254
*** About the security content of iOS 10.1.1 ***
---------------------------------------------
This document describes the security content of iOS 10.1.1.
---------------------------------------------
https://support.apple.com/en-us/HT207287
*** Vulnerabilities in InfraPower PPS-02-S Q213V1 ***
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
---------------------------------------------
Next End-of-Shift report: 2016-11-02
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 27-10-2016 18:00 − Friday 28-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: HP Business Service Management CVE-2016-4392 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93933
*** MS16-128 - Critical: Security Update for Adobe Flash Player (3201860) - Version: 1.0 ***
https://technet.microsoft.com/en-us/library/security/MS16-128
*** Vuln: Python urllib3 CVE-2016-9015 TLS Certificate Validation Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93941
*** Vuln: Apache Tomcat Security Manager CVE-2016-6796 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93944
*** iTunes 12.5.2 for Windows ***
---------------------------------------------
https://support.apple.com/kb/HT207274
*** iPrint Appliance 2.1 Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=AmZsfGf_NQ4~
*** Malvertising ***
---------------------------------------------
Our colleagues at the Dutch NCSC have just published their "Cyber Security Assessment Netherlands 2016" in English as well. A lot of work went into it ..
---------------------------------------------
http://www.cert.at/services/blog/20161028083404-1815.html
*** Researchers tag new brace of bugs in NTP, but they're fixable ***
---------------------------------------------
However, because these are protocol vulnerabilities, the researchers fixing NTP is more important. They propose replacing the current model with one that uses more ..
---------------------------------------------
http://www.theregister.co.uk/2016/10/28/researchers_tag_new_brace_of_bugs_i…
*** Honeywell Experion PKS Improper Input Validation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a denial-of-service condition caused by an improper input validation vulnerability in Honeywell’s Experion Process Knowledge System platform.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-301-01
*** Bugtraq: [security bulletin] HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539646
*** Bugtraq: [security bulletin] HPSBHF3549 ThinkPwn UEFI BIOS SmmRuntime Escalation of Privilege ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539645
*** The bot in the baby monitor ***
---------------------------------------------
IoT devices integrated into a home network often establish a connection to the internet on their own by configuring the user's router via UPnP (Universal Plug and Play) so that a port forwarding ..
---------------------------------------------
https://www.bsi-fuer-buerger.de/BSIFB/DE/Service/Aktuell/Informationen/Arti…
*** Researchers expose Mirai vuln that could be used to hack back against botnet ***
---------------------------------------------
Exploit can halt attacks from IoT devices Security researchers have discovered flaws in the Mirai ..
---------------------------------------------
www.theregister.co.uk/2016/10/28/mirai_botnet_hack_back/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 25-10-2016 18:00 − Thursday 27-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Asterisk users need to patch DoS bug ***
---------------------------------------------
Overlap dialling lets attacker shut down system. Asterisk users need to get busy with a patch.
---------------------------------------------
www.theregister.co.uk/2016/10/25/asterisk_patch_dos_bug/
*** Denial of Service Vulnerability in Citrix License Server ***
---------------------------------------------
A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote ..
---------------------------------------------
https://support.citrix.com/article/CTX217430
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
https://support.citrix.com/article/CTX216642
*** Memory Permission Weakness in Citrix XenApp and XenDesktop ***
---------------------------------------------
https://support.citrix.com/article/CTX215460
*** Security Advisory - PXN Defense Mechanism Failure Vulnerability in Huawei Mobile Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-…
*** VMSA-2016-0017 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0017.html
*** Security Advisory - Two Information Leak Vulnerabilities in ION Memory Management Module of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-…
*** Cisco Identity Services Engine SQL Injection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Siemens SICAM RTU Devices Denial-of-Service Vulnerability ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-299-01
*** Federal Criminal Police Office (Bundeskriminalamt) gives tips on protecting mobile devices ***
---------------------------------------------
http://derstandard.at/2000046518819
*** Security updates available for Adobe Flash Player (APSB16-36) ***
---------------------------------------------
A Security Bulletin (APSB16-36) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1416
*** Vulnerability in Linux Kernel Affecting Cisco Products: October 2016 ***
---------------------------------------------
On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries ***
---------------------------------------------
http://jvn.jp/en/jp/JVN76780067/
*** Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability ***
---------------------------------------------
Multiple vulnerabilities in the web framework code of the Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to conduct a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP Interoperability and Collaboration System Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco IP Interoperability and Collaboration System (IPICS) could allow an unauthenticated, ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability ***
---------------------------------------------
A vulnerability in Advanced Malware Protection (AMP) for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance FTP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in local FTP to the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition when the FTP application unexpectedly quits. The ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Drop Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the configured security policies, including drop email filtering, in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass a configured drop filter by ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Corrupted Attachment Fields Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Advanced Malware Protection Attachment Scanning Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email attachment scanning functionality of the Advanced Malware Protection ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Remote Code Execution Vulnerabilities Plague LibTIFF Library ***
---------------------------------------------
Three vulnerabilities, all which can lead to remote code execution, exist in the LibTIFF library.
---------------------------------------------
http://threatpost.com/remote-code-execution-vulnerabilities-plague-libtiff-…
*** Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054 ***
---------------------------------------------
This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be ..
---------------------------------------------
https://www.drupal.org/node/2822366
*** Office 2013 can now block macros to help prevent infection ***
---------------------------------------------
In response to the growing trend of macro-based threats, a feature introduced in Office 2016, and now available for Office 2013 as well, allows an enterprise administrator to block users from running macros ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-blo…
*** Joomla! squashes critical privileged account creation holes ***
---------------------------------------------
Borked two-factor authentication also fixed. Joomla! has revealed it has patched twin critical flaws allowing attackers to bypass rules and create elevated-privilege accounts.
---------------------------------------------
www.theregister.co.uk/2016/10/27/joomla_squashes_critical_privileged_accoun…
*** Three LibTIFF bugs found, only two patched ***
---------------------------------------------
Buffer overruns, remote code execution, you know the drill. LibTIFF has three bugs that let booby-trapped files pwn a target, and only two of them have been patched.
---------------------------------------------
www.theregister.co.uk/2016/10/27/three_libtiff_bugs_found_only_two_patched/
*** Inside the Gootkit C&C server ***
---------------------------------------------
In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment ..
---------------------------------------------
http://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/
*** Citrix XenServer Security Update for CVE-2016-7777 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that may allow malicious user code within an HVM guest VM to read or modify the contents of ..
---------------------------------------------
https://support.citrix.com/article/CTX217363
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability (CVE-2016-3092) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21993043
*** Are the Days of “Booter” Services Numbered? ***
---------------------------------------------
It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as "booter" or "stresser" services, new research released today suggests.
---------------------------------------------
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbere…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-10-2016 18:00 − Dienstag 25-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** iOS 10.1 ***
---------------------------------------------
https://support.apple.com/kb/HT207271
*** IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers ***
---------------------------------------------
A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week's massive attack that disrupted Twitter and ..
---------------------------------------------
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-le…
*** Locky Ransomware's new .SHIT Extension shows that you can't Polish a Turd ***
---------------------------------------------
To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous ..
---------------------------------------------
http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-ex…
*** DSA-3698 php5 - security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3698
*** Critical Patch Update - October 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
*** Cryptologist Hellman: NSA now advocates encryption ***
---------------------------------------------
Reliably encrypting data is important for the security of states as well; moreover, assembling secure components is still a long way from producing a secure system.
---------------------------------------------
http://derstandard.at/2000046466661
*** WoSign and StartCom: Mozilla publishes details of the TLS expulsion ***
---------------------------------------------
Mozilla's Firefox browser will no longer accept TLS certificates from the two scandal-ridden certificate authorities. The foundation has now explained exactly how this will be implemented.
---------------------------------------------
http://www.golem.de/news/wosign-und-startcom-mozilla-veroeffentlicht-detail…
*** Certificate Transparency: fraud with TLS certificates becomes almost impossible ***
---------------------------------------------
From next autumn, all TLS certificate authorities must record their certificates in a public log before issuing them. With Certificate Transparency, misbehaviour in certificate issuance can be detected more easily, and the TLS certificate system as a whole becomes more trustworthy.
---------------------------------------------
http://www.golem.de/news/certificate-transparency-betrug-mit-tsl-zertifikat…
*** [20161002] - Core - Elevated Privileges ***
---------------------------------------------
Incorrect use of unfiltered data allows users to register on a site with elevated privileges. Affected installs: Joomla! CMS versions 3.4.4 through 3.6.3. Solution: upgrade to ..
---------------------------------------------
https://developer.joomla.org/security-centre/660-20161002-core-elevated-pri…
*** [20161001] - Core - Account Creation ***
---------------------------------------------
Inadequate checks allow users to register on a site when registration has been disabled. Affected installs: Joomla! CMS versions 3.4.4 ..
---------------------------------------------
https://developer.joomla.org/security-centre/659-20161001-core-account-crea…
*** BSI: Germany should protect networked devices better ***
---------------------------------------------
After an attack on the internet infrastructure, the Federal Office for Information Security (BSI) has demanded higher security standards.
---------------------------------------------
https://futurezone.at/netzpolitik/bsi-deutschland-soll-vernetzte-geraete-be…
*** Vulnerabilities in Slack could have led to account hijacking ***
---------------------------------------------
Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames.
---------------------------------------------
http://www.scmagazine.com/vulnerabilities-in-slack-could-have-led-to-accoun…
*** task_t considered harmful ***
---------------------------------------------
Posted by Ian Beer, Project Zero. This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/10/posted-by-ian-beer-project-ze…
Because of the public holiday tomorrow, Wednesday 26.10.2016, the next End-of-Shift Report will appear on 27.10.2016.
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-10-2016 18:00 − Montag 24-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** In a BIND: Third parties distributed outdated, vulnerable ISC Domain Name System software ***
---------------------------------------------
The Internet Systems Consortium issued an advisory on Wednesday, warning that some third parties are distributing versions of ISC's BIND software that contain a high-severity vulnerability, which if exploited can trigger an assertion failure.
---------------------------------------------
http://www.scmagazine.com/in-a-bind-third-parties-distributed-outdated-vuln…
*** Credentials Stealer on Prestashop ***
---------------------------------------------
In a matter of hours, a big e-commerce website can have hundreds of credit card numbers stolen and used by attackers on other websites around the world. We commonly see ecommerce websites infected with credit card (CC) ..
---------------------------------------------
https://blog.sucuri.net/2016/10/credentials-stealer-prestashop.html
*** Hacked Cameras, DVRs Powered Today’s Massive Internet Outage ***
---------------------------------------------
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked "Internet of Things" (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
---------------------------------------------
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-mass…
*** Beware of Hicurdismos: It’s a fake Microsoft Security Essentials installer that can lead to a support call scam ***
---------------------------------------------
Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed? We recently discovered a threat ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/21/beware-of-hicurdismos-i…
*** DSA-3697 kdepimlibs - security update ***
---------------------------------------------
Roland Tapken discovered that insufficient input sanitising in KMail's plain text viewer allowed the injection of HTML code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3697
*** Policy Analyzer v3.1 PRE-RELEASE ***
---------------------------------------------
Lots of updates to Policy Analyzer in this unsigned, pre-release preview build — please post comments here to let me know how well it addresses your needs and what ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/10/22/policy-analyzer-v3-…
*** Safer porn: HTTPS is meant to protect users ***
---------------------------------------------
The security protocol protects privacy and is also meant to prevent potential leaks
---------------------------------------------
http://derstandard.at/2000046090383
*** "Dirty Cow": warning of a "nasty" Linux hole ***
---------------------------------------------
A bug in the Linux kernel lets users overwrite files to which they only have read access
---------------------------------------------
http://derstandard.at/2000046330107
*** FBI: Russian allegedly hacked LinkedIn and Dropbox ***
---------------------------------------------
The Russian citizen was arrested in the Czech Republic
---------------------------------------------
http://derstandard.at/2000046330952
*** Request for Packets TCP 4786 - CVE-2016-6385, (Sat, Oct 22nd) ***
---------------------------------------------
We have received information about potential active reconnaissance for TCP 4786 which might be related to CVE-2016-6385 (Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability), an advisory released 28 Sep 2016. This ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21625
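The diary above asks for packet captures of traffic to TCP 4786; the first thing most teams will actually do is search their own perimeter logs for it. The following is an added example, not part of the ISC diary or of any Cisco tool: a small Python triage script that scans a constructed batch of firewall log lines (the key=value format and the 10.0.0.0/8 internal range are assumptions for the example) for external TCP connections to 4786, counts them per source, and lists which internal devices an allowed probe actually reached. Denied entries are reported too, since they still show the port is being enumerated.

```python
import ipaddress
from collections import Counter

SMART_INSTALL_PORT = 4786  # TCP port Cisco Smart Install listens on (the port named in the diary)

# Internal address space of the monitored network. Assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines in a simplified key=value firewall format. The format is
# invented for this example, not any vendor's real syntax.
SAMPLE_LOGS = """\
2016-10-22T03:14:07Z action=allow proto=tcp src=198.51.100.23 spt=51234 dst=10.0.5.10 dpt=4786
2016-10-22T03:14:09Z action=allow proto=tcp src=198.51.100.23 spt=51235 dst=10.0.5.11 dpt=4786
2016-10-22T03:14:11Z action=deny proto=tcp src=203.0.113.77 spt=40001 dst=10.0.5.12 dpt=4786
2016-10-22T03:15:00Z action=allow proto=tcp src=10.0.9.5 spt=33000 dst=10.0.5.10 dpt=4786
2016-10-22T03:15:30Z action=allow proto=tcp src=198.51.100.23 spt=51236 dst=10.0.5.10 dpt=22
2016-10-22T03:16:00Z action=allow proto=udp src=198.51.100.90 spt=5000 dst=10.0.5.10 dpt=4786
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smart_install_probes(log_text):
    """Return (events, per-source counts) for TCP traffic to 4786 from outside the network.

    Denied connections are kept on purpose: a deny still shows someone is enumerating the
    port, while an allow means the probe reached a device that needs checking.
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") != "tcp" or int(f.get("dpt", 0)) != SMART_INSTALL_PORT:
            continue
        if is_internal(f["src"]):
            continue  # a management host inside the network is expected traffic
        events.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "action": f["action"]})
    return events, Counter(e["src"] for e in events)


def reached_devices(events):
    """Internal hosts that an external probe actually connected to (action=allow)."""
    return sorted({e["dst"] for e in events if e["action"] == "allow"})


if __name__ == "__main__":
    evts, per_src = find_smart_install_probes(SAMPLE_LOGS)
    for src, n in per_src.most_common():
        print(f"{src}: {n} connection(s) to tcp/{SMART_INSTALL_PORT}")
    print("devices reached from outside:", reached_devices(evts))
```

Any device that shows up in the "reached" list should be checked against the Cisco advisory; Smart Install is not meant to be reachable from untrusted networks, and on IOS devices that do not use it the client can be turned off with `no vstack`, which is independent of the patch status.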
*** Mirai botnet: Dyn confirms attack from tens of millions of IP addresses ***
---------------------------------------------
The internet service provider Dyn has given first details of last Friday's severe DDoS attack. According to Dyn, there were three attack waves of differing size.
---------------------------------------------
http://www.golem.de/news/mirai-botnetz-dyndns-bestaetigt-angriff-von-zig-mi…
*** High phishing rate: how easily US politicians could be hacked ***
---------------------------------------------
The WikiLeaks publications are causing trouble for US politics. The hacks make clear what dangers arise from the use of popular email services such as Gmail.
---------------------------------------------
http://www.golem.de/news/hohe-phishing-quote-so-einfach-liessen-sich-us-pol…
*** Mozilla plots TLS 1.3 future for Firefox ***
---------------------------------------------
Quicker handshake starts encrypting data sooner. Mozilla has decided it needs to lift its HTTPS game, and will default to TLS 1.3 in next year's Firefox 52. …
---------------------------------------------
www.theregister.co.uk/2016/10/23/mozilla_plots_tls_13_future_for_firefox/
*** DDoS for 7,500 US dollars: hackers sell access to IoT botnet on the darknet ***
---------------------------------------------
Access to the Mirai IoT botnet no longer requires any technical knowledge, only sufficient funds: 7,500 US dollars. A Chinese manufacturer also confirmed that its devices are part of the ..
---------------------------------------------
http://www.golem.de/news/ddos-fuer-7-500-us-dollar-hacker-verkaufen-zugang-…
*** Fake Verbund invoice encrypts files ***
---------------------------------------------
Criminals are sending fake Verbund invoices by email, in which they ask recipients to open a website. It imitates the web presence of the ..
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-verbun…
*** Drammer: Rowhammer reliably gives root access on Android ***
---------------------------------------------
Forced bit flips in memory make it easy to obtain root privileges on systems. Researchers show that this also works reliably on Android phones ..
---------------------------------------------
http://www.golem.de/news/drammer-rowhammer-bringt-zuverlaessig-root-zugriff…
*** Trick Bot – Dyreza’s successor ***
---------------------------------------------
Recently, our analyst Jérôme Segura captured an interesting payload in the wild. It turned out to be a new bot, that, at the moment of the analysis, hadn't been described ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-suc…
*** From There to Here (But Not Back Again) ***
---------------------------------------------
Red Hat Product Security recently celebrated our 15th anniversary this summer and while I cannot claim to have been with Red Hat for that long (although I’m coming up ..
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2712261
*** Analyzing Rig ***
---------------------------------------------
I recently Googled for a sleeping accommodation in "The Ardennes", a region of extensive forests in Southern Belgium. I wasn't surprised that by clicking on the fourth ..
---------------------------------------------
https://www.uperesia.com/analyzing-rig-exploit-kit
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-10-2016 18:00 − Freitag 21-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** iCloud Phishing Campaign Zycode Back From the Dead ***
---------------------------------------------
http://threatpost.com/icloud-phishing-campaign-zycode-back-from-the-dead/12…
*** EMC Avamar Data Store and Virtual Edition Unspecified Flaw Lets Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1037066
*** Hack.lu 2016 Wrap-Up Day #3 ***
---------------------------------------------
The third day is already over! I’m just back at home so it’s time for a last quick wrap-up before recovering before BruCON which is organized next week! Damien ..
---------------------------------------------
https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-3/
*** Oracle Critical Patch Update Advisory - October 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
*** Moxa EDR-810 Industrial Secure Router Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability in Moxa’s EDR-810 Industrial Secure Router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-294-01
*** “Most serious” Linux privilege-escalation bug ever is under active exploit (updated) ***
---------------------------------------------
While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation ..
---------------------------------------------
http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escala…
*** CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 ***
---------------------------------------------
A packet with a malformed options section can be used to deliberately trigger an assertion ..
---------------------------------------------
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
*** Nagios XI 5.2.9 Cross Site Scripting / Open Redirect ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100203
*** Doctor Web examines new backdoor for Linux ***
---------------------------------------------
October 20, 2016. Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan ..
---------------------------------------------
http://news.drweb.com/show/?i=10265&lng=en&c=9
*** Vuln: Multiple Synology DiskStation Products CVE-2016-6554 Insecure Default Password Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93805
*** Warning of fake BAWAG PSK phishing email ***
---------------------------------------------
In a fake BAWAG PSK message, criminals claim that "an urgent ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/warnung-vor-gefaelschter-bawag-p…
*** Dridex - an old dog is learning new tricks ***
---------------------------------------------
A lot of things have been said and written about Dridex in the past few months. It has risen and fallen in prevalence and it was rumored that its makers collaborate ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/10/29261-dridex-an-old-dog-is-learning-…
*** New ESET research paper puts Sednit under the microscope ***
---------------------------------------------
Security researchers at ESET have released their latest research into the notorious Sednit ..
---------------------------------------------
http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sedni…
*** SSA-296574 (Last Update 2016-10-21): Denial of Service in SICAM RTU Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-296574…
*** Hax0rs sow Discord by using VoIP service to sling malware at gamers ***
---------------------------------------------
Not even playtime's safe these days. Hackers abused a free VoIP service for gamers to distribute remote-access Trojans and other malware.
---------------------------------------------
www.theregister.co.uk/2016/10/21/gaming_voip_service_malware_abuse/
*** DDoS on Dyn Impacts Twitter, Spotify, Reddit ***
---------------------------------------------
Criminals this morning massively attacked Dyn, a company that provides core Internet services ..
---------------------------------------------
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-red…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-10-2016 18:00 − Donnerstag 20-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the local Certificate Authority (CA) feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the detection engine reassembly of HTTP packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Meeting Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in Web Bridge for Cisco Meeting Server could allow an unauthenticated, remote attacker to retrieve memory from a connected server. The vulnerability is due to missing bounds checks in the Web Bridge functionality. An ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Meeting Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Adult FriendFinder Vulnerability Leaves Millions Exposed ***
---------------------------------------------
Security experts are reporting popular adult website Adult FriendFinder has been compromised by hackers who have gained access to the site's backend servers.
---------------------------------------------
http://threatpost.com/adult-friendfinder-vulnerability-leaves-millions-expo…
*** The new .LNK between spam and Locky infection ***
---------------------------------------------
Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spa…
*** Hack.lu 2016 Wrap-Up Day #2 ***
---------------------------------------------
I'm just back from the second day of hack.lu. The day started early with Patrice Auffret about Metabrik! Patrice is a Perl addict and developed lot of CPAN ..
---------------------------------------------
https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-2/
*** Researchers Bypass ASLR Protection On Intel Haswell CPUs ***
---------------------------------------------
An anonymous reader writes: "A team of scientists from two U.S. universities has devised ..
---------------------------------------------
https://news.slashdot.org/story/16/10/19/2358209/researchers-bypass-aslr-pr…
*** OWASP ModSecurity CRS Version 3.0 RC2 Released ***
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Versio…
*** Novell: Storage Manager for eDirectory 5.0.0 ***
---------------------------------------------
https://download.novell.com/Download?buildid=4x6-1FswplA~
*** Security research tool had security problem ***
---------------------------------------------
Plugin for popular disassembler OllyDbg allowed man-in-the-middle diddle. Security ..
---------------------------------------------
www.theregister.co.uk/2016/10/20/ollydgb_vulnerability/
*** Can I spam from here: An Unusually Clever Spambot Tests Blacklists ***
---------------------------------------------
Unit 42 researchers recently observed an unusually clever spambot's attempts to increase delivery efficacy by abusing reputation blacklist service ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/10/unit42-can-i-spam-from-h…
*** Bugtraq: [security bulletin] HPSBGN03663 rev.1 - HPE ArcSight WINC Connector, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539609
*** Skyping and Typing the Latest Threat to Privacy ***
---------------------------------------------
Typing while using Skype or over other Voice over Internet Protocol (VoIP) services presents an opportunity for an attacker to record the conversation, separate ..
---------------------------------------------
https://threatpost.com/skyping-and-typing-the-latest-threat-to-privacy/1213…
*** The Kings In Your Castle Part #1 ***
---------------------------------------------
In March 2016 I presented together with Raphael Vinot at this year's Troopers conference in Heidelberg. The talk treated research of targeted malware, ..
---------------------------------------------
https://cyber.wtf/2016/10/12/the-kings-in-your-castle-all-the-lame-threats-…
*** Palo Alto PAN-OS Input Validation Flaw in Monitor Tab Lets Remote Authenticated Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1037063
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-10-2016 18:00 − Mittwoch 19-10-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Is it worth reporting ransomware? ***
---------------------------------------------
Answer: yes. Police forces badly need more people to tell them about attacks.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/18/is-it-worth-reporting-ransomwar…
*** Security Advisory: PHP vulnerability CVE-2015-8935 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63712424.html?…
*** PHP Buffer Overflow in php_pcre_replace_impl() Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can supply specially crafted data that, when processed by the target application, will trigger a heap overflow in php_pcre_replace_impl() in the PCRE component and execute arbitrary code on the target system.
...
[Editor's note: The vendor indicates that these other memory errors require strings on the order of 2GB to exploit and that memory_limit and max_input_size values on the target system should prevent exploitation.]
---------------------------------------------
http://www.securitytracker.com/id/1037033
*** Security Advisory: TIFF vulnerability CVE-2015-7554 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/38/sol38871451.html?…
*** IDM 4.5 Midrange BiDirectional Driver 4.5 ***
---------------------------------------------
https://download.novell.com/Download?buildid=sQgqe1Stbog~
*** Hack.lu 2016 Wrap-Up Day #1 ***
---------------------------------------------
I'm back to Luxembourg for a new edition of hack.lu. In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project.
---------------------------------------------
https://blog.rootshell.be/2016/10/18/hack-lu-2016-wrap-day-1/
*** Oracle Java SE Multiple Flaws Let Remote Users Access Data, Partially Modify Data, and Gain Elevated Privileges ***
---------------------------------------------
Version(s): 6u121, 7u111, 8u102; Java SE Embedded: 8u101
Description: Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access data on the target system. A remote user can modify data on the target system. A remote user can gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1037040
*** Oracle Database Multiple Flaws Let Remote and Local Users Access and Modify Data and Gain Elevated Privileges and Let Local Users Deny Service ***
---------------------------------------------
Version(s): 11.2.0.4, 12.1.0.2
Description: Multiple vulnerabilities were reported in Oracle Database. A remote and local user can access data on the target system. A remote user can modify data on the target system. A local user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote authenticated user can gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1037035
*** Vuln: Oracle Fusion Middleware CVE-2016-5531 Remote Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93730
*** MySQL Multiple Bugs Let Remote Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Modify Data and Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1037050
*** Solaris Multiple Bugs Let Remote and Local Users Access Data and Deny Service and Let Local Users Modify Data and Deny Service ***
---------------------------------------------
Version(s): 10, 11.3
Description: Multiple vulnerabilities were reported in Solaris. A remote or local user can access data on the target system. A remote or local user can cause denial of service conditions on the target system. A local user can modify data on the target system. A local user can obtain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1037048
*** Installer of Evernote for Windows may insecurely load Dynamic Link Libraries ***
---------------------------------------------
http://jvn.jp/en/jp/JVN03251132/
*** Schneider Electric PowerLogic PM8ECC Hard-coded Password Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded password vulnerability in Schneider Electric's PowerLogic PM8ECC device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-292-01
*** Cisco Talos: Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure ***
---------------------------------------------
Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, while parsing jbig2 segments within a PDF file, can be triggered in Foxit PDF Reader causing an out-of-bounds heap memory to be read into a buffer.
---------------------------------------------
http://blog.talosintel.com/2016/10/foxit-pdf-jbig2.html
*** CAIDA: Spoofer ***
---------------------------------------------
We have developed and support a new client-server system for Windows, MacOS, and UNIX-like systems that periodically tests a network's ability to both send and receive packets with forged source IP addresses (spoofed packets). We are (in the process of) producing reports and visualizations that will inform operators, response teams, and policy analysts.
---------------------------------------------
https://www.caida.org/projects/spoofer/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Orchestrator, HTTP Server and bundling products shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000137
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21992427
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Reflected Cross-Site Scripting (XSS) (CVE-2016-5980) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991992
---------------------------------------------
*** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-3092 ***
http://www.ibm.com/support/docview.wss?uid=swg21992457
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability in IBM Websphere Application Server and IBM Websphere Application Server Liberty affects IBM BigFix Remote Control (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991987
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in PCRE affects IBM Tivoli Network Manager IP Edition (CVE-2016-1283) ***
http://www.ibm.com/support/docview.wss?uid=swg21991978
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 17-10-2016 18:00 − Tuesday 18-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016 ***
---------------------------------------------
Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary edition” ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-f…
*** New-looking Sundown EK drops Smoke Loader, Kronos banker ***
---------------------------------------------
In this post we take a quick glance at some changes made to the Sundown exploit kit. The landing page has been tweaked and uses various obfuscation techniques. Sundown is used in some smaller campaigns and in this particular case ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-e…
*** Magento Credit Card Swiper Exports to Image ***
---------------------------------------------
Over the past year we have seen a rash of credit card swipers in Magento and other ecommerce-based websites. In fact, we have been finding new variants nearly every week. It is no surprise that ecommerce sites are ..
---------------------------------------------
https://blog.sucuri.net/2016/10/magento-credit-card-swiper-exports-image.ht…
*** ZDI-16-570: Novell NetIQ Sentinel Commons DiskFileItem Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ Sentinel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-570/
*** Security Advisory - Hardcoded SSH Key Vulnerability in Some Huawei Storage Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161017-…
*** Audit sees VeraCrypt kills critical password recovery, cipher flaws ***
---------------------------------------------
Patches slung at 11 bad bugs. Security researchers have found eight critical, three medium, and 15 low ..
---------------------------------------------
www.theregister.co.uk/2016/10/18/veracrypt_audit/
*** iOS 10.0.3 ***
---------------------------------------------
https://support.apple.com/en-us/HT207263
*** Hajime: Analysis of a decentralized internet worm for IoT devices [PDF] ***
---------------------------------------------
Though worms which target IoT devices are not new, they are rising in prominence lately due to the generally weak security such devices have. What makes Hajime ..
---------------------------------------------
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
*** Netzob: Reverse Engineering Communication Protocols ***
---------------------------------------------
Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of ..
---------------------------------------------
https://www.netzob.org/
*** Halfway there! Firefox users now visit over 50% of pages via HTTPS ***
---------------------------------------------
Mozilla telemetry shows sites using HTTPS for more secure browsing now outnumber plain old HTTP.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/18/halfway-there-firefox-users-now…
*** Malware sold: 22-year-old must stand trial in Germany ***
---------------------------------------------
A 22-year-old is alleged to have sold Trojans, viruses and other malware in 4,000 cases. Now he must answer for it in court.
---------------------------------------------
https://futurezone.at/digital-life/malware-verkauft-22-jaehriger-muss-in-de…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 14-10-2016 18:00 − Monday 17-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** pseudoDarkleech Rig EK ***
---------------------------------------------
Since Monday 2016-10-03, the pseudoDarkleech campaign has been using Rig exploit kit (EK) to distribute Cerber ransomware. [Image captions: An infection chain of events. Let .. / UDP traffic seen ..]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21595
*** Sierra Wireless Mitigations Against Mirai Malware ***
---------------------------------------------
NCCIC/ICS-CERT received a technical bulletin from the Sierra Wireless company, outlining mitigations to secure Airlink Cellular Gateway devices affected by (or at risk of) the “Mirai” malware. While the Sierra Wireless ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01
*** Vuln: Magento CMS Multiple Cross-Site Request Forgery Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/93576
*** Vuln: Magento CMS Flash File Uploader Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93575
*** Vuln: PHP password_verify() Function Out-of-Bounds Read Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93578
*** Maldoc VBA Anti-Analysis ***
---------------------------------------------
I was asked for help with the analysis of sample 7c9505f2c041ba588bed854258344c43. Turns out this malicious Word document has some anti-analysis tricks (here is an older diary entry with other anti-analysis tricks). Here is the analysis with oledump.py: Stream 8 contains VBA ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21599
*** Symantec observed a surge of spam emails using malicious WSF files ***
---------------------------------------------
Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments. Experts from Symantec are observing a significant increase in the number of email-based ..
---------------------------------------------
http://securityaffairs.co/wordpress/52341/cyber-crime/spam-wsf-files.html
*** Analyzing Office Maldocs With Decoder.xls, (Sun, Oct 16th) ***
---------------------------------------------
In my last diary entry, I show how to decode VBA maldoc strings with Excel. A similar technique can be used to decode a payload (like shellcode). I explain ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21601
*** Outlook-on-Android alternative Nine leaked Exchange Server creds ***
---------------------------------------------
Patches slung to fix popular third-party email app. Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability.
---------------------------------------------
www.theregister.co.uk/2016/10/17/outlook_app_slapped_in_maninthemiddle_didd…
*** VMSA-2016-0016 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0016.html
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2016-0264, CVE-2016-3426) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024427
*** No More Ransom adds law enforcement partners from 13 new countries ***
---------------------------------------------
Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/no-ransom-adds-law-enforcement-partner…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 13-10-2016 18:00 − Friday 14-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Rigged primes enable backdoors in encryption ***
---------------------------------------------
A research team has shown that a backdoor can be built into encryption schemes by cleverly constructing a prime number. It cannot be ruled out that this has long since happened with established schemes.
---------------------------------------------
https://heise.de/-3347585
*** Security through Confusion – The FUD Factor ***
---------------------------------------------
The FUD factor has been employed by sales and marketing teams from multiple industries for decades. It stands for fear, uncertainty and doubt (FUD) and first appeared in the 70’s as a tactic used by competitors in the computer ..
---------------------------------------------
https://blog.sucuri.net/2016/10/security-confusion-fud-factor.html
*** Cyber Europe 2016: the pan-European exercise to protect EU Infrastructures against coordinated cyber-attack ***
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016
*** Floating Down .Stream (Shady TLD Research, Part 17) ***
---------------------------------------------
The end of September means the leaves are starting to change -- and our quarterly Top Ten list of the shadiest TLDs is changing as well, with three newcomers since last time ..
---------------------------------------------
https://www.bluecoat.com/security-blog/2016-10-13/floating-down-stream-shad…
*** OSIsoft PI Web API 2015 R2 Service Account Permissions Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a permissions vulnerability in OSIsoft’s PI Web API.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-01
*** Siemens Automation License Manager Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Siemens' Automation License Manager (ALM).
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-02
*** Rockwell Automation Stratix Denial-of-Service and Memory Leak Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities contained in Rockwell Automation’s Allen-Bradley Stratix industrial switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-04
*** Moxa ioLogik E1200 Series Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Moxa's ioLogik E1200 series application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-05
*** Fatek Automation Designer Memory Corruption Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a heap memory corruption and two stack buffer overflow vulnerabilities in Fatek’s Automation PM and FV Designer applications.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-06
*** Kabona AB WDC Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Kabona AB’s WebDatorCentral (WDC) application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-287-07
*** Pork Explosion flaw splatters Foxconn's Android phones ***
---------------------------------------------
Full compromise over USB bacon-ed in to smartmobes. Security researcher John Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand.
---------------------------------------------
www.theregister.co.uk/2016/10/14/pork_explosion_foxconn_flaw/
*** LockyDump - All Your Configs Are Belong To Us ***
---------------------------------------------
This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming LockyDump. This is the first open source tool which can dump ..
---------------------------------------------
http://blog.talosintel.com/2016/10/lockydump.html
*** Quickly audit and adjust SSH server configurations with SSH-audit ***
---------------------------------------------
SSH-audit is a standalone open source tool for auditing and fixing SSH server configurations. It has no dependencies and will run wherever Python is available. It supports OpenSSH, Dropbear SSH and libssh, and reports on every detail of the tested SSH server, including detailed information about ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/14/ssh-audit-fix-ssh-server-configu…
*** Magento updates: checkout process as an entry point for attackers ***
---------------------------------------------
Security patches for the shop system close several holes. Two of them are rated critical.
---------------------------------------------
https://heise.de/-3350195
*** Apache OpenOffice 4.1.3 ***
---------------------------------------------
Apache OpenOffice 4.1.3 is a bug-fix release that fixes security issues, updates dictionaries and corrects some other known bugs. All users of Apache OpenOffice 4.1.2 or older versions are advised to update.
---------------------------------------------
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=65873798
*** SSHowDowN: Twelve-year-old OpenSSH bug endangers countless IoT devices ***
---------------------------------------------
Akamai warns that criminals are continuing unabated to hijack millions of IoT devices for DDoS attacks. The hole being exploited is more than a decade old. Many devices reportedly cannot be patched.
---------------------------------------------
https://www.heise.de/newsticker/meldung/SSHowDowN-Zwoelf-Jahre-alter-OpenSS…
*** Cyber-attacks Against Nuclear Plants: A Disconcerting Threat ***
---------------------------------------------
Introduction A cyber-attack against critical infrastructure could cause the paralysis of critical operations with serious consequences for a country and its population. In a worst case scenario, a cyber-attack could affect processes that in ..
---------------------------------------------
http://resources.infosecinstitute.com/cyber-attacks-against-nuclear-plants-…
*** Wosign and Startcom: Mozilla gets serious about the expulsion ***
---------------------------------------------
Mozilla has announced on the developer mailing list that it will no longer trust certificates from Wosign and Startcom starting with Firefox version 51, the release after next. That version is planned for this coming January.
---------------------------------------------
http://www.golem.de/news/wosign-und-startcom-mozilla-macht-ernst-mit-dem-ra…
*** GlobalSign accidentally revokes certificates of many websites ***
---------------------------------------------
Some web browsers are currently warning that connections to websites such as Wikipedia are no longer secured, because something is wrong with the site's certificate.
---------------------------------------------
https://heise.de/-3350544
*** IT experts of the Austrian Armed Forces find critical hole in Microsoft Office ***
---------------------------------------------
Analysis of a cyberattack – the vulnerability was fixed with an update on 11 October
---------------------------------------------
http://derstandard.at/2000045921807
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 12-10-2016 18:00 − Thursday 13-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Fake Ministry of Finance phishing mail in circulation ***
---------------------------------------------
A supposed notification from the Federal Ministry of Finance is turning up in e-mail inboxes. The letter claims that the BMF is refunding recipients an overpayment of 716.43 euros. For this, it says, they need to fill out a "tax form" attached to the e-mail. This is a phishing attempt by criminals.
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-finanzministerium-ph…
*** Congratulations to our milCERT ***
---------------------------------------------
Yesterday was Microsoft's monthly patch day, and in the midst of the bugs that allow remote code execution we find the following: Acknowledgments - 2016 MS16-121 Microsoft Office Memory Corruption Vulnerability CVE-2016-7193 Austrian MilCERT | We congratulate our colleagues from the Stiftskaserne on the find and expect the details soon over a beer or two. Author: Otmar Lendl
---------------------------------------------
http://www.cert.at/services/blog/20161012185042-1798.html
*** Everyone Loves Selfies, Including Malware! ***
---------------------------------------------
I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, I don't always have my "good camera"...
---------------------------------------------
https://blogs.mcafee.com/consumer/everyone-loves-selfies-including-malware/
*** A Look at the BIND Vulnerability: CVE-2016-2776 ***
---------------------------------------------
On September 27, the Internet Systems Consortium (ISC) announced the release of patches for a critical vulnerability that would allow attackers to launch denial-of-service (DoS) attacks using the Berkeley Internet Name Domain (BIND) exploits. The critical error was discovered during internal testing by the ISC. BIND is a very popular open-source software component that implements DNS protocols. It is also known as the de facto standard for Linux and other Unix-based systems, which means a...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/78QqkPE96mw/
*** WSF attachments are the latest malware delivery vehicle ***
---------------------------------------------
Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via unsolicited emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software. [Figure: Number of blocked emails containing malicious WSF attachments by month] According to Symantec, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email.
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/13/wsf-attachments-malware-delivery/
*** CryPy: ransomware behind Israeli lines ***
---------------------------------------------
A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.
---------------------------------------------
http://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-l…
*** IoT Devices as Proxies for Cybercrime ***
---------------------------------------------
Multiple stories published here over the past few weeks have examined the disruptive power of hacked "Internet of Things" (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity -- from frequenting underground forums to credit card and tax refund fraud.
---------------------------------------------
https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/
*** 6000 online shops allegedly infested with credit card skimmers - and the number is rising ***
---------------------------------------------
Online criminals are currently increasingly harvesting credit card data on the websites of online shops, a security researcher reports.
---------------------------------------------
https://heise.de/-3349185
*** What is MANRS and does your network have it? ***
---------------------------------------------
While the internet itself was first envisioned as a way of enabling robust, fault-tolerant communication, the global routing infrastructure that underlies it is relatively fragile. A simple error like the misconfiguration of routing information in one of the 7,000 to 10,000 networks central to global routing can lead to a widespread outage, and deliberate actions, like preventing traffic with spoofed source IP addresses, can lead to distributed denial of service (DDoS) attacks.
---------------------------------------------
http://www.cio.com/article/3130707/internet/what-is-manrs-and-does-your-net…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco cBR-8 Converged Broadband Router vty Integrity Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wide Area Application Services Central Manager Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager iFrame Data Clickjacking Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure and Evolved Programmable Network Manager Database Interface SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Meeting Server Client Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Finesse Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Juniper Security Bulletins ***
---------------------------------------------
*** JSA10763 - 2016-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-4922) ***
http://kb.juniper.net/index?page=content&id=JSA10763&actp=RSS
---------------------------------------------
*** JSA10766 - 2016-10 Security Bulletin: vMX: Information leak vulnerability (CVE-2016-4924) ***
http://kb.juniper.net/index?page=content&id=JSA10766&actp=RSS
---------------------------------------------
*** JSA10767 - 2016-10 Security Bulletin: JUNOSe: Line Card Reset: processor exception 0x68616c74 (halt) task: scheduler, upon receipt of crafted IPv6 packet (CVE-2016-4925) ***
http://kb.juniper.net/index?page=content&id=JSA10767&actp=RSS
---------------------------------------------
*** JSA10764 - 2016-10 Security Bulletin: Junos J-Web: Cross Site Scripting Vulnerability (CVE-2016-4923) ***
http://kb.juniper.net/index?page=content&id=JSA10764&actp=RSS
---------------------------------------------
*** JSA10762 - 2016-10 Security Bulletin: Junos: IPv6 denial of service vulnerability due to resource exhaustion (CVE-2016-4921) ***
http://kb.juniper.net/index?page=content&id=JSA10762&actp=RSS
---------------------------------------------
*** JSA10761 - 2016-10 Security Bulletin: CTPView: Multiple vulnerabilities in CTPView ***
http://kb.juniper.net/index?page=content&id=JSA10761&actp=RSS
---------------------------------------------
*** JSA10760 - 2016-10 Security Bulletin: Junos Space: Multiple vulnerabilities ***
http://kb.juniper.net/index?page=content&id=JSA10760&actp=RSS
---------------------------------------------
*** JSA10759 - 2016-10 Security Bulletin: OpenSSL security updates ***
http://kb.juniper.net/index?page=content&id=JSA10759&actp=RSS
---------------------------------------------
*** Security Advisory: PCRE vulnerability CVE-2016-3191 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/51/sol51440224.html?…
*** Brocade NetIron MLX Line Card IPSec Processing Bug Lets Remote Users Cause the Target Line Card to Reset ***
---------------------------------------------
http://www.securitytracker.com/id/1037010
*** Fortinet FortiManager Input Validation Flaw in Advanced Settings Page Lets Remote Authenticated Administrative Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036982
*** Fortinet FortiAnalyzer Input Validation Flaw in Advanced Settings Page Lets Remote Authenticated Administrative Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036981
*** Palo Alto PAN-OS Range Header Null Pointer Dereference Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1037007
*** DFN-CERT-2016-1689: Ghostscript: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1689/
*** Vuln: SAP NetWeaver ABAP ST-PI Component SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93506
*** Vuln: SAP BusinessObjects Unspecified Cross Site Request Forgery Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93508
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM BigFix Remote Control (CVE-2016-2183, CVE-2016-6304, CVE-2016-2177, CVE-2016-2178, CVE-2016-6306) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991896
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to information disclosure (CVE-2016-5994) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992171
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BigFix Remote Control (CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991894
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Websphere that is used by IBM BigFix Remote Control. (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991866
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM BigFix Remote Control (CVE-2016-5983) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991902
---------------------------------------------
*** IBM Security Bulletin: IBM Kenexa LCMS Premier on Cloud has addressed (CVE-2016-5949) ***
http://www.ibm.com/support/docview.wss?uid=swg21992276
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Campaign, IBM Interact, IBM Distributed Marketing, IBM Marketing Operations (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21991786
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat, Commons FileUpload Vulnerabilities IBM Algorithmics Algo Risk Application ***
http://www.ibm.com/support/docview.wss?uid=swg21990262
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2016-2177, CVE-2016-2178) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099492
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect IBM BigFix Remote Control (CVE-2016-1181, CVE-2016-1182) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991903
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 11-10-2016 18:00 − Wednesday 12-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** VU#396440: MatrixSSL contains multiple vulnerabilities ***
---------------------------------------------
Heap-based Buffer Overflow - CVE-2016-6890: The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/396440
*** October 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/10/11/october-2016-security-u…
*** Security Advisory: Expat XML library vulnerability CVE-2015-1283 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15104541.html
*** Top of the Junk Pile (Shady TLD research part 16) ***
---------------------------------------------
[Sorry about neglecting the external blog during all of the Symantec excitement this summer, but we had a lot going on... This post is from our internal blog, back in July (7/08/2016), and we wanted to get it out on the site when we resumed blogging, since a lot of people have been ..
---------------------------------------------
https://www.bluecoat.com/2016-10-04/top-junk-pile-shady-tld-research-part-16
*** MSRT October 2016 release: Adding more unwanted software detections ***
---------------------------------------------
Unwanted software often piggy-backs on program downloads, delivered by software bundlers. These bundles, which you might have downloaded, can include software ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/11/msrt-october-2016-relea…
*** Four vulnerabilities found in Dell SonicWALL Email Security virtual appliance application ***
---------------------------------------------
Digital Defense (DDI) disclosed the discovery of four security vulnerabilities found in the Dell SonicWALL Email Security virtual appliance application. The appliance is frequently deployed as a perimeter device. Further, ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/12/sonicwall-email-security-vulnera…
*** Scan Ruby-based apps for security issues with Dawnscanner ***
---------------------------------------------
Dawnscanner is an open source static analysis scanner designed to review the security of web applications written in Ruby. Dawnscanner’s genesis: Its developer, Paolo Perego, says that he was motivated to create it back in spring ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/12/scan-ruby-based-apps-dawnscanner/
*** WiFi Still Remains a Good Attack Vector ***
---------------------------------------------
WiFi networks are everywhere! When we plan to visit a place or reserve a hotel for our holidays, we always check first if free WiFi is available (be honest, you do!). Once we connected our beloved devices to an external wireless ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21583
*** Security Advisory - Multiple Security Vulnerabilities in Driver of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161012-…
*** List of 2016 OWASP London Talks & Videos ***
---------------------------------------------
https://www.youtube.com/owasplondon
*** VMware vRealize Operations Lets Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1036999
*** Several Exploit Kits Now Deliver Cerber 4.0 ***
---------------------------------------------
We have tracked three malvertising campaigns and one compromised site campaign using Cerber ransomware after version 4.0 (detected as Ransom_CERBER.DLGE) was ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/several-exploit-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 10-10-2016 18:00 − Tuesday 11-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Denial of Service Vulnerability in Citrix License Server ***
---------------------------------------------
A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote ...
---------------------------------------------
http://support.citrix.com/article/CTX217430
*** [2016-10-11] XXE vulnerability in RSA ECAT Client ***
---------------------------------------------
By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user's system running the RSA ECAT client and thus obtain sensitive information from the system. It is also possible to scan ports of internal hosts and cause a DoS on the affected host.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** Ransomware DXXD targets Windows servers ***
---------------------------------------------
The people behind the ransomware have optimised their malware and rendered the free decryption tool unusable. They also publicly mock security researchers.
---------------------------------------------
https://heise.de/-3344979
*** Bugtraq: [SEARCH-LAB advisory] AVTECH IP Camera, NVR, DVR multiple vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539567
*** Nymaim: Deep Technical Dive - Adventures in Evasive Malware ***
---------------------------------------------
Nymaim is mostly known worldwide as a downloader, although it seems to have evolved from its former versions, now having new functionalities to obtain data on the machine with no need to download a new payload. Some of the exported ..
---------------------------------------------
http://www.seculert.com/blogs/nymaim-deep-technical-dive-adventures-in-evas…
*** Certificate authorities: Heads roll at WoSign and StartCom ***
---------------------------------------------
The two free CAs each get new top management and are to be completely separated from each other. This is intended to win back the trust that was lost.
---------------------------------------------
https://heise.de/-3344229
*** APT 28: How a French TV station was hacked ***
---------------------------------------------
In 2015, the French TV station TV5 was paralysed for hours after an attack on its IT infrastructure. An investigation by the French police now shows how methodically the attackers proceeded.
---------------------------------------------
http://www.golem.de/news/apt-28-wie-ein-franzoesischer-fernsehsender-gehack…
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Flash Player (APSB16-32), Adobe Acrobat and Reader (APSB16-33), and Adobe Creative Cloud Desktop Application (APSB16-34). Adobe recommends users update their product installations ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1409
*** DDoS: What Cloudflare sees of the Mirai botnet ***
---------------------------------------------
Cloudflare has taken a closer look at the current DDoS attacks - and reports that some attacks generate 1.75 million HTTP requests per second.
---------------------------------------------
http://www.golem.de/news/ddos-was-cloudflare-vom-mirai-botnetz-sieht-1610-1…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 07-10-2016 18:00 − Monday 10-10-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Europe to Push New Security Rules Amid IoT Mess ***
---------------------------------------------
The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.
---------------------------------------------
https://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-…
*** More security for the Internet of Things ***
---------------------------------------------
The networked devices of the Internet of Things (IoT) collect and process ever more data, but frequently fail to protect that data. A detailed guide aims to help with the development of secure devices.
---------------------------------------------
https://heise.de/-3343482
*** Security Economics of the Internet of Things ***
---------------------------------------------
Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack. In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other Internet-connected...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/10/security_econom_1.html
*** Mirai: DDoS via IoT ***
---------------------------------------------
In recent weeks a new record was once again set for the strongest Distributed Denial of Service (DDoS) attack measured so far. That in itself is not surprising: the available bandwidth on the Internet is still growing strongly, so it is clear that attack strength can grow along with it. What was surprising, however, was that the record was not reached via a "reflected DDoS". This method...
---------------------------------------------
http://www.cert.at/services/blog/20161010095630-1789.html
*** Strange Loop - IP Spoofing ***
---------------------------------------------
I recently gave a talk at the Strange Loop conference in St Louis. The recording and slides are available, but for easier consumption here's a transcript.
---------------------------------------------
https://idea.popcount.org/2016-09-20-strange-loop---ip-spoofing/
*** VMware plugs information leak in Horizon View ***
---------------------------------------------
Important security updates are intended to make VMware Horizon View on Windows more secure.
---------------------------------------------
https://heise.de/-3343678
*** Radare2: rahash2, (Mon, Oct 10th) ***
---------------------------------------------
Radare2 is an open-source reverse-engineering framework. Some time ago I wrote about recovering ransomed pictures. By calculating the entropy of the ransomed files with my byte-stats tool, I could see that the file was not completely encrypted. rahash2 is one of the tools in the Radare2 framework. As its name implies, it calculates (cryptographic) hashes, but it is quite versatile. For example, it will also calculate entropy. And like my byte-stats.py tool, it can also split the file in blocks...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21577&rss
*** Remove ransomware infections from your PC using these free tools ***
---------------------------------------------
A how-to on finding out what ransomware is squatting in your PC -- and how to get rid of it.
---------------------------------------------
http://www.zdnet.com/article/remove-ransomware-infections-from-your-pc-usin…
*** Open source router: 1000 Turris Omnia shipped ***
---------------------------------------------
Although shipping was originally supposed to start in the summer, the manufacturer cz.nic did not deliver the first Turris Omnia routers until the end of September. A few days ago the thousandth unit was already sent out.
---------------------------------------------
https://heise.de/-3344417
*** VU#338624: U by BB and T iOS banking application fails to properly validate SSL certificates ***
---------------------------------------------
Vulnerability Note VU#338624: U by BB&T iOS banking application fails to properly validate SSL certificates
Original Release date: 30 Sep 2016 | Last revised: 06 Oct 2016
Overview: U by BB&T for iOS, version 1.5.4 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.
Description: CWE-295: Improper Certificate Validation - CVE-2016-6550. U by BB&T is a banking application. On iOS...
---------------------------------------------
http://www.kb.cert.org/vuls/id/338624
*** Vuln: GraphicsMagick CVE-2016-7997 NULL Pointer Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93467
*** DSA-3689 php5 - security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3689
*** Toshiba FlashAir does not require authentication in "Internet pass-thru Mode" ***
---------------------------------------------
FlashAir provided by Toshiba Corporation does not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled.
---------------------------------------------
http://jvn.jp/en/jp/JVN39619137/
*** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services: Clickjacking (CVE-2016-3060) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21992051
*** IBM Security Bulletin: HTTP Response Splitting in Liberty affects IBM MessageSight (CVE-2016-0359) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21991096
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024350
*** IBM Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Systems Director Storage Control (CVE-2015-4872) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024349
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 06-10-2016 18:00 − Friday 07-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Fake Bank Austria security certificate is malware ***
---------------------------------------------
In a fake Bank Austria message with the subject "Sicherheitszertifikat" (security certificate), criminals claim that recipients must install a program on their smartphone. This is supposedly necessary so that they can use their online banking account. In reality, the program is malware.
---------------------------------------------
https://www.watchlist-internet.at/schadsoftware/gefaelschtes-bank-austria-s…
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-33) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-33) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, October 11, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the Adobe...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1405
*** 100+ online shops compromised with payment data-stealing code ***
---------------------------------------------
Since March 2016 (and possibly even earlier), someone has been compromising a variety of online shops and injecting them with malicious JavaScript code that exfiltrates payment card and other kinds of information users entered to pay for their shopping. According to RiskIQ and ClearSky researchers, the campaign - which they dubbed Magecart - is still ongoing, albeit at a reduced scope and pace. Since March, the threat actor behind it has compromised more than 100...
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/07/payment-data-stealing-code/
*** Background: Analysed: Ad bludgeon instead of gems - Android malware CallJam dissected ***
---------------------------------------------
Despite various security checks, malware keeps sneaking into Google's app store. One such piece poses as a supposed helper for the incredibly successful game "Clash Royale".
---------------------------------------------
https://heise.de/-3340267
*** Lovoo: Security hole enables creation of movement profiles ***
---------------------------------------------
Until recently, information about users could be retrieved via the dating service's web API - even without a login. With script automation, movement profiles can be built from this.
---------------------------------------------
http://www.golem.de/news/lovoo-sicherheitsluecke-ermoeglicht-erstellung-von…
*** Positive Technologies: Security Trends & Vulnerabilities Review Industrial Control Systems (PDF) ***
---------------------------------------------
This study examines components of ICS from different vendors. In the period from 2012 to 2015, a total of 743 vulnerabilities were discovered in ICS components; most of them were detected in products from well-known companies: Siemens, Schneider Electric, and Advantech. Most vulnerabilities are of either high or medium risk (47% high, 47% medium). ... Summary: The study shows that the number of vulnerable ICS components is not reducing from year to year. Nearly half of identified...
---------------------------------------------
https://www.ptsecurity.com/upload/iblock/6bd/ics_vulnerability_2016_eng.pdf
*** An attachment that wasn't there ***
---------------------------------------------
By Slavo Greminger and Oli Schacher | On a daily basis we collect tons of Spam emails, which we analyze for malicious content. Of course, this is not done manually by our thousands of minions, but automated using some Python-fu. Python...
---------------------------------------------
https://securityblog.switch.ch/2016/10/07/an-attachment-that-wasnt-there/
*** Security updates: Attackers can hijack Cisco switches ***
---------------------------------------------
The network equipment maker is addressing two security holes rated as critical in switches of the Nexus series and is distributing security patches for 15 further vulnerabilities in various products.
---------------------------------------------
https://heise.de/-3342846
*** OS X El Capitan: Waiting for the big security update ***
---------------------------------------------
Apple's new operating system macOS Sierra closes numerous holes that are present in the previous version. But the manufacturer has not yet published a separate update for OS X El Capitan.
---------------------------------------------
https://heise.de/-3342343
*** Malware could record video and audio from the Mac ***
---------------------------------------------
Security researcher Patrick Wardle has developed a demo exploit that can capture camera and microphone data while chats are running.
---------------------------------------------
https://heise.de/-3342336
*** VMSA-2016-0015 VMware Horizon View updates address directory traversal vulnerability (CVE-2016-7087) ***
---------------------------------------------
Severity: Important
VMware Horizon View contains a vulnerability that may allow for a directory traversal on the Horizon View Connection Server. Exploitation of this issue may lead to a partial information disclosure.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0015.html
*** IDM 4.5 One SSO Provider (OSP) 6.0.0.5 ***
---------------------------------------------
Abstract: This hotfix provides enhancements and software fixes for the One SSO Provider for Identity Manager. For more information about these updates, see the hotfix details.
Document ID: 5256490
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: IDM45-OSP60-HF-5.zip (23.28 MB)
Products: Identity Manager 4.5, Access Review 1.1, Access Review 1.5
Superseded Patches: IDM 4.5 One SSO Provider (OSP)
---------------------------------------------
https://download.novell.com/Download?buildid=Z0jKqCEDM7k~
*** Atlassian HipChat Secret Key Disclosure ***
---------------------------------------------
Topic: Atlassian HipChat Secret Key Disclosure
Risk: Medium
Text: This email refers to the following advisory pages: * Bitbucket Server - https://confluence.atlassian.com/x/0QkcMg * Conflue...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100066
*** DFN-CERT-2016-1653: KDE: Multiple vulnerabilities in KMail allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1653/
*** GE Bently Nevada 3500/22M Improper Authorization Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on September 8, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-252-01
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Dashboard Framework is affected by a security vulnerability in Apache POI (CVE-2016-5000) ***
http://www.ibm.com/support/docview.wss?uid=swg21991850
---------------------------------------------
*** IBM Security Bulletin: IBM Web Experience Factory is affected by a security vulnerability in Apache POI (CVE-2016-5000) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991851
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Dashboard Framework is affected by multiple security vulnerabilities in Apache POI ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991839
---------------------------------------------
*** IBM Security Bulletin: IBM Web Experience Factory is affected by multiple security vulnerabilities in Apache POI ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991845
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21991877
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21991879
---------------------------------------------
*** IBM Security Bulletin: IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-4463) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991111
---------------------------------------------
*** IBM Security Bulletin: IBM Streams is affected by Libxml2 vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991061
---------------------------------------------
*** IBM Security Bulletin: IBM Streams may be impacted by a vulnerability in WebSphere Liberty (CVE-2016-2923) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991058
---------------------------------------------
*** IBM Security Bulletin: IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991112
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 05-10-2016 18:00 − Thursday 06-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Symantec Web Gateway Management Console Interface Command Injection ***
---------------------------------------------
Symantec has released an update to address a Symantec Web Gateway (SWG) Management Console Interface command injection issue bypassing validation restrictions to add an unauthorized whitelist entry.
Highest severity issue: Medium
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** NIST: People have given up on cybersecurity - it's too much hassle ***
---------------------------------------------
To help change people's mental models so that they will participate in cybersecurity, Theofanos said technology professionals have to do more work for the people using their products, so that people don't need to make too many decisions. "We need to make it easy for them to do the right thing," she said. "We need to make these things habits, so they don't really have to think about it."
---------------------------------------------
http://www.theregister.co.uk/2016/10/06/go_ahead_steal_my_muffin_recipe/
*** Spotify: Free version delivered malware for Windows and Mac ***
---------------------------------------------
Apparently injected via third-party advertising - Spotify confirms and apologises to users
---------------------------------------------
http://derstandard.at/2000045458665
*** Malicious actions not necessarily focused on causing disruptions in TELECOM, but system failures still are ***
---------------------------------------------
ENISA publishes its Annual Incidents report which gives the aggregated analysis of the security incidents causing severe outages in 2015.
---------------------------------------------
https://www.enisa.europa.eu/news/malicious-actions-not-necessarily-focused-…
*** Beware of malware distribution via Steam chat ***
---------------------------------------------
There are currently increasing reports that criminals are sending links to websites hosting trojans via hijacked Steam accounts.
---------------------------------------------
https://heise.de/-3342136
*** Denial of Service Vulnerability in Citrix License Server ***
---------------------------------------------
A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote, unauthenticated attacker to crash the License Server.
This vulnerability affects all versions of Citrix License Server for Windows and Citrix License Server VPX earlier than version 11.14.0.1.
This vulnerability has been assigned the following CVE number: CVE-2016-6273
---------------------------------------------
http://support.citrix.com/article/CTX217430
*** Vulnerability in Citrix Linux VDA (formerly known as Linux Virtual Desktop) Could Result in Privilege Escalation ***
---------------------------------------------
A vulnerability has been identified in the Linux Virtual Delivery Agent (VDA) component of Citrix XenDesktop that could allow a local user to execute commands as root on the Linux VDA.
The vulnerability affects all versions of the Citrix Linux VDA earlier than version 1.4.0.
This vulnerability has been assigned the following CVE number: CVE-2016-6276
---------------------------------------------
http://support.citrix.com/article/CTX216628
*** Security patches: Foxit pre-empts attacks on Reader and PhantomPDF ***
---------------------------------------------
The developers close several critical holes in the Linux, OS X and Windows versions.
---------------------------------------------
https://heise.de/-3341878
*** Wave your false flags! ***
---------------------------------------------
Targeted attackers are using an increasingly wide range of deception techniques to muddy the waters of attribution, planting "False Flag" timestamps, language strings, malware, among other things, and operating under the cover of non-existent groups.
---------------------------------------------
http://securelist.com/analysis/publications/76273/wave-your-false-flags/
*** Announcing CERT Basic Fuzzing Framework Version 2.8 ***
---------------------------------------------
Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). It's been about three years since we released BFF 2.7. In this post, I highlight some of the changes we've made.
---------------------------------------------
https://insights.sei.cmu.edu/cert/2016/10/announcing-cert-basic-fuzzing-fra…
*** Palo Alto PAN-OS GlobalProtect Portal Web Interface Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036968
*** Ransomware Cerber learns new tricks and encrypts even more ***
---------------------------------------------
Security researchers warn of a new version of the ransomware, which among other things can now also terminate certain running processes in order to get databases into its clutches.
---------------------------------------------
https://heise.de/-3341992
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco ASA Software DHCP Relay Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Intelligence Center (CUIC) Software Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Intelligence Center (CUIC) Software Unauthenticated User Account Creation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Intelligence Center (CUIC) Software Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Nexus 7000 and 7700 Series Switches Overlay Transport Virtualization Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Software-Based Products Authentication, Authorization, and Accounting Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Nexus 9000 Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software Command-Line Interface Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE IKEv2 Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center Console Local File Inclusion Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center Console Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Threat Management Console Remote Command Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Software Malformed DHCPv4 Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Software Crafted DHCPv4 Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Host Scan Package Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Software for Cisco Catalyst 6500 Series Switches and 7600 Series Routers ACL Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Border Gateway Protocol Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in crypto++ affects PowerKVM (CVE-2016-3995) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024263
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024236
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in PHP affects PowerKVM (CVE-2016-5385) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024261
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024270
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485) that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991149
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects SAN Volume Controller and Storwize Family (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009284
---------------------------------------------
*** IBM Security Bulletin: Vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2947) ***
http://www.ibm.com/support/docview.wss?uid=swg21991477
---------------------------------------------
*** IBM Security Bulletin: XStream XML information disclosure vulnerability affects IBM Rational Quality Manager (CVE-2016-3674) ***
http://www.ibm.com/support/docview.wss?uid=swg21991406
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2016-0359, CVE-2016-3092, CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990062
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LMS (CVE-2016-2510) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21987703
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in qemu affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024322
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in nagios affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024264
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in nginx affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024237
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in NRPE affects PowerKVM (CVE-2014-2913) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024235
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in lighttpd affects PowerKVM (CVE-2016-1000212) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024260
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in pigz affects PowerKVM (CVE-2015-1191) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024213
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in ganglia affects PowerKVM (CVE-2015-6816) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024262
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 04-10-2016 18:00 − Wednesday 05-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security Advisory: XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2015-1470 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16838.htm…
*** Android Security Bulletin October 2016 ***
---------------------------------------------
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update.
---------------------------------------------
https://source.android.com/security/bulletin/2016-10-01.html
*** Security Advisory: OpenSSL vulnerability CVE-2016-2183 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13167034.html?…
*** WordPress Hack Modifies Core Files to Share Spam ***
---------------------------------------------
One of the worst feelings a website owner can experience is discovering that your site has been hacked. Without proper security measures in place, even website owners with the best intentions can lose control of their website. When hackers gain access to your site, they can use it to host phishing content, distribute malware, steal sensitive information and more. In this analysis, we look at a website that was unintentionally sharing spam content in the form of Windows keys.
---------------------------------------------
https://blog.sucuri.net/2016/10/wordpress-hack-shares-spam-when-core-modifi…
*** Researchers spot remote code execution flaw in FreeImage ***
---------------------------------------------
Cisco Talos researchers spotted a remote code execution vulnerability in the FreeImage Library XMP Image Handling affecting version 3.17.0.
---------------------------------------------
http://www.scmagazine.com/remote-code-execution-flaw-spotted-in-freeimage-l…
*** Security Advisory: OpenSSL vulnerability CVE-2016-6303 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35543324.html?…
*** INDAS Web SCADA Path Traversal Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a path traversal vulnerability in the INDAS Web SCADA application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-278-01
*** Beckhoff Embedded PC Images and TwinCAT Components Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Beckhoff's Embedded PC Images and TwinCAT Components.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02
*** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the advisory update titled ICSA-16-208-01A Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities that was published August 16, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01
*** Let's not meet up with JPEG 2000 - researchers find security hole in image codec ***
---------------------------------------------
Won't it be strange when we're all fully pwned? Researchers are warning about a newly discovered security vulnerability in a popular open-source JPEG 2000 parser that could let corrupted image files trigger remote code execution.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/jpeg_2000_s…
*** DressCode malware: 400 Trojan apps infiltrate Google Play ***
---------------------------------------------
Security researchers warn of disguised Android spyware apps designed to siphon information out of corporate networks.
---------------------------------------------
https://heise.de/-3340921
*** Xen Security Advisory CVE-2016-7777 / XSA-190 version 5: CR0.TS and CR0.EM not always honored for x86 HVM guests ***
---------------------------------------------
A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-190.html
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Financial Transaction Manager for Corporate Payment Services (CVE-2016-5920) ***
http://www.ibm.com/support/docview.wss?uid=swg21989062
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator ***
http://www.ibm.com/support/docview.wss?uid=swg21989495
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-3705) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990231
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-3627) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991063
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Open Source GNU glibc affect IBM Workload Deployer (CVE-2014-9761, CVE-2015-8778, CVE-2015-8779) ***
http://www.ibm.com/support/docview.wss?uid=swg21991777
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source GNU glibc affects IBM Workload Deployer. (CVE-2015-8776) ***
http://www.ibm.com/support/docview.wss?uid=swg21991465
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability (CVE-2016-0243) Affects IBM Connections Mail ***
http://www.ibm.com/support/docview.wss?uid=swg21991265
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Cross-Site Scripting vulnerability (CVE-2016-0246) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990377
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 03-10-2016 18:00 − Tuesday 04-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Cisco IOS and Cisco IOS XE Software TCP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the handling of remote TCP connections in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to low memory. The vulnerability is due to the handling of out-of-order, or otherwise invalid, TCP packets on a remote connection to an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: SAP Security Audit Log CVE-2016-4551 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93288
*** Security Advisory: Nginx vulnerability CVE-2016-4450 ***
---------------------------------------------
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. (CVE-2016-4450)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/08/sol08250500.html?…
*** Researchers gut EMC's VMAX, vApp with five god mode hack holes ***
---------------------------------------------
Complete compromise: DIY admin, or DoS your victim. Researchers with Digital Defence have reported six dangerous vulnerabilities in EMC's VMAX product line that can grant remote attackers arbitrary command execution with root privileges.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/researchers…
*** SAP Netweaver 7.40 SP 12 SCTC_REFRESH_EXPORT_TAB_COMP Command Injection ***
---------------------------------------------
Topic: SAP Netweaver 7.40 SP 12 SCTC_REFRESH_EXPORT_TAB_COMP Command Injection. Risk: High. Text: Onapsis Security Advisory ONAPSIS-2016-041: SAP OS Command Injection in SCTC_REFRESH_EXPORT_TAB_COMP 1. Impact on Business ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100025
*** SAP Netweaver 7.40 SP 12 SCTC_REFRESH_CHECK_ENV Command Injection ***
---------------------------------------------
Topic: SAP Netweaver 7.40 SP 12 SCTC_REFRESH_CHECK_ENV Command Injection. Risk: High. Text: Onapsis Security Advisory ONAPSIS-2016-042: SAP OS Command Injection in SCTC_REFRESH_CHECK_ENV 1. Impact on Business ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100024
*** SAP Netweaver 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG Command Injection ***
---------------------------------------------
Topic: SAP Netweaver 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG Command Injection. Risk: High. Text: Onapsis Security Advisory ONAPSIS-2016-043: SAP OS Command Injection in SCTC_TMS_MAINTAIN_ALOG 1. Impact on Business ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100023
*** NCCIC/ICS-CERT 2015 Assessment Report [PDF] ***
---------------------------------------------
This report provides a year-end summary of the NCCIC/ICS-CERT security assessment activities.
---------------------------------------------
https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/FY2015_Indu…
*** Major security flaw in Samsung Knox could give hackers full control of your phone ***
---------------------------------------------
Israeli researchers found three vulnerabilities in Samsung Knox - they have since been patched but out-of-date devices may still be at risk
---------------------------------------------
http://www.wired.co.uk/article/samsung-knox-security-vulnerabilities
*** Industrial control kit hackable, warn researchers ***
---------------------------------------------
Plus: Ethernet I/O devices' web app fails to sanitise user input. Multiple vulnerabilities in MOXA ioLogik controllers put industrial facilities at risk if patches are not applied.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/ios_10_flaw/
*** Samsung Knox flaws open unpatched devices to compromise ***
---------------------------------------------
Researchers from Viral Security Group have discovered three vulnerabilities in Samsung Knox, a security platform that allows users to maintain separate identities for work and personal use, and is built into some of the company's Android smartphones and tablets. Knox is meant to protect the integrity of the entire device - both hardware and software - but apparently there are ways to bypass some of those protections, specifically those offered by the Real-time Kernel
---------------------------------------------
https://www.helpnetsecurity.com/2016/10/04/samsung-knox-flaws/
*** HPE KeyView SDK File Processing Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in HPE KeyView SDK. A remote user can cause arbitrary code to be executed on the target system.
A remote user can create a specially crafted file that, when processed by the target application using the HPE KeyView SDK, will execute arbitrary code on the target system. The code will run with the privileges of the target application.
The specific impact depends on the application using the SDK.
---------------------------------------------
http://www.securitytracker.com/id/1036935
*** Security patches for Dell EMC VMAX storage systems ***
---------------------------------------------
The enterprise storage systems are vulnerable to attacks from within the local network. Attackers can manipulate the communication of the Unisphere manager and thereby gain full access to the network storage.
---------------------------------------------
https://heise.de/-3340322
*** Bugtraq: Serimux SSH Console Switch v2.4 - Multiple Cross Site Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539524
*** Bugtraq: ESA-2016-121: EMC Unisphere for VMAX and Solutions Enabler Virtual Appliances Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539526
*** Bugtraq: ESA-2016-063: EMC Replication Manager and Network Module for Microsoft Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539525
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Notes HarfBuzz is vulnerable to a denial of service information disclosure (CVE-2015-8947) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990410
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Sterling Secure Proxy Configuration Manager ***
http://www.ibm.com/support/docview.wss?uid=swg21991278
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache POI affect Asset and Service Management ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989525
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2016-4472, CVE-2016-0718) ***
http://www.ibm.com/support/docview.wss?uid=swg21990634
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects: WebSphere Dashboard Framework (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21990404
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21988437
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21990945
---------------------------------------------
*** IBM Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities. ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021649
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by SQL Injection vulnerability (CVE-2016-0249) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990363
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Password in Clear Text vulnerability (CVE-2016-0247) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990368
---------------------------------------------
*** IBM Security Bulletin: FileNet Workplace XT and FileNet Workplace (Application Engine), can be affected by Cross Site Scripting vulnerabilities (CVE-2016-5981) ***
http://www.ibm.com/support/docview.wss?uid=swg21990899
---------------------------------------------
*** IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (CVE-2016-5901) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990852
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct Browser User Interface (CVE-2016-3426, CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21991387
---------------------------------------------
*** IBM Security Bulletin: HTML injection vulnerability in Business Space might affect IBM Business Process Manager (CVE-2016-3056) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990850
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-9748, CVE-2016-1669) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990841
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990834
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Secure Proxy (CVE-2016-3426, CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21991287
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server (CVE-2016-3426, CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21991289
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Execution with Unnecessary Privileges vulnerability (CVE-2016-0328) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990226
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Application Error vulnerability (CVE-2016-0242) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990229
---------------------------------------------
*** IBM Security Bulletin: IBM Expeditor HarfBuzz is vulnerable to a denial of service information disclosure (CVE-2015-8947) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990412
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 30-09-2016 18:00 − Monday 03-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security Advisory: NAT64 vulnerability CVE-2016-5745 ***
---------------------------------------------
BIG-IP devices using NAT64 are vulnerable to an unauthenticated remote attack that may allow modification of the BIG-IP system configuration. (CVE-2016-5745)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/64/sol64743453.html?…
*** imagemagick mogrify global buffer overflow ***
---------------------------------------------
Topic: imagemagick mogrify global buffer overflow. Risk: High. Text: Hi, imagemagick identify suffers from a global buffer overflow issue, which I reported and which has been patched...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100007
*** Ubiquiti UniFi Critical Vulnerability ***
---------------------------------------------
Vulnerability Details:
You are able to connect to the access point's database because of broken authentication (OWASP Top 10). So you are able to modify the database and read the data. A possible scenario you'll find in the PoC section.
Risk:
An attacker gets access to the database and is, for example, able to change the admin's password, as you see in the PoC below.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100006
*** Bundeskriminalamt plans a mobile version of the Bundestrojaner ***
---------------------------------------------
The BKA wants to extend the use of the Bundestrojaner (federal Trojan) to smartphones and tablets. This emerges from Bundestag budget documents that Süddeutsche Zeitung, NDR and WDR were able to inspect.
---------------------------------------------
https://heise.de/-3339512
*** Source Code for IoT Botnet 'Mirai' Released ***
---------------------------------------------
The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, DVRs and other easily hackable IoT devices.
---------------------------------------------
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-releas…
*** cJSON buffer out of bound read ***
---------------------------------------------
I would like to report a buffer out-of-bound read problem in cJSON, which is an embeddable JSON parser, used (I imagine) in embedded devices, or even bigger stuff like the PS4...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100013
*** Default Credentials Considered Harmful ***
---------------------------------------------
The use of default credentials by vendors is an outdated, dangerous throwback to 20th century practices that has no business being used in today's world. It is this specific antique practice that is directly responsible for the existence of the record-breaking denial-of-service botnet recently used to censor Brian Krebs and the similar attack on OVH - these botnets only exist because default credentials were implemented on devices, in flagrant violation of best practices ...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/default-credentials-co…
*** The Short Life of a Vulnerable DVR Connected to the Internet, (Sun, Oct 2nd) ***
---------------------------------------------
Most devices connected to the Internet these days aren't maintained and monitored personal computers. Instead, they are devices that are often not understood as computers but as "things", giving rise to the term Internet of Things or IoT. Over two years ago, we reported about how exploited DVRs are used to attack other devices across the Internet. Back then, like today, the vulnerability was an open telnet server with a trivial default password.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21543&rss
*** Researchers Break MarsJoke Ransomware Encryption ***
---------------------------------------------
Victims infected with the MarsJoke ransomware can now decrypt their files; researchers cracked the encryption in the CTB-Locker lookalike last week.
---------------------------------------------
http://threatpost.com/researchers-break-marsjoke-ransomware-encryption/1210…
*** Security Design: Stop Trying to Fix the User ***
---------------------------------------------
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security
---------------------------------------------
https://www.schneier.com/blog/archives/2016/10/security_design.html
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021643
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software (CVE-2016-3508, CVE-2016-3500, CVE-2016-3458, CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991383
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects Web Experience Factory (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21990405
---------------------------------------------
*** IBM Security Bulletin: IBM B2B Advanced Communications is vulnerable to cross-site scripting due to the vulnerability of 10x (CVE-2016-5892) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991148
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM B2B Advanced Communications (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990424
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple libxml2 vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024318
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple openssl vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024319
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect Transformation Extender Design Studio (CVE-2016-3426) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server ***
http://www.ibm.com/support/docview.wss?uid=swg21990451
---------------------------------------------
*** IBM Security Bulletin: OpenStack Glance vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-0757) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024348
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-09-2016 18:00 − Friday 30-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The Equation Group's Firewall Exploit Chain ***
---------------------------------------------
There has been plenty of research on pieces of this exploit kit, but very little on the full exploit chain. We were interested in studying some of the command and control traffic used by this exploit kit for emulation in BreakingPoint. On the way, we figured out how a lot of the puzzle pieces fit together. What follows are our findings on how this kit gains persistent control of a Cisco firewall. We also identify some of the missing pieces that were not previously available.
---------------------------------------------
https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain
*** European Cyber Security Month: get in the driving seat of your own online security ***
---------------------------------------------
October 2016 is European Cyber Security Month, and this year October will bring plenty of opportunities for people to discover how to stay safe online and play an active role in their own security. Throughout European Cyber Security Month, which kicks off today in Brussels, over 300 activities, including events, training sessions, tips and an online quiz, will take place across 27 countries. This year's Cyber Security Month will focus on security in banking, cyber safety, cyber training and mobile malware.
---------------------------------------------
https://www.enisa.europa.eu/news/ecsm
*** Lesser known tricks of spoofing extensions ***
---------------------------------------------
It is a well-known fact that malware using social engineering tricks is designed to hide itself from being an obvious executable. In this short article, we will present two other less common tricks used to deceive users.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/09/lesser-known-tricks-of-spo…
*** Backdoored D-Link Router Should be Trashed, Researcher Says ***
---------------------------------------------
A researcher who found a slew of vulnerabilities in a popular router says it's so hopelessly broken that consumers who own them should throw them away.
---------------------------------------------
http://threatpost.com/backdoored-d-link-router-should-be-trashed-researcher…
*** Sentinel 7.4 SP3 (Sentinel 7.4.3.0) Build 2805 ***
---------------------------------------------
This service pack resolves the following security vulnerabilities:
Sentinel 7.4 SP3 resolves a Java deserialization (CVE-2016-1000031) vulnerability.
---------------------------------------------
https://download.novell.com/Download?buildid=HXXzqDiAPd0~
*** [SANS ISC Diary] Another Day, Another Malicious Behaviour ***
---------------------------------------------
I published the following diary on isc.sans.org: "Another Day, Another Malicious Behaviour". Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request...
---------------------------------------------
https://blog.rootshell.be/2016/09/30/sans-isc-diary-another-day-another-mal…
*** Patch for Street Fighter V: anti-cheat tool can be abused as a rootkit ***
---------------------------------------------
A current patch for the Windows version of Street Fighter V introduces measures against cheaters, but in doing so disables an essential security mechanism of computers. A fix is now said to resolve the security problem.
---------------------------------------------
https://heise.de/-3338614
*** Bugtraq ***
---------------------------------------------
*** Bugtraq: Multiple exposures in Sophos UTM ***
http://www.securityfocus.com/archive/1/539518
---------------------------------------------
*** Bugtraq: [SYSS-2016-060] Logitech M520 - Insufficient Verification of Data Authenticity (CWE-345) ***
http://www.securityfocus.com/archive/1/539517
---------------------------------------------
*** Bugtraq: Persistent XSS in Abus Security Center - CVSS 8.0 ***
http://www.securityfocus.com/archive/1/539514
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 28-09-2016 18:00 − Thursday 29-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Dangerous Linux Trojan family investigated by Doctor Web ***
---------------------------------------------
September 27, 2016 Doctor Web’s security researchers have examined a Trojan named Linux.Mirai which is used by criminals to carry out DDoS attacks. Because virus specialists were familiar with earlier versions of this Trojan, they were able to find many features of the previous versions in this latest one, ..
---------------------------------------------
http://news.drweb.com/show/?i=10218&lng=en&c=9
*** SSH Brute Force Compromises Leading to DDoS ***
---------------------------------------------
A few weeks ago we ran an experiment to see how long it would take for some IPv4-only and IPv6-only servers to be compromised via SSH brute force attacks. We configured five cloud servers on Linode and Digital Ocean with the root password ..
---------------------------------------------
https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos…
*** Introducing Her Royal Highness, the Princess Locker Ransomware ***
---------------------------------------------
Today we bring you Princess Locker; the ransomware only royalty could love. First discovered by Michael Gillespie, Princess Locker encrypts a victim's data and then demands a hefty ransom ..
---------------------------------------------
http://www.bleepingcomputer.com/news/security/introducing-her-royal-highnes…
*** Security risk construction-site traffic lights: green wave at the push of a button ***
---------------------------------------------
It sounds like a computer game or a hacker movie, but unfortunately it is reality: the traffic light systems of a German manufacturer can be controlled remotely. Although the company has known about this for months, nothing has happened so far.
---------------------------------------------
http://www.golem.de/news/sicherheitsrisiko-baustellenampeln-gruene-welle-au…
*** ManageEngine ServiceDesk Plus vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN50347324/
*** Record DDoS attack at 1.1 terabits per second sighted ***
---------------------------------------------
Higher, faster, further: a steadily growing botnet is said to have bombarded the servers of a French web hoster with enormous amounts of data. This is apparently the largest documented DDoS attack to date.
---------------------------------------------
http://heise.de/-3336494
*** 500-million hack: Yahoo skimped on security ***
---------------------------------------------
Marissa Mayer handed out free iPhones and expensive catering at Yahoo, but security was apparently skimped on. In addition, a security firm doubts that Yahoo was really hacked by a state actor.
---------------------------------------------
http://www.golem.de/news/500-millionen-hack-yahoo-sparte-an-der-sicherheit-…
*** Multiple vulnerabilities in extension "phpMyAdmin" ***
---------------------------------------------
https://typo3.org/news/article/multiple-vulnerabilities-in-extension-phpmya…
*** Cisco patches away a backdoor and closes further holes ***
---------------------------------------------
Under certain conditions, attackers are said to be able to hijack Email Security Appliances without much effort. Cisco rates the vulnerability at the highest threat level.
---------------------------------------------
http://heise.de/-3337464
*** Bundeskriminalamt: awareness of cyber threats still inadequate ***
---------------------------------------------
The Bundesheer and the Bundeskriminalamt rely on education and are looking for tech-savvy personnel.
---------------------------------------------
http://derstandard.at/2000045143087
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 27-09-2016 18:00 − Wednesday 28-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Warning about invoices from "Austria Domain Hosting" ***
---------------------------------------------
Numerous internet users are currently receiving supposed invoices from "Austria Domain Hosting" by e-mail. The amount demanded is 179.40 euros for a domain registration that was never ordered. In reality, this is an attempted fraud!
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/warnung-vor-rechnu…
*** Data protection authorities uncover serious flaws in the Internet of Things ***
---------------------------------------------
The Global Privacy Network (GPEN) has examined 314 networked devices, from fitness trackers and blood glucose meters to smart TVs, and found major gaps in data protection. Even sensitive information is said to be hardly encrypted at all.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Datenschuetzer-decken-schwere-Maenge…
*** Back in Time Memory Forensics, (Tue, Sep 27th) ***
---------------------------------------------
You might get into a case where you have only the disk image without having the memory image. Or, even if you have the memory image, you might wish you had something from back in time. With the hibernation file (hiberfil.sys), the page file and crash dumps, that might be possible. And if you are lucky enough, you might be able to recover them from Volume Shadow Copy, which is enabled by default in most modern Windows OS versions.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21527&rss
*** Bugtraq: ESA-2016-127: EMC ViPR SRM Stored Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539492
*** Vuln: libgd gd_webp.c Integer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93184
*** Security Advisory: BIND vulnerability CVE-2016-2776 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/18/sol18829561.html?…
*** Vuln: Symantec Messaging Gateway CVE-2016-5312 Directory Traversal Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93148
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 ***
---------------------------------------------
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as "Critical Severity", one as "Moderate Severity", and the other 12 as "Low Severity". Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: Apache Axis2 Document Type Declaration Processing Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/40976
*** Vuln: Apache Xerces-C CVE-2016-4463 Stack Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/91501
*** BIND Bug in buffer.c Constructing Query Responses Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036903
*** Security Advisory: libssh vulnerability CVE-2016-0739 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/57/sol57255643.html?…
*** Security Advisory: TMM SSL/TLS virtual server vulnerability CVE-2016-6907 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39508724.html?…
*** EMC ViPR SRM Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036904
*** Security Advisory - Path Traversal Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160928-…
*** SSA-378531 (Last Update 2016-09-27): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531…
*** TP-Link Archer CR-700 Cross Site Scripting ***
---------------------------------------------
On running the command above, it sends a DHCP request to the router. In the DHCP request, the host name is sent, which we have forcibly set to an XSS script: <script>alert(5)</script>
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090203
*** Bugtraq: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539502
*** ICS-CERT releases new tools for securing industrial control systems ***
---------------------------------------------
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies. While the former has received many updates through the years (this newer version is v8.0), the whitepaper is a 'modernized' version of a document ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/28/tools-securing-industrial-contro…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21990448
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation (CVE-2016-3574, CVE-2016-3575, etc) ***
http://www.ibm.com/support/docview.wss?uid=swg21988718
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM WebSphere Dashboard Framework (CVE-2016-3092 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990386
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM Web Experience Factory (CVE-2016-3092 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990394
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Limits (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988584
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Rational BuildForge (CVE-2016-2107, CVE-2016-2176) ***
http://www.ibm.com/support/docview.wss?uid=swg21988081
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in sblim-sfcb affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-5185) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099487
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-8710) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099488
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 26-09-2016 18:00 − Tuesday 27-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Sofacy APT Targeting OS X Machines with Komplex Trojan ***
---------------------------------------------
APT gang Sofacy is targeting Mac OS X users with a Trojan that allows an attacker to execute remote commands on infected systems.
---------------------------------------------
http://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-troja…
*** Java-Deserialization-Cheat-Sheet ***
---------------------------------------------
A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
---------------------------------------------
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
*** Security update for Django 1.8 and 1.9 released ***
---------------------------------------------
The reason for the web framework update is a vulnerability that, in combination with Google Analytics, makes Django's CSRF protection attackable. The current Django 1.10 is not affected, and versions older than 1.8 no longer receive security patches.
---------------------------------------------
http://heise.de/-3332611
*** Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM ***
---------------------------------------------
The idea behind this vulnerability is simple to describe at a high level:
- Trick the 'NT AUTHORITY\SYSTEM' account into authenticating via NTLM to a TCP endpoint we control.
- Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the 'NT AUTHORITY\SYSTEM' account. This is done through a series of Windows API calls.
- Impersonate the token we have just negotiated.
---------------------------------------------
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-…
*** Unsafe at any clock speed: Linux kernel security needs a rethink ***
---------------------------------------------
Ars reports from the Linux Security Summit - and finds much work that needs to be done.
---------------------------------------------
http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/
*** No wonder we're being hit by Internet of Things botnets. Ever tried patching a Thing? ***
---------------------------------------------
Akamai CSO laments piss-poor security design practices. Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/27/akamai_chie…
*** CVE-2016-7543 -- bash SHELLOPTS+PS4 ***
---------------------------------------------
The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen().
---------------------------------------------
http://seclists.org/oss-sec/2016/q3/617
*** Siemens SCALANCE M-800/S615 Web Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a web security vulnerability in Siemens SCALANCE M-800 and S615 modules.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-271-01
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2015-8325, CVE-2016-6210, CVE-2016-6515) ***
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/java_july2016_advisory.asc
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 23-09-2016 18:00 − Monday 26-09-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do not install the Erste Bank security certificate ***
---------------------------------------------
In a fake Erste Bank message, criminals demand that recipients install a security certificate for their mobile device. If addressees do not do so, this allegedly leads to their account being blocked. Installing the security certificate infects the smartphone with malware. With this, criminals gain access to the victim's account. Victims lose money.
---------------------------------------------
https://www.watchlist-internet.at/schadsoftware/kein-erste-bank-sicherheits…
*** Weakened iTunes backup encryption: Apple promises a fix ***
---------------------------------------------
A vulnerability makes brute-force attacks on encrypted iTunes backups of iOS 10 devices less time-consuming. Apple is aware of the problem and stresses that iCloud backups are not affected.
---------------------------------------------
http://heise.de/-3331346
*** VBA and P-code, (Mon, Sep 26th) ***
---------------------------------------------
I want to draw your attention to some great work Dr. Bontchev did. pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document:
python pcodedmp.py -d poc2b.doc
Processing file: ...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21521&rss
*** Leaking Beeps: Here's A Reason to Kick Pagers out of Hospitals ***
---------------------------------------------
Today, Trend's FTR team released the paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, on our research into pager technology. If you are concerned about keeping your health information private, I would highly recommend you read through it. I, for one, was not expecting the findings we made. Pagers are secure, right? We've used them for decades, they are hard to monitor, and that's why some of our most trusted industries use them, including the healthcare...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/o-H15bX77W8/
*** OpenSSL Fixes Critical Bug Introduced by Latest Update ***
---------------------------------------------
OpenSSL's most recent update introduced a critical vulnerability in the crypto library, forcing an emergency update today.
---------------------------------------------
http://threatpost.com/openssl-fixes-critical-bug-introduced-by-latest-updat…
*** OpenSSL Security Advisory [26 Sep 2016] ***
---------------------------------------------
This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification.
---------------------------------------------
https://www.openssl.org/news/secadv/20160926.txt
*** Security Advisory: NodeJS vulnerability CVE-2016-2086 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15311661.html?…
*** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on THEZEDT Website ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-…
*** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on TheZedt Website ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-…
*** Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-460347
*** Security Advisory - Privilege Escalation Vulnerability in Huawei Multiple Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160926-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Expat XML Parser vulnerabilities in Prospect ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988817
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by security vulnerabilities in libxml2 ***
http://www.ibm.com/support/docview.wss?uid=swg21990838
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by security vulnerabilities in libxml2 ***
http://www.ibm.com/support/docview.wss?uid=swg21990837
---------------------------------------------
*** IBM Security Bulletin: Multiple libarchive vulnerabilities affect Watson Explorer ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988311
---------------------------------------------
*** IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Web appliances (CVE-2016-3028) ***
http://www.ibm.com/support/docview.wss?uid=swg21990317
---------------------------------------------
*** IBM Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Web has been identified (CVE-2016-3025) ***
http://www.ibm.com/support/docview.wss?uid=swg21990318
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect SAN Volume Controller and Storwize Family ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009282
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988198
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Struts v2 affect IBM Opportunity Detect ***
http://www.ibm.com/support/docview.wss?uid=swg21987854
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect SAN Volume Controller and Storwize Family (CVE-2016-2107 CVE-2016-2108) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009281
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 22-09-2016 18:00 − Friday 23-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The era of big DDOS?, (Thu, Sep 22nd) ***
---------------------------------------------
I have been tracking DDOSs for a number of years, and quite frankly, it has become boring. Don't get me wrong, I am not complaining, just stating a fact. A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and probably the most significant being that the novelty has worn off. Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic which is not even a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21511&rss
*** LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD ***
---------------------------------------------
LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. Full details are in the LGPO.pdf in the download. For more...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-r…
*** Fake parcel tracking notices from the Post ***
---------------------------------------------
Internet users are receiving a supposed parcel tracking notice from the Österreichische Post. It states that the company has received a parcel back. To receive it, recipients are supposed to open a link and run a file. The file contains malware. Whoever opens it suffers data loss.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-sendun…
*** After DDoS attacks: Akamai takes security researcher Krebs offline ***
---------------------------------------------
After exposing an Israeli DDoS provider, security expert Krebs has himself become the victim of an unusual attack. His website has been taken offline.
---------------------------------------------
http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforsche…
*** A week to go for the European Cyber Security Month launch! ***
---------------------------------------------
ENISA, together with the European Commission, the European Banking Federation (EBF), Europol's European Cybercrime Centre (EC3), and its partners, is getting ready for the launch event of the European Cyber Security Month (ECSM), the EU advocacy campaign on cybersecurity which runs throughout October.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/a-week-to-go-for-the-european-c…
*** Security Update for Microsoft Office (3185852) ***
---------------------------------------------
V2.0 (September 22, 2016): Bulletin revised to announce the availability of the 14.6.8 update for Microsoft Office for Mac 2011 (3186805) and the 15.25 update for Microsoft Office 2016 for Mac (3186807). Customers running affected Mac software should install the appropriate update for their product to be protected from the vulnerabilities discussed in this bulletin.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-107
*** Cisco Email Security Appliance Internal Testing Interface Vulnerability ***
---------------------------------------------
A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device. The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases. An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IDM 4.5 Notes Driver Version 4.0.1.0 ***
---------------------------------------------
Abstract: This patch is for the Identity Manager Notes Driver. It can be installed on IDM 4.5. This patch will take the version of the Notes Driver to version 4.0.1.0.
Document ID: 5255110
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: IDM45_Notes_4010.zip (1.12 MB)
Products: Identity Manager 4.5
Superseded Patches: IDM 4.5 Notes Driver Version 4.0.0.4
---------------------------------------------
https://download.novell.com/Download?buildid=aLUafJcAJps~
*** DSA-3674 firefox-esr - security update ***
---------------------------------------------
Multiple security issues have been found in the Mozilla Firefox web browser: multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or information disclosure.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3674
*** Microsoft Internet Explorer 11 CORS Disrespect ***
---------------------------------------------
Topic: Microsoft Internet Explorer 11 CORS Disrespect
Risk: Low
Text: IE11 is not following the CORS specification for local files like Chrome and Firefox. I've contacted Microsoft and they say this i...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090165
*** DFN-CERT-2016-1560: LibreSSL: A vulnerability allows security measures to be bypassed ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1560/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990060
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability has been identified in IBM WebSphere Portal (CVE-2016-5954) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989993
---------------------------------------------
*** IBM Security Bulletin: IBM DB2 LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989842
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4483) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990364
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Algo Credit Manager (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988586
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Administrator (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988585
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182) ***
http://www.ibm.com/support/docview.wss?uid=swg21987189
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4447 CVE-2016-4448 CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986710
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Network Security (NSS) affects IBM SAN Volume Controller and Storwize Family (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009280
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-0377) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990525
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Tivoli LWI impacts pConsole and WebSM for AIX (CVE-2016-6038) ***
http://aix.software.ibm.com/aix/efixes/security/pconsole_mitigation.…
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-2985 and CVE-2016-2984) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024336
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990527
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libpng affect NVIDIA Linux device drivers for System x, Flex and BladeCenter Systems (CVE-2015-8472, CVE-2015-7981, CVE-2015-8126) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099471
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-09-2016 18:00 − Thursday 22-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake cease-and-desist letter from lawyer Jörg Schmidt in circulation ***
---------------------------------------------
Households are receiving a cease-and-desist letter from the law firm of Jörg Schmidt. It claims that the copyright of abbywinters.com BV has been infringed because the recipients used the adult film "Girl & Girl Pee Marigold & Christiana". For this reason they are asked to pay 950.00 euros. This is an attempted fraud.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/fake-abmahnung-von-ra-joerg-sch…
*** More than 840,000 Cisco devices are vulnerable to NSA-related exploit ***
---------------------------------------------
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that's similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency. The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device's memory, which can lead to the exposure of sensitive information.
---------------------------------------------
http://www.cio.com/article/3122868/more-than-840000-cisco-devices-are-vulne…
*** Bug that hit Firefox and Tor browsers was hard to spot - now we know why ***
---------------------------------------------
The curious case of Firefox's (now fixed) certificate pinning failure.
---------------------------------------------
http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browse…
*** Hacked Website Report - 2016/Q2 ***
---------------------------------------------
Today we're releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT). CMS Analysis Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html
*** KrebsOnSecurity Hit With Record DDoS ***
---------------------------------------------
On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they've seen previously, and was among the biggest assaults the Internet has ever witnessed.
---------------------------------------------
http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
*** Controlling Kerio Control - When your firewall turns against you. ***
---------------------------------------------
Introduction: This blog post describes two different attacks which can be used to compromise companies which use Kerio Control in their network. Kerio Control is a hardware appliance which can be used as network firewall, router and VPN gateway. Both attacks spawn a reverse shell on Kerio Control. Since both attack payloads are delivered via CSRF (cross-site request forgery) or XSS (cross-site scripting), no ports need to be open from the Internet.
---------------------------------------------
http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html
*** Future attack scenarios against ATM authentication systems ***
---------------------------------------------
The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
---------------------------------------------
http://securelist.com/analysis/publications/76099/future-attack-scenarios-a…
*** Cisco plugs two Cloud Services Platform system compromise flaws ***
---------------------------------------------
Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. Both vulnerabilities affect version 2.0 of the platform and there are no workarounds to address them, so administrators are advised to update to release 2.1.0 and later to plug the holes. What's the problem? Cisco Cloud Services Platform 2100 is a popular Linux Kernel-based Virtual Machine software...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/22/cisco-plugs-cloud-services-platf…
*** Fixing the mixed content problem with Automatic HTTPS Rewrites ***
---------------------------------------------
CloudFlare aims to put an end to the unencrypted Internet. But the web has a chicken and egg problem moving to HTTPS. Long ago it was difficult, expensive, and slow to set up an HTTPS capable web site. Then along came services like CloudFlare's Universal SSL that made switching...
---------------------------------------------
https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic…
*** OpenSSL Update Released, (Thu, Sep 22nd) ***
---------------------------------------------
As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0). The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21509&rss
*** OpenSSL Security Advisory [22 Sep 2016] ***
---------------------------------------------
OCSP Status Request extension unbounded memory growth (CVE-2016-6304) SSL_peek() hang on empty record (CVE-2016-6305) SWEET32 Mitigation (CVE-2016-2183) OOB write in MDC2_Update() (CVE-2016-6303) Malformed SHA512 ticket DoS (CVE-2016-6302) OOB write in BN_bn2dec() (CVE-2016-2182) OOB read in TS_OBJ_print_bio() (CVE-2016-2180) Pointer arithmetic undefined behaviour (CVE-2016-2177) Constant time flag not preserved in DSA signing (CVE-2016-2178) DTLS buffered message DoS (CVE-2016-2179) DTLS...
---------------------------------------------
https://www.openssl.org/news/secadv/20160922.txt
*** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004 ***
---------------------------------------------
Description: Users who have rights to edit a node can set the visibility on comments for that node. Advisory ID: DRUPAL-SA-CORE-2016-004. Project: Drupal core. Version: 8.x. Date: 2016-September-21. Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default. Vulnerability: Description: Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical) Users who have rights to edit a node, can set the visibility on comments for that
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-004
*** ZDI-16-526: (0Day) Google Chrome Protocol Handler Logic Error Restrictions Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass restrictions on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-526/
*** ZDI-16-525: (0Day) Fatek Automation PM Designer Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fatek Automation PM Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-525/
*** [2016-09-22] Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management ***
---------------------------------------------
Kerio Control contains multiple vulnerabilities which can be used by an attacker to obtain a reverse root shell to the internal firewall system of a network. An attacker can use this reverse root shell to further compromise the victim's local network, sniff VPN traffic (including VPN credentials) or just backdoor the firewall/VPN gateway.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** HPSBGN03649 rev.1 - HPE Network Automation using Java Deserialization, Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons-Collections and Commons-BeanUtils library used for handling Java object deserialization was addressed by HPE Network Automation. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05279098
*** SSA-342135 (Last Update 2016-09-22): Web Vulnerability in SCALANCE M-800 / S615 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-342135…
*** SSA-301706 (Last Update 2016-09-22): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Binary Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE iox Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center and FireSIGHT System Software SSL Inspection Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Data in Motion Component Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Home Web-Based User Interface XML External Entity Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Application-Hosting Framework HTTP Header Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Application-Hosting Framework Unauthorized File Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-09-2016 18:00 − Wednesday 21-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Spear Phishing: German politicians targeted with malware e-mails ***
---------------------------------------------
Politicians from all parties were the target of spear-phishing attacks in August. Purported NATO information on the coup in Turkey and on the earthquake in Italy was meant to lure recipients into clicking on malware.
---------------------------------------------
http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mail…
*** Windows Events log for IR/Forensics ,Part 2, (Tue, Sep 20th) ***
---------------------------------------------
In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events. Get-WinEvent: The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21501&rss
*** ISAKMP Scanning and Potential Vulnerabilities ***
---------------------------------------------
Introduction As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or...
---------------------------------------------
http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulne…
*** Mamba Ransomware Encrypts Hard Drives Rather Than Files ***
---------------------------------------------
A new ransomware strain called Mamba opts to encrypt hard drives rather than individual files and folders stored on the local disk.
---------------------------------------------
http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-fil…
*** Should you trust your security software? ***
---------------------------------------------
The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/21/security-software/
*** macOS Sierra fixes almost 70 security vulnerabilities ***
---------------------------------------------
With the new version 10.12, Apple has fixed 68 vulnerabilities in macOS (formerly OS X), including critical ones. No security update is currently available for older OS X versions.
---------------------------------------------
http://heise.de/-3328701
*** Considerations on the Traffic Light Protocol ***
---------------------------------------------
The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.
---------------------------------------------
https://www.enisa.europa.eu/topics/national-csirt-network/glossary/consider…
*** Did You Really Lock that Door? ***
---------------------------------------------
One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just...
---------------------------------------------
https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-L…
*** InfoArmor Uncovers Malicious Torrent Distribution Network ***
---------------------------------------------
InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.
---------------------------------------------
https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution…
*** Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web ***
---------------------------------------------
Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits...
---------------------------------------------
https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the…
*** Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539432
*** DSA-3671 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors for H.225, Catapult DCT2000, UMTS FP and IPMI, which could result in denial of service or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3671
*** Filr 2.0 - Hot Patch 3 ***
---------------------------------------------
Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client. Document ID: 5255170. Security Alert: Yes. Distribution Type: Public. Entitlement Required: No. Files: preinstall-Search-20HP3.zip (24.95 MB), preinstall-MySQL-20HP3.zip (24.18 MB), preinstall-Filr-20HP3.zip (34.59 MB), Filr-2.0.0.474.HP.zip (155.89 MB), Search-2.0.0.417.HP.zip (10.67 MB), MySQL-2.0.0.197.HP.zip (1.44 kB). Products: Filr...
---------------------------------------------
https://download.novell.com/Download?buildid=LMP8JAI5Lrc~
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Apple Security Updates ***
---------------------------------------------
*** Safari 10 ***
https://support.apple.com/kb/HT207157
---------------------------------------------
*** macOS Sierra 10.12 ***
https://support.apple.com/kb/HT207170
---------------------------------------------
*** tvOS 10 ***
https://support.apple.com/kb/HT207142
---------------------------------------------
*** iTunes 12.5.1 for Windows ***
https://support.apple.com/kb/HT207158
---------------------------------------------
*** macOS Server 5.2 ***
https://support.apple.com/kb/HT207171
---------------------------------------------
*** iCloud for Windows 6.0 ***
https://support.apple.com/kb/HT207147
---------------------------------------------
*** Vuln: OpenStack Nova Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93068
*** ShoreTel Connect ONSITE Blind SQL Injection Vulnerability ***
---------------------------------------------
Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability Risk: Medium Text:ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090154
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990374
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990046
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990236
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984565
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988742
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 19-09-2016 18:00 − Tuesday 20-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** European Cyber Security Month - NIS Quiz ***
---------------------------------------------
This tool is designed to help you update your internet security knowledge; begin whenever you feel ready. It will take at most 10 minutes and we hope you'll enjoy the quiz and learn something useful!
---------------------------------------------
https://cybersecuritymonth.eu/references/quiz-demonstration/intro
*** The banker that can steal anything ***
---------------------------------------------
The use of root privileges is not typical for banking malware attacks, because money can be stolen in numerous other ways that don't require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy.
---------------------------------------------
http://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/
*** Ransomware trojan HDDCryptor reportedly locks victims out of their computers ***
---------------------------------------------
HDDCryptor not only encrypts data but apparently also overwrites the MBR of Windows computers and only releases infected machines after a ransom payment, security researchers warn.
---------------------------------------------
http://heise.de/-3327880
*** Encryption Week ***
---------------------------------------------
Since CloudFlare's inception, we have worked tirelessly to make encryption as simple and as accessible as possible. Over the last two years, we've made CloudFlare the easiest way to enable encryption for web properties and internet services. From the launch of Universal SSL, which gives HTTPS to millions
---------------------------------------------
https://blog.cloudflare.com/encryption-week/
*** Mozilla and Tor close certificate-pinning vulnerability ***
---------------------------------------------
Due to an error in building new versions of Firefox and the Tor Browser, these were vulnerable to man-in-the-middle attacks through which malicious code could be injected.
---------------------------------------------
http://heise.de/-3328039
*** Hacking WordPress Sites on Shared Servers ***
---------------------------------------------
A website is only as safe as the weakest link on its shared server. Once a hacker gains access to one site on the server, they can easily infect other sites that share the same server permissions. This is called cross-site contamination. When it comes to WordPress websites, the core structure is well known by...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html
*** Steganography... what is that? ***
---------------------------------------------
When people think about Information Security the first word that generally comes to mind is "Hacking", but there are many disciplines in security and one of them is called "Steganography", an offshoot of encryption and "data hiding". The word "steganography" can...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganography----what-i…
*** Vulnerability Patched in WordPress Theme That Allows Unrestricted Uploads ***
---------------------------------------------
A vulnerability has been patched in a popular WordPress theme called Neosense that allows an attacker to upload code without authentication.
---------------------------------------------
http://threatpost.com/vulnerability-patched-in-wordpress-theme-that-allows-…
*** High-Tech Bridge releases a new version of its free SSL testing service ***
---------------------------------------------
The new version of the service enables companies to easily test any SSL/TLS-based services for compliance with PCI DSS, HIPAA and NIST, while the new API provides much more flexibility for software developers.
---------------------------------------------
https://www.htbridge.com/news/ssl-testing-service-api-hipaa-compliance.html
*** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539424
*** Bugtraq: ESA-2016-065: EMC Avamar Data Store and Avamar Virtual Edition Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539423
*** VMSA-2016-0014 ***
---------------------------------------------
VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0014.html
*** VMSA-2016-0010.1 ***
---------------------------------------------
VMware product updates address multiple important security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** ZDI-16-517: AlienVault Unified Security Management Remote Authentication Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication requirements on vulnerable installations of AlienVault Unified Security Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-517/
*** ZDI-16-518: Rockwell Automation RSLogix Micro Starter Lite Project File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rockwell Automation RSLogix Micro Starter Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-518/
*** Vuln: QEMU hw/usb/hcd-xhci.c Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93029
*** Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Security Update ***
---------------------------------------------
Symantec has released an update to address two issues in the RAR file parser component of the antivirus decomposer engine used by multiple Symantec products. Parsing of maliciously formatted RAR container files may cause an application-level denial of service condition.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2016-5955) ***
http://www.ibm.com/support/docview.wss?uid=swg21990054
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libtiff affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024132
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024088
---------------------------------------------
*** IBM Security Bulletin: Rational Asset Analyzer (CVE-2016-5967) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990215
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in node.js processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990050
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182) ***
http://www.ibm.com/support/docview.wss?uid=swg21989496
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update for Multiple Vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989067
---------------------------------------------
*** IBM Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21981529
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 16-09-2016 18:00 − Monday 19-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Week in Ransomware - September 16 2016 - Stampado, Locky, Atom, and More ***
---------------------------------------------
Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-septem…
*** Windows Events log for IR/Forensics ,Part 1, (Sun, Sep 18th) ***
---------------------------------------------
In the time of incidents, Windows Event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them. Here are some of the most useful events for forensics/incident response:
Event ID  Description       Log Name
4624      Successful Logon  Security
4625      Failed Login...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21493&rss
*** Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle ***
---------------------------------------------
Researcher revealed Tor flaw after initially being ignored. Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks; the flaw also affects the Tor anonymity network.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/18/mozilla_tor…
*** Untangling the Ripper ATM Malware ***
---------------------------------------------
Last August, security researchers released a blog discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure. During our analysis we noticed some additional details that were not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ddt8SN3uzhs/
*** Periscope ATM Skimmers ***
---------------------------------------------
"Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning they're impossible to notice. They've been found in the US.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/09/periscope_atm_s.html
*** 324,000 payment cards breached, CVVs included, source still unknown! ***
---------------------------------------------
When you decide to add debugging logs to your payment application, the PCI DSS rules about what you are allowed to store DO NOT CHANGE!
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/NpR-rDlVOj0/
*** Does it Matter If You Cover Your Webcam?, (Mon, Sep 19th) ***
---------------------------------------------
During security conferences, laptops with tape covering the webcam have certainly been a common sight. But recently, covering webcams has become somewhat of a mainstream phenomenon, after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests that people cover their cameras [2]. Laptops are often used in private spaces, and an attacker with access to the camera is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21497&rss
*** Reverse Engineering Cisco ASA for EXTRABACON Offsets ***
---------------------------------------------
[...] One of the zero-day vulnerabilities released was a remote code execution in the Cisco Adaptive Security Appliance (ASA) device. The Equation Group's exploit for this was named EXTRABACON. [...] At RiskSense we had spare ASAs lying around in our red team lab, and my colleague Zachary Harding was extremely interested in exploiting this vulnerability. I told him that if he got the ASAs properly configured for remote debugging I would help in the exploitation process.
---------------------------------------------
https://zerosum0x0.blogspot.cz/2016/09/reverse-engineering-cisco-asa-for.ht…
*** BENIGNCERTAIN-like flaw affects various Cisco networking devices ***
---------------------------------------------
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products - and they found one. CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/19/beningcertain-cisco-networking-d…
*** IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products ***
---------------------------------------------
A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iPrint Appliance 2.1 Hot Patch 2 ***
---------------------------------------------
Abstract: iPrint Appliance 2.1 Hot Patch 2 is the first patch set for the iPrint Appliance version 2.1.
Document ID: 5254950
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-2.1.0.68.HP.zip (755.2 MB)
Products: iPrint Appliance 2.1
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=AJTQmn_Q1yk~
*** iPrint Appliance 2.0 Hot Patch 2 ***
---------------------------------------------
Abstract: Hot Patch 2 includes bug fixes, security fixes and a consolidation of previously released patches, including iPrint Appliance 2.0 Patch 2.
Document ID: 5254970
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-2.0.0.533.HP.zip (881.14 MB)
Products: iPrint Appliance 2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=C1Xh-X9MGcc~
*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u. These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classified as severity "high", one as "moderate", and the rest "low".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.ht…
*** IBM Security Bulletin: Spice-server vulnerabilities affect IBM SmartCloud Entry (CVE-2016-0749 CVE-2016-2150 ) ***
---------------------------------------------
SmartCloud Entry is vulnerable to Spice-server vulnerabilities. Attackers could exploit them to cause improper bounds checking by smartcard interaction or bypass security restrictions.
CVE(s): CVE-2016-0749, CVE-2016-2150
Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024006
X-Force...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024006
*** IBM Security Bulletin: Vulnerability in openssl affects IBM System Networking Switch products (CVE-2016-2108) ***
---------------------------------------------
IBM System Networking Switch products have addressed the following vulnerability in openssl.
CVE(s): CVE-2016-2108
Affected product(s) and affected version(s):
Product                                                      Affected Version
IBM Flex System Fabric EN4093R 10Gb Scalable Switch          7.8.14.0
IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch 7.8.14.0
IBM Flex System Fabric SI4093 System Interconnect Module     7.8.14.0
IBM Flex System EN2092 1Gb...
---------------------------------------------
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099464
*** BINOM3 Electric Power Quality Meter Vulnerabilities ***
---------------------------------------------
Topic: BINOM3 Electric Power Quality Meter Vulnerabilities
Risk: Medium
Text: *Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities* *About* The meters are designed...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090122
*** MyBB 1.8.6 Improper validation of data passed to eval ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090124
*** MyBB 1.8.6 CSRF Weak Hashing, Plaintext Passwords ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090126
*** MyBB 1.8.6 SQL Injection ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090125
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 15-09-2016 18:00 − Friday 16-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3668 mailman - security update ***
---------------------------------------------
It was discovered that there was a CSRF vulnerability in mailman, a web-based mailing list manager, which could allow an attacker to obtain a user's password.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3668
*** Yokogawa STARDOM Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in the Yokogawa STARDOM controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-01
*** ABB DataManagerPro Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in ABB’s DataManagerPro application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-02
*** Trane Tracer SC Sensitive Information Exposure Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an information exposure vulnerability in Trane U.S. Inc.’s Tracer SC field panel.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03
*** Attack Leverages Windows Safe Mode ***
---------------------------------------------
Researchers say a proof-of-concept attack using Windows Safe Mode can lead to credential theft and allow hackers to move laterally within a corporate network.
---------------------------------------------
http://threatpost.com/attack-leverages-windows-safe-mode/120622/
*** Ransomware Getting More Targeted, Expensive ***
---------------------------------------------
I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensi…
*** DSA-3670 tomcat8 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3670
*** DSA-3669 tomcat7 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3669
*** Necurs – the Heavyweight Malware Spammer ***
---------------------------------------------
Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Necurs-%e2%80%93-the-Heavywe…
*** Trend Micro Internet Security vulnerability where files may be excluded as scan targets ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains a vulnerability where arbitrary files or folders may be excluded as scan targets.
---------------------------------------------
http://jvn.jp/en/jp/JVN98126322/
*** Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting ***
---------------------------------------------
Splunk Enterprise and Splunk Lite contain a cross-site scripting vulnerability. Note that this vulnerability is different from JVN#74244518.
---------------------------------------------
http://jvn.jp/en/jp/JVN71462075/
*** Detecting dangerous content more effectively: Google expands its website scan ***
---------------------------------------------
Webmasters can now have their sites scanned even more thoroughly for, among other things, malware references and dangerous downloads.
---------------------------------------------
http://heise.de/-3325042
*** First security vulnerabilities discovered in the crypto messenger Signal ***
---------------------------------------------
A programming error in Signal allows attachments to be manipulated. Via a second bug, attackers could have injected malicious code remotely, had a third bug not prevented this attack.
---------------------------------------------
http://heise.de/-3325242
*** Ransomware: Stampado encrypts files already encrypted by other ransomware ***
---------------------------------------------
A new ransomware trojan uses a particularly nasty tactic: it encrypts files that have already been encrypted by other ransomware. Fortunately, there is a remedy.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-stampado-verschluesselt-von-ra…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 14-09-2016 18:00 − Thursday 15-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco Local Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WebEx Meetings Server Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system. The vulnerability is due ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) of the Cisco Unified Computing System (UCS) Manager and UCS 6200 Series Fabric Interconnects could allow an authenticated, local attacker to access the underlying operating system ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Fog Director for IOx Arbitrary File Write Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Fog Director for IOx could allow an authenticated, remote attacker to write a file to arbitrary locations. The vulnerability is due to insufficient input validation. An attacker could exploit this ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iOS 10 closes security holes in keyboard and sandbox ***
---------------------------------------------
The update to iOS 10.0.1 fixes seven weaknesses, including a possible disclosure of 'sensitive information' through the keyboard's autocorrect. watchOS 3 plugs one hole.
---------------------------------------------
http://heise.de/-3323066
*** DSA-3666 mysql-5.5 - security update ***
---------------------------------------------
Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3666
*** Science press site hacked; hackers release .. random crap ***
---------------------------------------------
http://arstechnica.com/science/2016/09/science-press-site-hacked-hackers-re…
*** Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation ***
---------------------------------------------
All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cryptocurrencies-a-target-for-cybercri…
*** Russian Hackers Get Bolder in Anti-Doping Agency Attack ***
---------------------------------------------
The attack on the World Anti-Doping Agency, following the DNC hack, signals Russian hackers emerging from the shadows to brazenly flaunt their work.
---------------------------------------------
https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hacke…
*** Virtual ship theft in Star Citizen ***
---------------------------------------------
In the still unfinished space epic Star Citizen, players can buy virtual spaceships for hundreds of euros. Now attacks on players' accounts, aimed at stealing these ships, appear to be on the rise.
---------------------------------------------
http://heise.de/-3323060
*** DSA-3667 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3667
*** Locky ransomware now on autopilot ***
---------------------------------------------
According to security researchers, Locky can now also do its damage offline, without any contact with the criminals' command-and-control server.
---------------------------------------------
http://heise.de/-3324553
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 13-09-2016 18:00 − Wednesday 14-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MS16-SEP - Microsoft Security Bulletin Summary for September 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for September 2016.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-SEP
*** Announcing the Project Zero Prize ***
---------------------------------------------
Posted by Natalie Silvanovich, Exploit Enthusiast. Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we've decided to start our own contest: The Project Zero Prize. The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/announcing-project-zero-prize…
*** MSRT September 2016 release feature: Prifou ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for: BrowserModifier:Win32/Prifou, TrojanClicker:Win32/NightClick, Trojan:Win32/Suweezy, Trojan:Win32/Xadupi. This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-rel…
*** Fear of spam: Swisscom deactivates several thousand mail accounts ***
---------------------------------------------
Because customers had chosen overly simple e-mail passwords, Swisscom locked thousands of accounts. The company apparently fears that it would otherwise end up on the spam blacklists of Google or other providers. The customers now have to take action.
---------------------------------------------
http://www.golem.de/news/angst-vor-spam-swisscom-deaktiviert-mehrere-tausen…
*** Last classic Microsoft Patch Tuesday brings seven critical updates ***
---------------------------------------------
Today, Windows admins can choose for the last time which Windows updates they want to install on the monthly Patch Tuesday. From next month on there will only be monolithic rollup packages.
---------------------------------------------
http://heise.de/-3321310
*** Adobe Patch Tuesday: patch Flash now! ***
---------------------------------------------
Critical vulnerabilities in Flash Player allow computers to be hijacked. Adobe has released updates to close them. The eBook software Digital Editions and the AIR development tools also receive patches.
---------------------------------------------
http://heise.de/-3321895
*** Rio 2016: Fancybear publishes medical data of US athletes ***
---------------------------------------------
Confidential medical data of US athletes is online. Allegedly Russian hackers have published several data sets that are supposed to prove irregularities in doping controls. WADA is appalled and speaks of legal exemptions.
---------------------------------------------
http://www.golem.de/news/rio-2016-fancybear-veroeffentlicht-medizinische-da…
*** Exploit Attempts for Drupal RESTWS .x Module Vulnerability, (Wed, Sep 14th) ***
---------------------------------------------
Attackers usually don't have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerability released in July of this year [1] [2]. The vulnerability itself is very straightforward. The attacker can send arbitrary PHP code that will be executed on the server. No special encoding beyond URL encoding appears to be required. Here is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21481&rss
*** ATMs: mastermind of skimming gang must serve five years in prison ***
---------------------------------------------
A skimming gang in Saxony captured almost 270,000 euros with forged bank cards. The crime took place back in 2011; now a mastermind of the group has been sentenced to a prison term.
---------------------------------------------
http://www.golem.de/news/geldautomaten-hintermann-von-skimmingbande-muss-fu…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 12-09-2016 18:00 − Tuesday 13-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FortiClient Unencrypted Password Vulnerability ***
---------------------------------------------
One of the processes in FortiClient stores VPN credentials unencrypted in memory. An attacker who has compromised the workstation could dump the credentials.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-021
*** FortiClient DLL Hijacking vulnerability ***
---------------------------------------------
When executed, the FortiClient installer (FortiClientOnlineInstaller.exe), if downloaded before August 11th, 2016 (build 0842), would attempt to load DLLs from the directory where it resides.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-046
*** Turkish hackers apparently attacked the Austrian National Bank ***
---------------------------------------------
According to Kurier, it is the same group that already attacked Vienna-Schwechat airport.
---------------------------------------------
http://derstandard.at/2000044275176
*** Fake A1 online invoice in the mailbox ***
---------------------------------------------
With supposed paperless A1 invoices, criminals want recipients to visit a website and open the file „A1_rechnung.zip“ there. It hides malware. Anyone who runs it installs programs that render the computer unusable or steal banking data. The safest course is to delete the messages.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl…
*** Cache Flooding in TYPO3 Frontend ***
---------------------------------------------
It has been discovered that TYPO3 is vulnerable to cache flooding.
---------------------------------------------
https://typo3.org/news/article/cache-flooding-in-typo3-frontend/
*** DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices ***
---------------------------------------------
Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-troj…
*** Security updates for the Xen hypervisor ***
---------------------------------------------
A total of four security vulnerabilities require updates. Updated packages are available for Debian, Oracle VM and Fedora.
---------------------------------------------
http://heise.de/-3319523
*** "Pokémon Go": fake app spies on millions of smartphones ***
---------------------------------------------
Spies on users' internet data and installs adware on the smartphone
---------------------------------------------
http://derstandard.at/2000044305667
*** Antivirus developer: John McAfee allegedly committed murders and rape ***
---------------------------------------------
A documentary film raises serious accusations against John McAfee. During his time in Belize he allegedly killed two men and raped a woman. McAfee denies all allegations and accuses the film crew of bribing sources.
---------------------------------------------
http://www.golem.de/news/antiviren-entwickler-john-mcafee-soll-morde-und-ve…
*** Neutrino EK’s Afraidgate pushed in malvertising attack ***
---------------------------------------------
With a rise in malvertising attacks lately, we take a look at an ad server pushing the Afraidgate, traditionally found on compromised sites.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/09/neutrino-eks-afra…
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Digital Editions (APSB16-28), Adobe Flash Player (APSB16-29) and Adobe AIR SDK & Compiler (APSB16-31). Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1399
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 09-09-2016 18:00 − Monday 12-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3664 pdns - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3664
*** WordPress 4.6.1 plugs two holes ***
---------------------------------------------
The makers of the WordPress CMS recommend installing the update to WordPress 4.6.1 as soon as possible, as it closes two dangerous security holes. Installations with auto-update have received the new version automatically over the past few days.
---------------------------------------------
http://heise.de/-3317796
*** OSX.Mokes: Powerful Mac malware discovered ***
---------------------------------------------
Enables attackers to conduct extensive surveillance; also scans the system for data
---------------------------------------------
http://derstandard.at/2000044172706
*** Android: Google's September security patch plugs another Stagefright hole ***
---------------------------------------------
In its September Security Bulletin, Google fixes several bugs in Android, including an extension of the Stagefright bug found by its own Project Zero team. The patch has been delivered to manufacturers, some of which have already released updates.
---------------------------------------------
http://heise.de/-3317825
*** Security researchers find IoT botnet ***
---------------------------------------------
A Linux malware is currently attacking IoT devices such as IP cameras with outdated firmware. What sets this pest apart: after infection it covers its tracks and stays resident only in the devices' memory, which makes analysis harder.
---------------------------------------------
http://heise.de/-3317830
*** WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8619
*** l+f: Anti-ROP Mainframe-Style ***
---------------------------------------------
After Intel, Microsoft, OpenBSD and various others, IBM now presents its own anti-ROP technique.
---------------------------------------------
http://heise.de/-3317746
*** USB Killer: $50 stick destroys computers when plugged in ***
---------------------------------------------
Version 2.0 of the stick released; a high-voltage pulse causes irreparable damage
---------------------------------------------
http://derstandard.at/2000044216572
*** Gugi: from an SMS Trojan to a Mobile-Banking Trojan ***
---------------------------------------------
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
---------------------------------------------
http://securelist.com/blog/mobile/76023/gugi-from-an-sms-trojan-to-a-mobile…
*** Vdos: Operators of the largest DDoS-for-hire service arrested in Israel ***
---------------------------------------------
The hack of a DDoS-for-hire provider shows that renting out attack capacity is a lucrative business. Ironically, the providers try to hide behind Cloudflare's DDoS protection. The operators have since been arrested in Israel.
---------------------------------------------
http://www.golem.de/news/vdos-betreiber-des-groessten-ddos-anbieters-in-isr…
*** Remote Root Code Execution / Privilege Escalation (0day) ***
---------------------------------------------
Independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability, CVE-2016-6662, which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf), leading to critical consequences.
---------------------------------------------
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution…
*** DSA-3665 openjpeg2 - security update ***
---------------------------------------------
Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression/decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3665
*** Linux Malware: Novelties in the Threat Landscape ***
---------------------------------------------
In the last couple of years, security firms have observed an increasing number of malware specifically designed to target Linux-based systems. Linux, like ..
---------------------------------------------
http://resources.infosecinstitute.com/linux-malware-novelties-threat-landsc…
*** Payment Card Industry Council: Credit card terminals soon to get firmware updates ***
---------------------------------------------
Skimming, credit card fraud and tampered payment terminals: the security standard for debit and credit card terminals is being revised. In future the devices are to receive signed updates and become resistant to laser attacks.
---------------------------------------------
http://www.golem.de/news/payment-card-industry-council-kreditkartenterminal…
*** LuaBot: Malware targeting cable modems ***
---------------------------------------------
CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any POCs during that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone has been actively exploiting those devices since May 2016.
---------------------------------------------
https://w00tsec.blogspot.co.at/2016/09/luabot-malware-targeting-cable-modem…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 08-09-2016 18:00 − Friday 09-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3662 inspircd - security update ***
---------------------------------------------
It was discovered that incorrect SASL authentication in the Inspircd IRC server may lead to users impersonating other users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3662
*** ZDI-16-505: AlienVault Unified Security Management get_directive_kdb directive_id SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-505/
*** ZDI-16-504: AlienVault Unified Security Management Multiple PHP Scripts Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-504/
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler ..
---------------------------------------------
http://support.citrix.com/article/CTX216642
*** iPrint Appliance 2.0 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=S7GK9olwBDk~
*** iPrint Appliance 2.1 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=lVbNSynhgHU~
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
It's a fact: when a device can be physically accessed, you may consider it compromised. And if the device is properly hardened, it's just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome to warn about websites that do not encrypt ***
---------------------------------------------
Initially the browser only flags pages that contain passwords or credit card information. The warning is then to be extended step by step.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758
*** HTTPS: Google Chrome wants to warn about unencrypted websites ***
---------------------------------------------
How to deal with unencrypted websites? Google wants Chrome to warn in future when unencrypted websites ask for passwords and credit card data. But that is only the beginning of the plans.
---------------------------------------------
http://www.golem.de/news/https-google-chrome-will-vor-unverschluesselten-we…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 07-09-2016 18:00 − Thursday 08-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco Firepower Management Center and FireSIGHT System Software Session Fixation Vulnerability ***
---------------------------------------------
A vulnerability in session identification management functionality of the web-based management interface for Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to hijack a valid user session ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
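The Cisco advisory above describes a session fixation weakness: an unauthenticated attacker who can get a victim to use a session identifier of the attacker's choosing ends up holding that session once the victim logs in. The following is an added example, not Cisco code and not taken from the advisory: a minimal session store with a login routine that keeps the pre-authentication identifier (the vulnerable pattern) next to one that issues a fresh identifier at the privilege change. The names `SessionStore`, `USERS` and the `login_*` functions are chosen for this demo; passwords are kept in plaintext only to keep the demo short.

```python
# Added example (not Cisco's code): why keeping the pre-login session id lets
# an attacker who planted that id take over the session, and the fix of
# issuing a fresh id when the session's privilege level changes.
import hmac
import secrets

# Constructed credential table; plaintext is a simplification for the demo.
USERS = {"alice": "correct horse battery staple"}


def _credentials_ok(username: str, password: str) -> bool:
    expected = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(
        expected.encode(), password.encode()
    )


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def new_session(self) -> str:
        """Mint an unpredictable id for an anonymous session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_fixation_vulnerable(self, sid: str, username: str, password: str) -> str:
        """Authenticate and upgrade whatever session id the client presented."""
        if not _credentials_ok(username, password):
            raise PermissionError("bad credentials")
        # Two mistakes: ids the server never issued are accepted, and the id
        # survives the privilege change. An attacker who planted `sid` on the
        # victim (cookie injection, a link carrying the id, ...) now holds an
        # authenticated session without ever seeing the password.
        self._sessions.setdefault(sid, {"user": None})["user"] = username
        return sid

    def login_hardened(self, sid: str, username: str, password: str) -> str:
        """Authenticate, then replace the session id before trusting it."""
        if not _credentials_ok(username, password):
            raise PermissionError("bad credentials")
        # Drop the pre-auth session (issued or not) and mint a new id that is
        # only ever sent to the client that just proved its identity.
        self._sessions.pop(sid, None)
        fresh = self.new_session()
        self._sessions[fresh]["user"] = username
        return fresh


def attacker_wins(login_name: str, planted: str = "") -> bool:
    """Simulate the attack: the attacker plants `planted` (or a genuinely
    issued id when empty) on the victim, the victim logs in, the attacker
    then presents the planted id. True if the attacker is now 'alice'."""
    store = SessionStore()
    planted = planted or store.new_session()
    login = getattr(store, login_name)
    login(planted, "alice", "correct horse battery staple")
    return store.user_for(planted) == "alice"


def victim_keeps_access(login_name: str) -> bool:
    """The id returned to the victim must work in both variants."""
    store = SessionStore()
    login = getattr(store, login_name)
    sid = login(store.new_session(), "alice", "correct horse battery staple")
    return store.user_for(sid) == "alice"


if __name__ == "__main__":
    for name in ("login_fixation_vulnerable", "login_hardened"):
        print(name, "attacker wins:", attacker_wins(name),
              "/ with made-up id:", attacker_wins(name, "attacker-chosen-id"))
```

The check that matters in a review is the one in `login_hardened`: the identifier the client presented before authentication is never reused, regardless of whether the server issued it. Rotating the id at login is also what closes the variant where the server happily creates a session for any identifier it is handed.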
*** Cisco Firepower Management Center and FireSIGHT System Software Malware Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the malicious file detection and blocking features of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Management Center and FireSIGHT System Software Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an authenticated, remote attacker ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Return to libstagefright: exploiting libutils on Android ***
---------------------------------------------
I’ve been investigating different fuzzing approaches on some Android devices recently, and this turned up the following rather interesting bug (CVE-2016-3861, fixed in the most recent Android Security Bulletin), deep in the ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/return-to-libstagefright-expl…
*** [R1] LCE 4.8.1 Fixes Multiple Third-party Library Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-14
*** Critical Flaws Found in Network Management Systems ***
---------------------------------------------
Four leading network management system providers patched nearly a dozen critical cross-site scripting vulnerabilities disclosed Wednesday by Rapid7.
---------------------------------------------
http://threatpost.com/critical-flaws-found-in-network-management-systems-2/…
*** Updated DShield Blocklist ***
---------------------------------------------
Earlier today, I updated how our block list is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21453&
*** Stealing login credentials from a locked PC or Mac just got easier ***
---------------------------------------------
20 seconds of physical access with a $50 device is all it takes.
---------------------------------------------
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-l…
*** The Limits of SMS for 2-Factor Authentication ***
---------------------------------------------
A recent ping from a reader reminded me that I've been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentic…
*** Ransomware: FBI hopes for more reports ***
---------------------------------------------
The extortionists who hijack and encrypt computers are becoming ever more professional. In the US, the FBI wants as many victims as possible to file reports, since every piece of information could help in the fight against the criminals.
---------------------------------------------
http://heise.de/-3316101
*** Ten-year-old Windows Media Player hack is the new black, again ***
---------------------------------------------
Why bother buying a zero-day when casual piracy and old code can p0wn thousands? Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.
---------------------------------------------
www.theregister.co.uk/2016/09/08/windows_media_player_malware_drm_security/
*** WordPress 4.6.1 upgrades security, fixes 15 bugs ***
---------------------------------------------
WordPress 4.6.1 is now available. This is a security release for all previous versions and all users are strongly encouraged to update their sites immediately. The two ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/08/wordpress-4-6-1-upgrades-securit…
*** Network analysis: Wireshark version 2.2 released ***
---------------------------------------------
Wireshark version 2.2 understands a number of new protocols. It also now speaks JSON itself and can export packets in that format.
---------------------------------------------
http://heise.de/-3316297
*** Denial of Service in extension "Speaking URLs for TYPO3" (realurl) ***
---------------------------------------------
https://typo3.org/news/article/denial-of-service-in-extension-speaking-urls…
*** Xen Security Advisory CVE-2016-7154 / XSA-188 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-188.html
*** Xen Security Advisory CVE-2016-7094 / XSA-187 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-187.html
*** Xen Security Advisory CVE-2016-7093 / XSA-186 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-186.html
*** Xen Security Advisory CVE-2016-7092 / XSA-185 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-185.html
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious privileged code running within a guest VM to compromise the host.
---------------------------------------------
https://support.citrix.com/article/CTX216071
*** IBM Security Bulletin: A security vulnerability for cross-site scripting affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2986) ***
---------------------------------------------
This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989940
*** IBM Security Bulletin: A vulnerability in PostgreSQL affects IBM Security Access Manager version 9 (CVE-2016-0773) ***
---------------------------------------------
IBM Security Access Manager version 9 appliances are affected by a vulnerability in PostgreSQL. CVE(s): CVE-2016-0773. Affected product(s) and affected version(s): IBM ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989543
*** Copyright: Data breach in cease-and-desist software ***
---------------------------------------------
A law firm that pursues unlawful use of photos apparently uses software that is carelessly configured. Unauthorized users were able to view data on clients and cease-and-desist letters.
---------------------------------------------
http://www.golem.de/news/urheberrechte-datenpanne-bei-abmahnkanzlei-1609-12…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 06-09-2016 18:00 − Wednesday 07-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cleaning the Wp-Page Pharma Hack in WordPress ***
---------------------------------------------
Pharma hacks are common website infections categorized under SEO spam. With pharma hacks, the attacker exploits vulnerable websites to distribute pharmaceutical advertisements to visitors. Symptoms of a pharma hack include embedded links and anchor text on pages or modified listings in Search Engine Results Pages (SERPs). These attacks most often target search engines like Google...
---------------------------------------------
https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpre…
*** How to Set Up Your Own Malware Trap, (Tue, Sep 6th) ***
---------------------------------------------
I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: first of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other than your corporate e-mail system. Sadly, many corporations these days switch to cloud...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21447&rss
*** Google plugs the last QuadRooter holes in Android ***
---------------------------------------------
As part of its monthly Android patch, Google plugs 47 security holes in the operating system. Seven of the holes are rated critical.
---------------------------------------------
http://heise.de/-3315023
*** Unpatched holes in Fortinet load balancers ***
---------------------------------------------
Fortinet has closed a security hole in its FortiWAN series load balancers with an update. Other holes, however, appear to remain open, which would allow attackers to execute admin commands without the corresponding privileges.
---------------------------------------------
http://heise.de/-3315178
*** No confirmation of personal data required at Amazon ***
---------------------------------------------
In a phishing email, criminals claim that Amazon has temporarily frozen the recipient's user account. For this reason customers are supposedly required to confirm their personal data. To do so they must open a link and enter their login credentials on a website. Users must not do this!
---------------------------------------------
https://www.watchlist-internet.at/phishing/keine-bestaetigung-persoenlicher…
*** Back-dooring PE Files on Windows ***
---------------------------------------------
Introduction: Portable Executable (PE) files are very commonly used today. Many people download these files from the internet or get it from a friend and run it on their systems without realizing the dangers involved in running these kind of files. It is very easy to add malicious code to these files and have it...
---------------------------------------------
http://resources.infosecinstitute.com/back-dooring-pe-files-windows/
*** The Missing Piece - Sophisticated OS X Backdoor Discovered ***
---------------------------------------------
In a nutshell, Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
---------------------------------------------
http://securelist.com/blog/research/75990/the-missing-piece-sophisticated-o…
*** A bite of Python ***
---------------------------------------------
Being easy to pick up and quick to progress toward larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. However, the apparent clarity and friendliness of the language can lull the vigilance of software engineers and system administrators, luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2592591
*** OUCH! 2016 Newsletter ***
---------------------------------------------
September 2016: Email Dos and Don'ts
---------------------------------------------
https://securingthehuman.sans.org/resources/newsletters/ouch/2016
*** WordPress 4.6.1 Security and Maintenance Release ***
---------------------------------------------
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance…
*** FortiWAN Multiple Vulnerabilities ***
---------------------------------------------
FortiWAN 4.2.4 and below is exposed to cross-site scripting, information leak and privilege escalation vulnerabilities. CVE-2016-4965: a non-administrative authenticated FortiWAN user with access privileges to the nslookup functionality can perform OS command injection in the root user context. CVE-20...
---------------------------------------------
http://fortiguard.com/advisory/fortiwan-multiple-vulnerabilities
*** [R5] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-09
*** TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations ***
---------------------------------------------
Original release date: September 06, 2016. Systems affected: network infrastructure devices. Overview: The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-250A
*** Security Advisory: Expat XML parser vulnerability CVE-2012-6702 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65460334.html?…
*** Security Advisory: FreeType vulnerabilities CVE-2014-9746 and CVE-2014-9747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52439336.html?…
*** Bugtraq: Infoblox Cross-site scripting vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539367
*** Bugtraq: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539366
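Two entries on this page, the Red Hat JBoss EAP input validation flaw and the Infoblox Network Automation CRLF injection (CVE-2016-6484), are the same bug class: a caller-influenced value lands in an HTTP response header without CR/LF being rejected, so the attacker can terminate the header block and append headers or an entire second response. The following is an added example, not code from either advisory or vendor: a redirect builder that copies the target verbatim (the vulnerable pattern), a hardened builder that refuses control characters, and a naive response parser that makes the split visible. The names `HeaderInjection`, `INJECTED_TARGET` and the domain `example.test` are chosen for this demo.

```python
# Added example (not from the JBoss or Infoblox advisories): how a CRLF in a
# header value splits one HTTP response into two, and a builder that refuses it.


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the header line."""


def build_redirect_vulnerable(target: str) -> bytes:
    """Copy an attacker-influenced redirect target into Location as-is."""
    # "\r\n" inside target ends the Location header early; everything after it
    # is read by the client as further headers or as a whole second response.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(target: str) -> bytes:
    """Same redirect, but any CR, LF or NUL in the value is an error."""
    # Reject rather than strip: stripping tends to be bypassed by encodings
    # (e.g. %0d%0a decoded later in the pipeline) that the filter never sees.
    if any(c in target for c in ("\r", "\n", "\x00")):
        raise HeaderInjection("control character in header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def split_responses(raw: bytes) -> list:
    """Parse a byte stream the way a simple client or caching proxy does:
    status line, headers, then a Content-Length-sized body, repeated."""
    responses = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        body_len = int(headers.get("content-length", "0"))
        responses.append({
            "status": lines[0],
            "headers": headers,
            "body": raw[body_start:body_start + body_len],
        })
        pos = body_start + body_len
    return responses


# Constructed attacker input: a normal-looking URL, then an injected end of
# headers and a complete second response the client will cache or render.
INJECTED_TARGET = (
    "http://example.test/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "<html>evil</html>"
)


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_hardened(target)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    for resp in split_responses(build_redirect_vulnerable(INJECTED_TARGET)):
        print(resp["status"], resp["headers"], resp["body"])
    print("hardened rejects:", hardened_rejects(INJECTED_TARGET))
```

Run stand-alone, the vulnerable builder yields two parsed responses from one call, the second of them entirely attacker-authored; the hardened builder raises on the same input and produces byte-identical output for clean input. Most current web frameworks already refuse header values containing CR or LF, which is why this class of bug now mostly surfaces in appliances and older middleware, as in the two advisories above.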
*** BMC BladeLogic Server Automation For Linux 8.7 Directory Dump ***
---------------------------------------------
Topic: BMC BladeLogic Server Automation For Linux 8.7 Directory Dump. Risk: Medium. Text: Title: Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation. Affected Software: BMC Bla...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090036
*** VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials. Original release date: 07 Sep 2016 | Last revised: 07 Sep 2016. Overview: DEXIS is dental x-ray imaging software that manages patient records. DEXIS Imaging Suite 10 contains several hard-coded credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6532. DEXIS Imaging Suite 10 contains several hard-coded database credentials...
---------------------------------------------
http://www.kb.cert.org/vuls/id/282991
*** VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: The Dentsply Sirona SchickTech CDR DICOM is software for managing dental medical records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6530. SchickTech CDR DICOM version 5 and below contains several hard-coded database...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** VU#619767: Open Dental contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#619767: Open Dental contains hard-coded credentials. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: Open Dental is dental medical records management software. Open Dental contains hard-coded default credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6531. Open Dental contains a hard-coded default database credential. An unauthenticated remote attacker with...
---------------------------------------------
http://www.kb.cert.org/vuls/id/619767
*** VU#548399: Dentsply Sirona CDR DICOM contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399: Dentsply Sirona CDR DICOM contains multiple hard-coded credentials. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: The Dentsply Sirona (previously known as Schick Technologies) CDR DICOM is software for managing dental medical records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6530. Dentsply Sirona CDR DICOM version 5 and below...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** Security Advisory - XML Bomb Vulnerability in AnyOffice ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
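The Huawei advisory above is headline-only, so here is what the bug class looks like in practice. An XML bomb ("billion laughs") is a small document whose internal DTD declares entities that reference each other so that a few kilobytes of input expand to gigabytes in the parser. The following is an added example, not Huawei code and not derived from the advisory: a pre-parse gate that scans the internal DTD subset with regular expressions, computes how many bytes each entity would expand to, and refuses the document (also any document declaring external entities) before a real parser touches it. The budget and depth limits, the `UnsafeXml` name and the `make_bomb` generator are assumptions made for this demo.

```python
# Added example (not Huawei's code): a pre-parse check for entity-expansion
# bombs. It reads the internal DTD subset, computes how many bytes each entity
# expands to, and refuses the document before a real parser inflates it.
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
EXTERNAL_DECL = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)

MAX_EXPANSION = 100_000  # bytes one entity may expand to (assumed budget)
MAX_DEPTH = 20           # nesting levels; also stops self-referencing entities


class UnsafeXml(ValueError):
    """Raised for documents that must not reach the real parser."""


def entity_expansions(doc: str, budget: int = MAX_EXPANSION) -> dict:
    """Return {entity name: expanded byte length} for internal entities.
    Raises UnsafeXml as soon as any entity would exceed `budget`."""
    decls = {}
    for m in ENTITY_DECL.finditer(doc):
        decls[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    sizes = {}

    def expand(name: str, depth: int) -> int:
        if name in sizes:
            return sizes[name]
        if depth > MAX_DEPTH:
            raise UnsafeXml(f"entity {name!r} nested deeper than {MAX_DEPTH}")
        if name not in decls:
            return 1  # predefined (&amp; ...) or undefined; the parser decides
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))   # literal text in the value
        for ref in ENTITY_REF.findall(value):     # plus each nested entity
            total += expand(ref, depth + 1)
            if total > budget:
                raise UnsafeXml(f"entity {name!r} expands past {budget} bytes")
        sizes[name] = total
        return total

    for name in decls:
        expand(name, 0)
    return sizes


def check_xml(doc: str, budget: int = MAX_EXPANSION) -> dict:
    """Gate before parsing: no external entities, bounded expansion."""
    if EXTERNAL_DECL.search(doc):
        raise UnsafeXml("external entity declaration (XXE risk)")
    return entity_expansions(doc, budget)


def is_safe(doc: str, budget: int = MAX_EXPANSION) -> bool:
    try:
        check_xml(doc, budget)
    except UnsafeXml:
        return False
    return True


def make_bomb(levels: int, fanout: int = 10) -> str:
    """Constructed 'billion laughs' document: lol0 = 'lol', each level
    references the previous one `fanout` times."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(decls)
        + f"\n]>\n<lolz>&lol{levels};</lolz>\n"
    )


# Constructed harmless document for comparison.
BENIGN = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>\n'
    "<note>&company; says &amp; hello</note>\n"
)


if __name__ == "__main__":
    print("benign:", entity_expansions(BENIGN))
    print("3 levels:", entity_expansions(make_bomb(3)))
    print("5 levels safe?", is_safe(make_bomb(5)))
```

The scanner deliberately errs toward rejection: a `<!ENTITY` that appears inside a comment or CDATA section is still counted, which can only produce a false positive, never a missed bomb. In production the normal answer is a parser with built-in amplification limits (libexpat 2.4 and later, or the `defusedxml` package in Python); a gate like this one is useful in front of components whose parser you cannot change, which is the situation an appliance advisory like the one above leaves you in.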
*** Security Advisory - Two Vulnerabilities in Huawei WS331a ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - TCP Connection Hijack Vulnerability ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - Information Leak Vulnerability in Certain Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-455876
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect AIX (CVE-2015-7974, CVE-2016-1550, CVE-2016-1551, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955) ***
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
---------------------------------------------
*** IBM Security Bulletin: Two vulnerabilities in libvirt affect PowerKVM (CVE-2015-5313, CVE-2016-5008) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024185
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024229
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Apache HTTP Server affects PowerKVM (CVE-2016-5387) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024017
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a Pluggable Authentication Module (PAM) vulnerability (CVE-2013-7041) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024221
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182 ***
http://www.ibm.com/support/docview.wss?uid=swg21988638
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center April 2016 CPU (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21988636
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affects IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0787) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099450
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational Team Concert with potential for Cross-Site Scripting attack (CVE-2016-0331) ***
http://www.ibm.com/support/docview.wss?uid=swg21989899
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Taglibs vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-0254 ***
http://www.ibm.com/support/docview.wss?uid=swg21988644
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in MD5 Signature and Hash Algorithm, glibc and OpenSSL affect IBM Netezza Firmware Diagnostics Tools ***
http://www-01.ibm.com/support/docview.wss?uid=swg21980965
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-09-2016 18:00 − Tuesday 06-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops ***
---------------------------------------------
Whaling attackers fall for poison PDF invoices. HITB: Florian Lukavsky hacks criminals profiting from out-of-control multi-billion-dollar CEO wire transfer scams, and they hate him for it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/06/hacker_hack…
*** House of Keys: 9 Months later... 40% Worse ***
---------------------------------------------
In November 2015 SEC Consult released the results of our study on hardcoded cryptographic secrets in embedded systems. It's time to summarize what has happened since. To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last...
---------------------------------------------
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.h…
*** Too many Cisco ASA boxes still open to an EXTRABACON attack ***
---------------------------------------------
Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers. It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak. You would think that news like this would...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/06/cisco-asa-still-open-extrabacon/
*** Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis ***
---------------------------------------------
The Bridge on the River Forza. "We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame." - Colonel Nicholson (The Bridge on the River Kwai, 1957). Efficiency. Something we look to implement in everything we do; whether through the elimination of waste via Six Sigma or other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach to ensure no stone is left...
---------------------------------------------
https://feeds.feedblitz.com/~/192237180/0/alienvault-blogs~Digital-Forensic…
*** How False Positives can ruin your day - and how to stop them ***
---------------------------------------------
False positives can seriously ruin your day, and can cost enterprises serious money. Highlighted by a recent example, we share some key tips on how to mitigate false alerts.
---------------------------------------------
https://www.htbridge.com/blog/how-false-positives-can-ruin-your-day-and-how…
*** A week in security (Aug 28 - Sep 03) ***
---------------------------------------------
A compilation of notable security news and blog posts from August 28th to September 3rd. This week, we talked about browser-based fingerprinting; what was going on with the Mac app, Transmission; and a tech support scam that banked on an iPad error popping up on Windows systems.
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/09/a-week-in-security-aug…
*** [2016-09-06] Private key for browser-trusted certificate embedded in multiple Aruba Networks / Alcatel-Lucent products ***
---------------------------------------------
A browser-trusted certificate including its private key is embedded in the firmware of several Aruba Networks/Alcatel-Lucent products. The certificate is used for providing user access to a captive portal via HTTPS as well as EAP connections for WPA2-Enterprise clients. An attacker can use this vulnerability to impersonate a captive portal or Wi-Fi AP and gain access to sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SSA-630413 (Last Update 2016-09-05): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413…
*** ArcServe UDP - Unquoted Service Path Privilege Escalation ***
---------------------------------------------
Topic: ArcServe UDP - Unquoted Service Path Privilege Escalation. Risk: High. Text: Title: ArcServe UDP - Unquoted Service Path Privilege Escalation. CWE Class: CWE-427: Uncontrolled Search Path Element. Date: 0...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090024
*** ArcServe UDP - Download Manager/Setup - DLL Hijacking ***
---------------------------------------------
Topic: ArcServe UDP - Download Manager/Setup - DLL Hijacking. Risk: Medium. Text: Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking. CWE Class: CWE-427: Uncontrolled Search Path Element. Date: 04/09...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090030
*** ArcServe UDP - HTTP Installation MiTM ***
---------------------------------------------
Topic: ArcServe UDP - HTTP Installation MiTM. Risk: Low. Text: Title: ArcServe UDP - MiTM. CWE Class: CWE-300: Channel Accessible by Non-Endpoint (Man-in-the-Middle) | CWE-319: Cleartext T...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090029
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V9000 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009104
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Network Security Services (NSS) affect the IBM FlashSystem models 840 and 900 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009103
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V840 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009102
---------------------------------------------
*** IBM Security Bulletin: BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919, CVE-2016-0211) ***
http://www.ibm.com/support/docview.wss?uid=swg21987604
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer may be affected by an Apache Xerces-C XML Parser library vulnerability (CVE-2016-0729) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988714
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009106
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009105
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-09-2016 18:00 − Monday 05-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** DNS tunneling threat drills into nearly half of networks tested ***
---------------------------------------------
Infoblox's new report showed that nearly half of all networks tested show signs of DNS tunnelling.
---------------------------------------------
http://www.scmagazine.com/dns-tunneling-threat-drills-into-nearly-half-of-n…
*** Android Patch Fixes Nexus 5X Critical Vulnerability ***
---------------------------------------------
Google patched an undocumented vulnerability that allowed attackers to bypass the Nexus 5X lock screen via a forced memory dump that exposed the device owner's password.
---------------------------------------------
http://threatpost.com/android-patch-fixes-nexus-5x-critical-vulnerability/1…
*** Cisco IOS Software Point-to-Point Tunneling Protocol Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of Point-to-Point Tunneling Protocol (PPTP) server functionality in Cisco IOS Software could allow an unauthenticated, remote attacker to access data from a packet buffer that was previously ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Sundown EK – Stealing Its Way to the Top ***
---------------------------------------------
Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is under constant development. With ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%e2%80%93-St…
*** Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks
---------------------------------------------
http://www.securitytracker.com/id/1036728
*** ‘Flash Hijacks’ Add New Twist to Muggings ***
---------------------------------------------
A frequent crime in Brazil is a scheme in which thieves kidnap people as they're leaving a bank, and free them only after they've visited a number of ATMs to withdraw ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/flash-hijacks-add-new-twist-to-muggings/
*** Telnet is not dead – at least not on ‘smart’ devices ***
---------------------------------------------
Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But ..
---------------------------------------------
http://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-d…
*** "If your data is in the cloud, the NSA has it too" ***
---------------------------------------------
Cryptologist Bart Preneel in a futurezone interview on encryption in the post-Snowden era, backdoors and quantum cryptography.
---------------------------------------------
https://futurezone.at/science/wenn-ihre-daten-in-der-cloud-sind-hat-sie-auc…
*** Microsoft thought of the children and decided to ban some browsers ***
---------------------------------------------
Redmond's Family Settings now block browsers-without-filters by default, but which ones? Microsoft has updated its family filters to block some rival ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/microsoft_thought_of_the_children_and_deci…
*** Background: Analysed: Ransomware meets Info-Stealer - RAA and the thieving Pony, part II ***
---------------------------------------------
As this instalment of the "Analysiert:" series reveals, the seemingly perfect encryption of the RAA trojan does have gaps after all. The password thief launched by RAA cannot escape analysis with its anti-debugging tricks either.
---------------------------------------------
http://heise.de/-3303401
*** Fake attacks by insiders to fool companies ***
---------------------------------------------
Famous cybercrime groups and hacktivists “brands” may be a smokescreen to cover sophisticated insider attacks.
---------------------------------------------
https://www.htbridge.com/blog/fake-attacks-by-insiders-to-fool-companies.ht…
*** Security Advisory - Information Leak Vulnerability in Huawei eSpace IAD ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** Security Advisory - Multiple Security Vulnerabilities in Huawei HiSuite ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** BKA takes on ransomware with SOKO Clavis ***
---------------------------------------------
After cases have piled up in recent weeks, the German Federal Criminal Police Office (BKA) now wants to take targeted action against ransomware. A special task force (SOKO) is to track down the perpetrators.
---------------------------------------------
https://futurezone.at/netzpolitik/bka-geht-mit-soko-clavis-gegen-ransomware…
*** Sophos Windows users face black screens after false positive snafu ***
---------------------------------------------
Black is the new BSOD. Users of Sophos's security software were confronted with a black screen on starting up ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
*** Vuln: Inspircd SSL Certificate Spoofing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92737
*** Those declared dead live longer: Adobe polishes up NPAPI Flash on Linux ***
---------------------------------------------
Contrary to many an opinion piece, Flash is far from finished. Adobe seems to have realised this too and is now refreshing the outdated NPAPI version on Linux.
---------------------------------------------
http://heise.de/-3314084
*** 800,000 plaintext passwords from the porn site Brazzers published ***
---------------------------------------------
Another large hack with copied user data has come to light, and again the server break-in appears to have taken place in 2012.
---------------------------------------------
http://heise.de/-3314087
*** Malware Delivered via .pub Files ***
---------------------------------------------
While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21443
*** Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems ***
---------------------------------------------
The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners. We are providing a ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-u…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 01-09-2016 18:00 − Friday 02-09-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Chrome 53 Fixes Address Spoofing Vulnerability, 32 Other Bugs ***
---------------------------------------------
http://threatpost.com/chrome-53-fixes-address-spoofing-vulnerability-32-oth…
*** Insecure Redis Instances at Core of Attacks Against Linux Servers ***
---------------------------------------------
Attackers are targeting insecure Redis instances, exposed to the internet, to access Linux servers and delete web files and folders in exchange for ransom.
---------------------------------------------
http://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-l…
*** Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite ***
---------------------------------------------
https://support.apple.com/kb/HT207130
*** Safari 9.1.3 ***
---------------------------------------------
https://support.apple.com/kb/HT207131
*** IoT Home Router Botnet Leveraged in Large DDoS Attack ***
---------------------------------------------
We have been monitoring a large-scale Layer 7 HTTPS flood attack (i.e., application level DDoS) against a customer over the past few weeks. It is being distributed ..
---------------------------------------------
https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-d…
*** When physics becomes a security hole ***
---------------------------------------------
At the Usenix security conference, hackers demonstrated new ways of manipulating systems through attacks on the hardware.
---------------------------------------------
https://futurezone.at/science/wenn-die-physik-zur-sicherheitsluecke-wird/21…
*** DSA-3658 libidn - security update ***
---------------------------------------------
Hanno Boeck discovered multiple vulnerabilities in libidn, the GNU library for Internationalized Domain Names (IDNs), allowing a remote attacker to cause a denial of service against an application using the libidn library (application crash).
---------------------------------------------
https://www.debian.org/security/2016/dsa-3658
*** Suspected attacker on the Linux kernel's web infrastructure arrested ***
---------------------------------------------
A hacker who is said to be responsible for attacks on the Linux Foundation and the kernel.org website has been arrested in the USA. This appears to be the well-known attack from 2011.
---------------------------------------------
http://heise.de/-3312595
*** Over 40 million usernames, passwords from 2012 breach of Last.fm surface ***
---------------------------------------------
While Last.fm informed users in 2012, passwords were easily cracked.
---------------------------------------------
http://arstechnica.com/security/2016/09/over-40-million-usernames-passwords…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 31-08-2016 18:00 − Thursday 01-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** There are really only two effectively distinct settings for the UAC slider ***
---------------------------------------------
There's a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels: ... Although it looks like there are four settings, in a theoretical sense, there really are only two settings.
---------------------------------------------
https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
*** Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050 ***
---------------------------------------------
https://www.drupal.org/node/2793115
*** So much for counter-phishing training: Half of people click anything sent to them ***
---------------------------------------------
Even people who claimed to be aware of risks clicked out of curiosity.
---------------------------------------------
http://arstechnica.com/security/2016/08/researchers-demonstrate-half-of-peo…
*** New Version of Cerber Ransomware Distributed via Malvertising ***
---------------------------------------------
Cerber has become one of the most notorious and popular ransomware families to date. It now has a new variant that, while superficially similar to earlier variants, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-version-cerb…
*** MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ***
---------------------------------------------
Background: From August 4th 2016 several sysadmin friends were starting to upload these malware files to our dropbox. The samples weren't easy to retrieve, so there are good ones and also some broken ones; I listed the good ones in this post. This threat is made by the ELF trojan backdoor, the ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
*** Maxmind.com (Ab)used As Anti-Analysis Technique ***
---------------------------------------------
A long time ago I wrote a diary[1] about malware samples which use online geolocalization services. Such services are used to target only specific victims. If the malware detects that it is executed from a specific area, it just stops. This ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21435
*** Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter ***
---------------------------------------------
This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, ..
---------------------------------------------
https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss-in…
*** Spotify: just change your passwords ***
---------------------------------------------
New passwords yet again: some Spotify customers are to change them as a precaution, while the background remains vague. It is also not known by what criteria the customers were selected.
---------------------------------------------
http://www.golem.de/news/spotify-einfach-mal-passwoerter-aendern-1609-12301…
*** German Federal Criminal Police Office warns of ransomware trojan in fake job application e-mails ***
---------------------------------------------
Computer gets encrypted and a ransom is demanded
---------------------------------------------
http://derstandard.at/2000043687916
*** Unix: OpenBSD 6.0 enforces W^X for the base system ***
---------------------------------------------
The OpenBSD project is hardening its base system by making the memory it uses either writable or executable (W^X), but not both. The team is also dropping VAX and Linux support, but has extended its ARMv7 support.
---------------------------------------------
http://www.golem.de/news/unix-openbsd-6-0-erzwingt-w-x-fuer-das-basissystem…
*** Darknet: arrests after drug raids on Chemical Love customers ***
---------------------------------------------
In a nationwide raid, investigators seized large quantities of drugs that the suspects are alleged to have previously bought on the darknet. The accused are said to have been active as dealers.
---------------------------------------------
http://www.golem.de/news/darknet-festnahme-nach-drogenrazzia-bei-chemical-l…
*** Retefe trojan in fake invoices ***
---------------------------------------------
E-mail inboxes are receiving messages with the subject „Ihre Zahlung 631 EUR“, „167 EUR Bestellung“, „33 EUR Zahlung“ or „81 EUR Rechnung“. They purportedly come from the ..
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/retefe-trojaner-in…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 30-08-2016 18:00 − Wednesday 31-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Bulletin Posted for ColdFusion (APSB16-30) ***
---------------------------------------------
Adobe has published a Security Bulletin (APSB16-30) announcing the availability of hotfixes for ColdFusion versions 11 and 10. These hotfixes resolve a critical vulnerability ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1395
*** Inside the Demise of the Angler Exploit Kit ***
---------------------------------------------
Researchers at Kaspersky Lab today confirmed that the cybercriminals behind the Lurk Trojan were also responsible for the development and distribution of ..
---------------------------------------------
http://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/
*** BASHLITE Family Of Malware Infects 1 Million IoT Devices ***
---------------------------------------------
Over 1 million consumer web-connected video cameras and DVRs have become the slaves of botnet herders that use the devices for DDoS and phishing attacks.
---------------------------------------------
http://threatpost.com/bashlite-family-of-malware-infects-1-million-iot-devi…
*** Ask Sucuri: How Modern Web Phishing Works ***
---------------------------------------------
Most of us have experienced some kind of phishing attempt in our online lives, and we have seen phishing grow in complexity. Usually, we notice that the login pages are ..
---------------------------------------------
https://blog.sucuri.net/2016/08/modern-web-phishing-works.html
*** Ursnif: Deep Technical Dive ***
---------------------------------------------
While attack tools around the world are stealthy and stay under the radar, we at Seculert examine many different malicious tools. This is done in order to stay at least one step ahead of the attackers, and improve our advanced analytics technology to detect their artistic evasive techniques.
---------------------------------------------
http://www.seculert.com/blogs/ursnif-deep-technical-dive
*** The target is said to be banks: DDoS extortionists demand "only" 1 bitcoin and threaten encryption ***
---------------------------------------------
The current group calls itself „HACKER TEAM – Armada Collective“. According to Link11, the criminals have ..
---------------------------------------------
http://www.it-finanzmagazin.de/ernstzunehmende-ddos-erpresser-fordern-nur-1…
*** Adobe plugs ColdFusion holes ahead of patch day ***
---------------------------------------------
A good two weeks before the company's regular patch day, Adobe is closing two holes in the ColdFusion web application server. That suggests admins should apply the patches quickly.
---------------------------------------------
http://heise.de/-3309658
*** Blockchain technology: a third of all Bitcoin exchanges have been hacked ***
---------------------------------------------
How safe are bitcoins at online exchanges? Not particularly, if a recent study is to be believed. According to it, ..
---------------------------------------------
http://www.golem.de/news/blockchain-technologie-ein-drittel-aller-bitcoin-b…
*** [2016-08-31] Manipulation of pre-boot authentication in CryptWare CryptoPro Secure Disk for Bitlocker ***
---------------------------------------------
CryptoPro Secure Disk for Bitlocker contains multiple vulnerabilities which can be used by an attacker to manipulate the PBA (pre-boot authentication). This allows ..
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DSA-3657 libarchive - security update ***
---------------------------------------------
Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in libarchive; processing malformed archives may result in denial of service or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3657
*** Dropbox hack: around 68 million passwords on the net since 2012 ***
---------------------------------------------
The database could apparently be stolen because of the LinkedIn hack, where a Dropbox employee used the same password
---------------------------------------------
http://derstandard.at/2000043625840
*** Swift speaks of further hacker attacks on banks ***
---------------------------------------------
http://derstandard.at/2000043626250
*** BitTorrent client Transmission brought malware to Macs again ***
---------------------------------------------
For the second time, users were able to get malware onto their Mac by downloading the popular BitTorrent app ..
---------------------------------------------
http://heise.de/-3310446
*** Security holes in defibrillators: investment firm speculated on manufacturer's share price ***
---------------------------------------------
A serious accusation: a security firm is alleged to have exaggerated potentially life-threatening security holes and leaked them to an investment firm in order to then rake in money on the stock market.
---------------------------------------------
http://heise.de/-3309906
*** Certificate authority: WoSign issues unauthorised certificate for GitHub ***
---------------------------------------------
A whole series of incidents is putting the certificate authority WoSign under pressure to explain itself. Various security holes allowed the unauthorised issuance of ..
---------------------------------------------
http://www.golem.de/news/zertifizierungsstelle-wosign-stellt-unberechtigtes…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-08-2016 18:00 − Tuesday 30-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Browser-based fingerprinting: implications and mitigations ***
---------------------------------------------
This post covers the information disclosure bugs in Internet Explorer and Edge that we sometimes refer to as fingerprinting. We review past ..
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fin…
*** Double-click me not: Malicious proxy settings in OLE Embedded Script ***
---------------------------------------------
Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/08/29/double-click-me-not-mal…
*** Background: Analysed: Ransomware meets info-stealer - RAA and the thieving Pony ***
---------------------------------------------
In our "Analysed:" series, this time an extortion trojan goes under the knife: Olivia von Westernhagen examines the JavaScript-based RAA trojan, which also carries a password-stealing malware along with it.
---------------------------------------------
http://heise.de/-3303113
*** Bizarre motive for cyber attack on the Sri Lankan president's website ***
---------------------------------------------
17-year-old attacker demanded that the school-leaving exams be postponed
---------------------------------------------
http://derstandard.at/2000043545769
*** Linux package manager: RPM development is chaotic ***
---------------------------------------------
Our author tried to report potential security vulnerabilities in the RPM package manager, which is used by Red Hat, SUSE and other Linux distributions. But that turned out to be anything but ..
---------------------------------------------
http://www.golem.de/news/linux-paketmanager-rpm-entwicklung-verlaeuft-chaot…
*** The Hunt for Lurk ***
---------------------------------------------
In June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles. The story of Lurk gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects.
---------------------------------------------
http://securelist.com/analysis/publications/75944/the-hunt-for-lurk/
*** Ripper: ATM malware dispenses up to 40 banknotes ***
---------------------------------------------
Security researchers have discovered malware that is said to infect ATMs from three different manufacturers. There are strong indications that criminals used the malware to steal more than 300,000 euros in Thailand.
---------------------------------------------
http://www.golem.de/news/ripper-geldautomaten-malware-gibt-bis-zu-40-schein…
*** Linux servers hit with FairWare ransomware – or is it just a scam? ***
---------------------------------------------
Users posting on Bleeping Computer’s forums have alerted the world to a new threat targeting Linux server admins: the FairWare ransomware. Whether the ransomware actually ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/30/linux-fairware-ransomware/
*** Security of implantable medical devices: St. Jude Medical pacemakers said to be hackable ***
---------------------------------------------
A no-holds-barred dispute: US medical device manufacturer St. Jude Medical is fighting with the security specialist MedSec and the investment firm Muddy Waters Capital over the security of life-critical devices.
---------------------------------------------
http://heise.de/-3307510
*** 71,000 Minecraft World Map accounts leaked online after hack ***
---------------------------------------------
Dumped creds have been exposed since January. Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map.
---------------------------------------------
www.theregister.co.uk/2016/08/30/71000_minecraft_world_map_accounts_leak/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 26-08-2016 18:00 − Monday 29-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** VMSA-2016-0007.2 ***
---------------------------------------------
VMware NSX and vCNS product updates address a critical information disclosure vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0007.html
*** Another Day - Another Ransomware Sample ***
---------------------------------------------
Catching ransomware is pretty easy these days. I setup a procmail filter that will extract all e-mails with compressed JavaScript attachments. Whatever is ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21413
*** QNAP QTS Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Overwrite Arbitrary Files, and Inject Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1036699
*** Tips for Securing SSL Renegotiation ***
---------------------------------------------
A number of Internet connections require SSL renegotiation, a Secure Sockets Layer/Transport ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/tips-securing-ssl-renegotiation/
*** Amazon: hacked seller accounts lure shoppers with bargains ***
---------------------------------------------
For suspiciously cheap items on Amazon Marketplace, the supposed sellers try to move the purchase outside the shop.
---------------------------------------------
http://futurezone.at/digital-life/amazon-gehackte-haendlerkonten-locken-mit…
*** Dropbox resets passwords dating from 2012 and earlier ***
---------------------------------------------
The cloud storage service is currently asking some users to reset their Dropbox password and choose a new one. The background is a data leak from 2012.
---------------------------------------------
http://heise.de/-3306240
*** Cybercriminals Select Insiders To Attack Telecom Providers ***
---------------------------------------------
An anonymous reader quotes a report from Help Net Security: Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, according to Kaspersky Lab. In addition, these ..
---------------------------------------------
https://tech.slashdot.org/story/16/08/27/0739204/cybercriminals-select-insi…
*** Opera warns Opera Sync users of possible security breach ***
---------------------------------------------
The Norwegian company warned users of the Opera Sync service of a possible security breach that might have exposed their data. On Friday, Opera published ..
---------------------------------------------
http://securityaffairs.co/wordpress/50690/data-breach/opera-sync-security-b…
*** Observatory: Mozilla offers a security check for websites ***
---------------------------------------------
How secure is your own website? Testing it with a new tool from browser maker Mozilla could be a sobering experience for many site operators.
---------------------------------------------
http://www.golem.de/news/observatory-mozilla-bietet-sicherheitscheck-fuer-w…
*** Ransomware: Fantom trojan fakes a critical Windows update ***
---------------------------------------------
A Windows update lulls users into a sense of security, the authors of the Fantom ransomware must have thought. In this case, however, particular caution is required.
---------------------------------------------
http://www.golem.de/news/ransomware-trojaner-fantom-gaukelt-kritisches-wind…
*** Exploits: Android vendors' drivers are the source of kernel vulnerabilities ***
---------------------------------------------
The number of attacks on the Linux kernel in Android is growing very rapidly. By far the largest share of the known vulnerabilities is found in the vendors' device drivers; the vendors are evidently overwhelmed by kernel maintenance.
---------------------------------------------
http://www.golem.de/news/exploits-treiber-der-android-hersteller-verursache…
*** Maintenance work on Thursday, 1 September 2016, afternoon ***
---------------------------------------------
On Thursday, 1 September 2016, starting at about 13:00, we will carry out necessary maintenance work on our infrastructure. This will not cause any outages of the externally ..
---------------------------------------------
http://www.cert.at/services/blog/20160829150342-1783.html
*** l+f: Password safe full of holes ***
---------------------------------------------
After antivirus software, Google's security ace Tavis Ormandy is now taking password safes to task -- with similarly alarming results.
---------------------------------------------
http://heise.de/-3306993
*** ZDI-16-497: Apple OS X AppleHDA Buffer Overflow Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-497/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 25-08-2016 18:00 − Friday 26-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** OpenSSL protects against the Sweet32 attack and dances the ChaCha20 ***
---------------------------------------------
Version 1.1.0 clears out old, insecure crypto algorithms and instead supports more modern ones such as ChaCha20. The update also stops the Sweet32 attack on SSL/TLS and OpenVPN.
---------------------------------------------
http://heise.de/-3305647
*** Background: The iOS spyware Pegasus - taking stock ***
---------------------------------------------
The Pegasus spyware has shaken the iPhone world. How can I protect myself? Is the iOS security concept in ruins? Is this the end? An analysis of the known facts brings clarity.
---------------------------------------------
http://heise.de/-3305780
*** What's The Deal With Machine Learning? ***
---------------------------------------------
We've recently received quite a few questions regarding the use of machine learning techniques in cyber security. I figured it was time for a blog post. Interestingly, while I was writing this post, we got asked even more questions, so the timing couldn't be better. It seems that there are quite a few companies out...
---------------------------------------------
https://labsblog.f-secure.com/2016/08/26/whats-the-deal-with-machine-learni…
*** Floating Domains - Taking Over 20K DigitalOcean Domains via a Lax Domain Import System ***
---------------------------------------------
DigitalOcean is a cloud service provider similar to Amazon Web Services or Google Cloud. They offer cloud DNS hosting as one of their product lines - a nice guide on how to set up your domain to use their DNS can be found here. Take a moment to read it over and see if you can spot any potential issues with their domain name set up process.
---------------------------------------------
https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-dom…
*** 5 security practices hackers say make their lives harder ***
---------------------------------------------
Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them - or the government, for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks. At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed...
---------------------------------------------
http://www.cio.com/article/3112740/security/5-security-practices-hackers-sa…
*** iOS 9.3.5 ***
---------------------------------------------
This document describes the security content of iOS 9.3.5.
---------------------------------------------
https://support.apple.com/en-us/HT207107
*** F-Secure Policy Manager 12.00.67239 - Remote code execution by authenticated user ***
---------------------------------------------
The F-Secure Policy Manager client relies on Spring remoting to communicate with the server. Spring remoting uses Java serialization as transfer protocol. Spring internal mechanisms first deserialize before validating the deserialization class is authorized. That behavior leads to remote command execution if we are able to send objects present in the classpath that execute code when they are deserialized.
---------------------------------------------
https://remoteawesomethoughts.blogspot.com/2016/08/f-secure-policy-manager-…
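The deserialize-first, authorize-later mistake this entry describes is easy to reproduce in miniature. The block below is an added example written for this digest, not code from F-Secure, Spring or the advisory's author. It uses Python's pickle as a stand-in for Java serialization, a constructed Gadget class whose deserialization calls a function (here it merely records that it ran), and a constructed StatusReport message type. naive_load checks the type only after the object graph has been built, so the gadget has already executed; RestrictedUnpickler.find_class refuses every class or callable not on the allowlist before any instance exists, which is where the check has to sit.

```python
import io
import pickle

# Record of side effects, so a caller can prove whether gadget code ran.
EXECUTED = []

def record_execution(marker):
    """Stand-in for the dangerous callable a real gadget chain would reach
    (a process launcher, a JNDI lookup, ...). Here it only logs the call."""
    EXECUTED.append(marker)
    return marker

class Gadget:
    """Constructed 'gadget': an object whose deserialization runs code."""
    def __reduce__(self):
        # pickle stores this as "call record_execution('gadget ran') on load"
        return (record_execution, ("gadget ran",))

class StatusReport:
    """Constructed message type the server legitimately expects."""
    def __init__(self, host, ok):
        self.host = host
        self.ok = ok

def naive_load(payload):
    """The flawed pattern: deserialize first, check the type afterwards.
    By the time isinstance() runs, any gadget in the stream has executed."""
    obj = pickle.loads(payload)
    if not isinstance(obj, StatusReport):
        raise TypeError("unexpected type %s" % type(obj).__name__)
    return obj

class RestrictedUnpickler(pickle.Unpickler):
    """Authorize classes before any instance is constructed. find_class()
    is consulted for every global reference in the stream, including the
    callable a gadget's __reduce__ points at."""
    ALLOWED = {(StatusReport.__module__, "StatusReport"): StatusReport}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                "global %s.%s is not on the allowlist" % (module, name))

def safe_load(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def demo():
    """Run both loaders on a legitimate and a malicious stream."""
    del EXECUTED[:]
    legit = pickle.dumps(StatusReport("db01", True))
    evil = pickle.dumps(Gadget())
    results = {"naive_legit": naive_load(legit).host,
               "safe_legit": safe_load(legit).host}
    try:
        naive_load(evil)
        results["naive_evil"] = "accepted"
    except TypeError:
        # rejected, but EXECUTED already holds the gadget's marker
        results["naive_evil"] = "rejected after gadget ran"
    try:
        safe_load(evil)
        results["safe_evil"] = "accepted"
    except pickle.UnpicklingError:
        results["safe_evil"] = "rejected before gadget ran"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
    print("gadget executions:", EXECUTED)
```

The point of the allowlist living in find_class rather than after load() is that pickle, like Java serialization, resolves and invokes callables while it is still building the object graph; a type check on the finished result is too late. The same applies to Java: the class filter (ObjectInputFilter, or a resolveClass override) must run before the object is instantiated.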
*** PowerDNS Recursor 4.0.2 - Released August 26th 2016 ***
---------------------------------------------
This release fixes a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. [...] Further fixes and changes can be found below:...
---------------------------------------------
https://doc.powerdns.com/md/changelog/
*** VU#305607: Accellion Kiteworks contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#305607: Accellion Kiteworks contains multiple vulnerabilities
Original Release date: 26 Aug 2016 | Last revised: 26 Aug 2016
Overview: The Accellion Kiteworks appliance prior to version kw2016.03.00 contains multiple vulnerabilities.
Description: CWE-276: Incorrect Default Permissions - CVE-2016-5662. The `/opt/bin/cli` script has setuid permissions by default, allowing an authenticated Kiteworks user to escalate the privileges of commands to root. In practice, the user would...
---------------------------------------------
http://www.kb.cert.org/vuls/id/305607
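A setuid file that should not be setuid is the kind of default an operator can sweep for on any appliance or server. The block below is an added example for this digest, not code from CERT/CC or Accellion: a generic setuid audit run over a constructed directory tree that mimics the advisory's opt/bin/cli layout. It reports every regular file with the setuid bit and flags those that are interpreter scripts, which deserve the hardest look because their behaviour is whatever the script (and the interpreter it invokes) does with attacker-controlled arguments and environment.

```python
import os
import stat
import tempfile

def find_setuid_files(root):
    """Walk `root` and return (path, owner_uid) for every regular file with
    the setuid bit set. Symlinks are not followed (lstat), so a link into
    another tree cannot be used to pad or hide results."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)

def is_script(path):
    """True if the file starts with a shebang, i.e. is an interpreter script."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def audit(root):
    """Combine both checks into one report per setuid file."""
    return [{"path": p, "uid": uid, "script": is_script(p)}
            for p, uid in find_setuid_files(root)]

def build_demo_tree():
    """Constructed fixture (assumption: a writable temp dir): a fake
    appliance layout with a setuid shell script at opt/bin/cli, mirroring
    the path named in the advisory, plus an ordinary non-setuid script."""
    root = tempfile.mkdtemp(prefix="setuid-demo-")
    bindir = os.path.join(root, "opt", "bin")
    os.makedirs(bindir)
    cli = os.path.join(bindir, "cli")
    with open(cli, "w") as fh:
        fh.write('#!/bin/sh\nexec /usr/bin/real-cli "$@"\n')
    os.chmod(cli, 0o4755)          # the bad default: setuid on a script
    helper = os.path.join(bindir, "helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    os.chmod(helper, 0o755)        # normal executable, must not be reported
    return root

if __name__ == "__main__":
    for entry in audit(build_demo_tree()):
        print("%s uid=%d script=%s" % (entry["path"], entry["uid"], entry["script"]))
```

On a live system the equivalent sweep is `find / -xdev -type f -perm -4000`; the value of scripting it is keeping a baseline so that a new setuid file introduced by a vendor update stands out.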
*** AlienVault USM/OSSIM 5.2 conf/reload.php DOM-based XSS ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080229
*** FreePBX 13.0.35 Remote command execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080231
*** Apple libc incomplete fix of Security Update for OS X El Capitan 10.11.2 ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080232
*** OpenBSD SMTP Processing Bug in rfc2822_parser_init() May Let Remote Users Bypass Security Restrictions on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036691
*** DFN-CERT-2016-1391: OpenSSL: A vulnerability allows security measures to be bypassed and information to be disclosed ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1391/
*** OpenVPN Blowfish Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases ***
---------------------------------------------
http://www.securitytracker.com/id/1036695
*** DSA-3651 rails - security update ***
---------------------------------------------
Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View in rails, a web application framework written in Ruby. Text declared as HTML safe will not have quotes escaped when used as attribute values in tag helpers.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3651
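The bug class in this advisory, a "safe" string whose quotes are not escaped in attribute position, can be shown with a tiny tag helper. The block below is an added example written for this digest in Python, not Rails code and not the Debian or Rails fix; SafeString, buggy_tag and fixed_tag are constructed names. The buggy helper trusts the safe marker completely, so a quote inside the value closes the attribute and the remainder becomes new attributes. The hardened helper treats "safe" as "may contain markup" only and still escapes the quote character in attribute context, which is what the advisory's wording implies a correct tag helper must do.

```python
import html

class SafeString(str):
    """Marker type for text the caller has declared HTML-safe, analogous to
    a string marked html_safe in a web framework (constructed for this example)."""

def buggy_tag(name, **attrs):
    """Mirrors the bug class: a value marked safe is inserted into an
    attribute untouched, quotes included."""
    rendered = []
    for key, value in attrs.items():
        if not isinstance(value, SafeString):
            value = html.escape(value, quote=True)
        rendered.append('%s="%s"' % (key, value))
    return "<%s %s>" % (name, " ".join(rendered))

def fixed_tag(name, **attrs):
    """Hardened form: 'safe' only means the value may contain markup; in
    attribute position the quote character must still be escaped so the
    value cannot terminate the attribute early."""
    rendered = []
    for key, value in attrs.items():
        if isinstance(value, SafeString):
            value = value.replace('"', "&quot;")
        else:
            value = html.escape(value, quote=True)
        rendered.append('%s="%s"' % (key, value))
    return "<%s %s>" % (name, " ".join(rendered))

def demo():
    """Render the same tainted value with both helpers."""
    # Constructed input: attacker-controlled text that upstream code wrongly
    # marked safe (for example after a sanitizer that only looks at tags,
    # not at attribute context).
    tainted = SafeString('x" onmouseover="alert(1)')
    return (buggy_tag("a", href="/profile", title=tainted),
            fixed_tag("a", href="/profile", title=tainted))

if __name__ == "__main__":
    buggy, fixed = demo()
    print("buggy:", buggy)
    print("fixed:", fixed)
```

The buggy output is `<a href="/profile" title="x" onmouseover="alert(1)">`, a working event-handler injection; the fixed output keeps the whole value inside the title attribute. The general rule is that escaping depends on the output context (text node, attribute value, URL, script), so a single "safe" flag decided upstream cannot stand in for it.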
*** DSA-3654 quagga - security update ***
---------------------------------------------
Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3654
*** DSA-3653 flex - security update ***
---------------------------------------------
Alexander Sulfrian discovered a buffer overflow in the yy_get_next_buffer() function generated by Flex, which may result in denial of service and potentially the execution of code if operating on data from untrusted sources.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3653
*** DSA-3652 imagemagick - security update ***
---------------------------------------------
This update fixes many vulnerabilities in imagemagick: various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service or the execution of arbitrary code if malformed TIFF, WPG, RLE, RAW, PSD, Sun, PICT, VIFF, HDR, Meta, Quantum, PDB, DDS, DCM, EXIF, RGF or BMP files are processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3652
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 24-08-2016 18:00 − Thursday 25-08-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989060
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack Demo package on the Web Potential DLL Loading Code Execution Vulnerability (CVE-2016-5934 ) ***
---------------------------------------------
IBM Tivoli Storage Manager FastBack Demo package on the Web contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988908
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSL ***
---------------------------------------------
Vulnerabilities have been identified in OpenSSL. IBM Security Access Manager for Mobile uses OpenSSL and is affected by these vulnerabilities. CVE(s): CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988189
*** Hacked Email: Why Cyber Criminals Want to Get Into Your Inbox ***
---------------------------------------------
“I don’t care about getting hacked, there’s nothing valuable in my email” If I got a nickel ..
---------------------------------------------
https://heimdalsecurity.com/blog/hacked-email-why-cyber-criminals-want-inbo…
*** Example of Targeted Attack Through a Proxy PAC File, (Wed, Aug 24th) ***
---------------------------------------------
Yesterday, I discovered a nice example of targeted attack against a Brazilian bank. It started with an email sample like this: This message was sent to a ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21405
*** Bugtraq: WebKitGTK+ Security Advisory WSA-2016-0005 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539295
*** [2016-08-25] Multiple vulnerabilities in Micro Focus (Novell) GroupWise ***
---------------------------------------------
Micro Focus (Novell) GroupWise 2014 (up to R2 SP1) contains vulnerabilities that allow an attacker to take over user sessions by sending the victim a crafted email, take over administrator accounts or potentially compromise the system (heap based buffer overflow).
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SWEET32: short cipher blocks lead to collisions ***
---------------------------------------------
A new attack on TLS and VPN connections affects old encryption algorithms such as Triple-DES and Blowfish, which encrypt data in 64-bit blocks. The attack requires eavesdropping on many gigabytes of data and is therefore likely to be practical only rarely.
---------------------------------------------
http://www.golem.de/news/sweet32-kurze-verschluesselungsbloecke-sorgen-fuer…
*** Cisco ships security patches for the NSA exploit ExtraBacon ***
---------------------------------------------
Admins no longer need to secure firewalls running the Adaptive Security Appliance (ASA) software with a workaround: Cisco closes the vulnerability with fixed versions.
---------------------------------------------
http://heise.de/-3304688
*** Fake Bank Austria e-mail: "Payment confirmation for monthly fee" ***
---------------------------------------------
Internet users are receiving a supposed notification from Bank Austria. It claims that the newsletter and a prize draw cost EUR 39.99 per month, and that customers should confirm their use of the service on a website. Recipients of the e-mail must not do so, because otherwise they hand their login credentials to criminals.
---------------------------------------------
https://www.watchlist-internet.at/phishing/falsche-bank-austria-mail-zahlun…
*** Security Advisory - Resource Management Vulnerability in Huawei Servers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
*** Stolen devices to blame for many breaches in the financial services sector ***
---------------------------------------------
Bitglass performed an analysis of all breaches in the financial services sector since 2006, with data aggregated from public databases and government mandated disclosures. They found that leaks nearly doubled between ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/25/breaches-financial-services-sect…
*** Fake Verbund invoice spreads malware ***
---------------------------------------------
An invoice from the electricity provider Verbund turns up in the inbox, telling customers they can view the payment request on the website "verbund-bill.com". Recipients must not do so, because otherwise they install malware on their computer that renders the PC unusable. The criminals then demand bitcoins to undo that.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/falsche-verbund-re…
*** BMI warns: first the iPhone is pickpocketed, then comes the phishing ***
---------------------------------------------
More and more iPhones are being stolen in Austria. Afterwards, a scam is used to disable the remote lock.
---------------------------------------------
http://futurezone.at/digital-life/bmi-warnt-erst-taschendiebstahl-von-iphon…
*** How the Consumer Product Safety Commission is (Inadvertently) Behind the Internet’s Largest DDoS Attacks ***
---------------------------------------------
The mission of the United States Government's Consumer Product Safety Commission (CPSC) is to protect consumers from injury by products. It's ironic then that the CPSC ..
---------------------------------------------
https://blog.cloudflare.com/how-the-consumer-product-safety-commission-is-i…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 23-08-2016 18:00 − Wednesday 24-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** The SWEET32 Issue, CVE-2016-2183 ***
---------------------------------------------
Today, Karthik Bhargavan and Gaetan Leurent from Inria have unveiled a new attack on Triple-DES, SWEET32 ("Birthday attacks on 64-bit block ciphers in TLS and OpenVPN"). It has been assigned CVE-2016-2183. This post gives a bit of background and describes what OpenSSL is doing. For more details, see their website.
---------------------------------------------
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
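Both SWEET32 entries in this digest (the golem.de summary above and this OpenSSL post) rest on the birthday bound: with a b-bit block cipher, two ciphertext blocks under the same key collide with probability about p = 1 - exp(-n^2 / (2 * 2^b)) after n blocks, so for b = 64 a collision becomes likely after roughly 2^32 blocks, i.e. tens of gigabytes on one connection, while for b = 128 the same point lies 2^32 times further away. The block below is an added example for this digest, not code from OpenSSL or the researchers. It carries that derivation through for both block sizes and then applies the practical check an operator wants: which entries of a cipher list (constructed here in OpenSSL naming; OpenVPN's BF-CBC uses the same token convention) still use a 64-bit block cipher. The token table is an assumption covering 3DES and Blowfish as named in the articles plus single DES and IDEA, which share the block size.

```python
import math

def blocks_for_collision(block_bits, probability=0.5):
    """Blocks encrypted under one key before two ciphertext blocks collide
    with the given probability, from the birthday approximation
    p = 1 - exp(-n^2 / (2 * 2^b))  =>  n = sqrt(2 * 2^b * ln(1 / (1 - p)))."""
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    space = 2.0 ** block_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))

def bytes_for_collision(block_bits, probability=0.5):
    """Same bound expressed as traffic volume (block size in bytes)."""
    return blocks_for_collision(block_bits, probability) * (block_bits / 8.0)

# Algorithm tokens denoting a 64-bit block cipher in OpenSSL / IANA suite
# names (constructed table; assumption: tokens are separated by '-' or '_').
SIXTY_FOUR_BIT_TOKENS = {"3DES", "DES", "BF", "IDEA"}

def is_64bit_block_suite(suite):
    """True for names such as DES-CBC3-SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    BF-CBC or IDEA-CBC-SHA; false for AES and ChaCha20 suites."""
    tokens = suite.upper().replace("_", "-").split("-")
    return any(token in SIXTY_FOUR_BIT_TOKENS for token in tokens)

def sweet32_exposed(suites):
    """Subset of a server's cipher list that SWEET32 applies to."""
    return [s for s in suites if is_64bit_block_suite(s)]

# Constructed cipher list in OpenSSL naming, as `openssl ciphers` prints it.
SAMPLE_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "IDEA-CBC-SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    for bits in (64, 128):
        print("%3d-bit blocks: ~2^%.1f blocks, ~%.0f GB at p=0.5"
              % (bits, math.log2(blocks_for_collision(bits)),
                 bytes_for_collision(bits) / 1e9))
    print("SWEET32-exposed suites:", sweet32_exposed(SAMPLE_CIPHER_LIST))
```

The numbers explain both the articles' "many gigabytes" and why the practical answer is not a key size change but removing 64-bit block ciphers from the list (or, failing that, rekeying well below 2^32 blocks); the same function over a client's offered list shows whether it would still negotiate one.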
*** "Wildfire" Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free ***
---------------------------------------------
Intel Security and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/wildfire-ransomware-extinguished-tool-…
*** BSI publishes update to its Top 10 threats for Industrial Control Systems ***
---------------------------------------------
The German Federal Office for Information Security (BSI) continuously monitors the threat situation for Industrial Control Systems. Since 2012, the BSI has summarised the most serious threats and suitable countermeasures in the document "Industrial Control System Security - Top 10 Bedrohungen und Gegenmaßnahmen" (Top 10 threats and countermeasures). For 2016 the office has now released an update of the paper.
---------------------------------------------
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/infos/20160823_Update_…
*** NSA exploit ExtraBacon said to threaten considerably more Cisco firewalls ***
---------------------------------------------
Investigations by security researchers suggest that newer versions of the Cisco Adaptive Security Appliance (ASA) are also vulnerable.
---------------------------------------------
http://heise.de/-3303629
*** Privilege Escalation on Linux with Live examples ***
---------------------------------------------
Introduction: One of the most important phases during a penetration test or vulnerability assessment is privilege escalation. During that step, hackers and security researchers attempt to find a way (exploit, bug, misconfiguration) to escalate between the system's accounts. Of course, vertical privilege escalation is the ultimate goal. For many security researchers, this is a fascinating...
---------------------------------------------
http://resources.infosecinstitute.com/privilege-escalation-linux-live-examp…
*** Researchers see holes in Apple's iOS sandbox ***
---------------------------------------------
According to researchers, the iOS sandbox has "worrying security vulnerabilities" that give apps access to user data they are supposed to be denied - and let them interfere with the system. Apple apparently intends to close the flaws with iOS 10.
---------------------------------------------
http://heise.de/-3304068
*** VMSA-2016-0013 ***
---------------------------------------------
VMware Identity Manager and vRealize Automation updates address multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0013.html
*** Moxa OnCell Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in Moxa's OnCell products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-236-01
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Weak Encryption Algorithm Vulnerability in Huawei Servers ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - XXE Vulnerability in the E9000 ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Uncontrolled Format String Vulnerability on Multiple Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Reset Password and Information Leak Vulnerabilities in Huawei UMA ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Two Command Injection Vulnerabilities in Huawei UMA ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Information Leak Vulnerability in Huawei FusionSphere Product ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 22-08-2016 18:00 − Tuesday 23-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: WordPress CVE-2016-6897 Cross Site Request Forgery Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92572
*** Juniper Acknowledges Equation Group Targeted ScreenOS ***
---------------------------------------------
Juniper Networks on Friday acknowledged that implants contained in the ShadowBrokers data dump target NetScreen firewalls running ScreenOS.
---------------------------------------------
http://threatpost.com/juniper-acknowledges-equation-group-exploits-target-s…
*** Obihai Patches Memory Corruption, DoS, CSRF Vulnerabilities in IP Phones ***
---------------------------------------------
Obihai Technology recently patched a slew of issues in its ObiPhone IP phone products that could have led to memory corruption, a buffer overflow, and denial of service conditions, among other outcomes.
---------------------------------------------
http://threatpost.com/obihai-patches-memory-corruption-dos-csrf-vulnerabili…
*** Vuln: PHP php_quot_print_encode() Function Integer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92588
*** shellray: a PHP webshell detector ***
---------------------------------------------
nimbusec shellray is a free online webshell detector for .php files.
---------------------------------------------
https://shellray.com/de/
*** Voice Message Notifications Deliver Ransomware ***
---------------------------------------------
Bad guys need to constantly find new ways to lure their victims. If billing notifications were very common for a while, not all people in a company are working ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21397
*** Security Notice - Statement About Toolkit Released by Shadow Brokers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160823-01-…
*** "Security check" for Bank Austria customers ***
---------------------------------------------
A fake Bank Austria e-mail is circulating. In it, criminals claim that customers have to carry out a security check. From this ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/sicherheits-check-bei-bank-austr…
*** SandScout: attack on Apple's sandbox ***
---------------------------------------------
In security comparisons with Android, iOS usually comes out ahead. In a recent experiment, however, researchers succeeded in carrying out an attack on the sandboxing of iOS apps.
---------------------------------------------
http://www.golem.de/news/sandscout-angriff-auf-apples-sandkasten-1608-12285…
*** Timing of Browser-Based Security Alerts Could Be Better ***
---------------------------------------------
New academic research shows that security warnings should be better timed to pop up when computers users are less likely to be multitasking.
---------------------------------------------
http://threatpost.com/timing-of-browser-based-security-alerts-could-be-bett…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 19-08-2016 18:00 − Monday 22-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Shadow Brokers Release of Hacking Code ***
---------------------------------------------
Juniper responds to hacking code released by The Shadow Brokers.
---------------------------------------------
https://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Rel…
*** Cisco ASA SNMP Remote Code Execution Vulnerability, (Sun, Aug 21st) ***
---------------------------------------------
Looking back through all the vulnerabilities announced this week, one caught my eye. CVE-2016-6366 is a vulnerability in the Cisco ASA products which could allow a remote attacker to remotely execute code. This vulnerability is part of the Equation Group disclosures and was not previously known by Cisco. The vulnerability is in the SNMP code on the ASA and would allow an attacker with knowledge of the SNMP community string to send crafted IPv4 SNMP traffic which could be used to reload the system...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21389&rss
*** I got the power - over your IoT power-point ***
---------------------------------------------
It never gets better, does it? The latest "your IoT security is rubbish" takes the world one step closer to "burn it all and try again": a "smart" electrical outlet that's actually a whole-of-network attack vector.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/22/i_got_the_p…
*** How to get your network and security teams working together ***
---------------------------------------------
It's not surprising that network and security teams aren't always on the same page. After all, networks need to be fast and efficient, while security is about slowing things down and implementing extra steps to help meet security measures. While both teams are a part of the IT department, and need to work together in the event of a breach, each group has its own objectives and expectations. But when a data breach or security threat strikes, businesses need both teams working together to help get...
---------------------------------------------
http://www.cio.com/article/3110264/careers-staffing/how-to-get-your-network…
*** Threat intelligence report for the telecommunications industry ***
---------------------------------------------
The telecoms sector is under fire on all sides - hit by direct attacks on organizations and networks, indirect attacks in search of subscribers, and collateral damage from unrelated, targeted campaigns. This report reveals the many layers of vulnerability.
---------------------------------------------
http://securelist.com/analysis/publications/75846/threat-intelligence-repor…
*** Open sourced: Cyber reasoning system that won third place in DARPA's Cyber Grand Challenge ***
---------------------------------------------
Earlier this month, the DARPA-backed Cyber Grand Challenge (CGC) has shown that a future in which computer systems will (wholly or partially) replace bug hunters and patchers looms near. Now, the team that has won third place in the contest - Shellphish of Santa Barbara, California - has open sourced many of the components of its winning Mechanical Phish cyber reasoning system. But individuals and teams interested in testing and advancing the system will have...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/22/cyber-reasoning-system/
*** Finding and Enumerating Processes within Memory-Part 3 ***
---------------------------------------------
Continuing with the series, in this article we will learn about the enumeration of important structures such as heaps, environment variables, and the DLLs pointed to by the main PEB. To recap, in the previous two articles we looked at how to find processes within memory and then enumerated structures like Page Tables, VADs, and the PEB. Dynamic...
---------------------------------------------
http://resources.infosecinstitute.com/finding-enumerating-processes-within-…
*** Announcing the Heimdal Cyber Security Glossary ***
---------------------------------------------
Not too long ago, I was a total newbie in the cyber security field. Although I understood some of the basics, there was an entire universe for me to explore, from concepts to how they translate into action. What I found most baffling in the beginning were some of the technical terms. Of course I...
---------------------------------------------
https://heimdalsecurity.com/blog/heimdal-cyber-security-glossary/
*** Young European white hat hackers meet for the 2nd Cyber Security Challenge competition ***
---------------------------------------------
On the 7th of November, young European white hat hackers will meet at Düsseldorf to measure their skills in attacking and defending computer systems.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/young-european-white-hat-hacker…
*** Bugtraq: [security bulletin] HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539280
*** Vuln: MatrixSSL Multiple Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/91488
*** ZDI-16-487: AVG Internet Security avgtdix.sys Kernel Driver Untrusted Pointer Dereference Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on vulnerable installations of AVG Internet Security. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-487/
*** Security Advisory: Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16347.htm…
*** Self Service Password Reset 3.3.1.6 ***
---------------------------------------------
Abstract: These files contain all updates made to SSPR 3.3.1 since the release of SSPR 3.3.1. This is a complete build of SSPR. SSPR 3.3.1 Patch 6 includes several new fixes. It also includes a security fix which was originally included in SSPR 3.3.1 HF2. Without this fix SSPR is vulnerable to a cross-site-scripting (XSS) attack (CVE-2016-1599, reported by Tom Ravenscroft of Datacom TSS). For more details see TID # 7017399 at https://www.netiq.com/support/kb/doc.php?id=7017399. It is mandatory...
---------------------------------------------
https://download.novell.com/Download?buildid=AYDcXUSlNzI~
*** WordPress 4.5.3 - Authenticated Denial of Service (DoS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8606
*** Newtec Satellite Modem MDM6000 2.2.5 Cross-Site Scripting Vulnerability ***
---------------------------------------------
Newtec Satellite Modem MDM6000 suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5359.php
*** Sakai 10.7 Multiple Vulnerabilities ***
---------------------------------------------
Sakai suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. There is also a file disclosure vulnerability when calling the custom tool script: the input is not properly verified before being used to read files. This can be exploited to disclose...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php
*** tcPbX - (tcpbx_lang) Local File Inclusion ***
---------------------------------------------
Topic: tcPbX - (tcpbx_lang) Local File Inclusion Risk: Medium Text: Vulnerable hardware : tcpbx voip distro Vendor : www.tcpbx.org Author : Ahmed sultan (@0x4148) Email : 0x4148(a)gmail.com ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080196
*** ZYCOO IP Phone System - Remote Command Execution ***
---------------------------------------------
Topic: ZYCOO IP Phone System - Remote Command Execution Risk: High Text: Vulnerable hardware : ZYCOO IP phone system Vendor : zycoo.com Author : Ahmed sultan (@0x4148) Email : 0x4148(a)gmail.com ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080195
*** C2S DVR Management Remote Credentials Disclosure & Authentication Bypass ***
---------------------------------------------
Topic: C2S DVR Management Remote Credentials Disclosure & Authentication Bypass Risk: High Text: 1. Advisory Information = Title : C2S DVR Management Remote Credentials Disclosure & Authentic...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080192
*** IP-Camera Vulnerabilities ***
---------------------------------------------
*** MESSOA NIC990 IP-Camera auth bypass configuration download ***
https://cxsecurity.com/issue/WLB-2016080194
---------------------------------------------
*** TOSHIBA IK-WP41A IP-Camera auth bypass configuration download ***
https://cxsecurity.com/issue/WLB-2016080193
---------------------------------------------
*** JVC IP-Camera (VN-T216VPRU) Remote Credentials Disclosure ***
https://cxsecurity.com/issue/WLB-2016080191
---------------------------------------------
*** Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Remote Credentials Disclosure ***
https://cxsecurity.com/issue/WLB-2016080190
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 18-08-2016 18:00 − Friday 19-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** 18 years of predictable random numbers in GnuPG ***
---------------------------------------------
For a long time a security vulnerability lay dormant in Libgcrypt, the crypto library of the GnuPG project. Fortunately, it appears that users will be spared a large-scale replacement of PGP keys.
---------------------------------------------
http://heise.de/-3300159
*** News from Locky: the ransomware trojan is now attacking hospitals en masse ***
---------------------------------------------
The people behind Locky are shifting their focus from arbitrary internet users to companies. Hospitals in particular have proven to be a lucrative target.
---------------------------------------------
http://heise.de/-3300555
*** Doctor Web discovers self-spreading Linux Trojan that can create P2P botnets ***
---------------------------------------------
August 19, 2016 The Linux operating system remains a major target for virus makers. Doctor Web's security researchers have examined yet another Trojan for Linux written in the Go programming language. This malware program attacks web servers that use various CMS, performs DDoS attacks, sends out spam messages, and distributes itself over networks. The new Trojan, named Linux.Rex.1, was first spotted by Kernelmode forum users who referred to this malware as "Drupal ransomware"...
---------------------------------------------
http://news.drweb.com/show/?i=10157&lng=en&c=9
*** Ransomware trojan Cerber arms itself against decryption tools ***
---------------------------------------------
Check Point's and Trend Micro's free decryption tools can no longer free data from the clutches of the current version of the Cerber encryption trojan.
---------------------------------------------
http://heise.de/-3300589
*** Serious vulnerability in Teamspeak server disclosed ***
---------------------------------------------
Attackers can inject malicious code via the current version of the Teamspeak server and execute it on the server. Because the security researcher who discovered the vulnerability did not inform the developers beforehand, there is currently no patch.
---------------------------------------------
http://heise.de/-3300608
*** Pixpocket: how the NSA could have spied on VPNs ***
---------------------------------------------
The Shadow Brokers data set may provide information on how the NSA was able to eavesdrop on VPN connections. The vulnerability has similarities with Heartbleed.
---------------------------------------------
http://www.golem.de/news/pixpocket-so-haette-die-nsa-vpns-ausspionieren-koe…
*** DFN-CERT-2016-1359: PHP: multiple vulnerabilities allow, among other things, the execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1359/
*** Bugtraq: Horizontal Privilege Escalation/Code Injection in ownCloud's Windows Client ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539269
*** Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the handling of Secure Shell (SSH) TCP packets in the Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to low memory on the device. The vulnerability is due to the handling of out-of-order, or otherwise invalid, TCP packets on an SSH connection to the device. An attacker could exploit this vulnerability by connecting via SSH to the device and then crafting TCP packets which are out of
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Navis WebAccess SQL Injection Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting Navis WebAccess application. This report was released by "bRpsd" without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to the affected vendor to validate the report. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to this and other cybersecurity attacks.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-230-01
*** IBM Security Bulletin: IBM Connections Security Update ***
---------------------------------------------
IBM Connections Security Update for multiple CVEs. There are multiple vulnerabilities in IBM Connections, see details below for remediation information. CVE(s): CVE-2016-2995, CVE-2016-2997, CVE-2016-2998, CVE-2016-3005, CVE-2016-3010 Affected product(s) and affected version(s): The following versions of IBM Connections are impacted: IBM Connections 5.5, IBM Connections 5.0, IBM Connections 4.5, IBM Connections 4.0 Refer to the following...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988991
*** IBM Security Bulletin: The IBM BigFix Platform has a Cross-Site Scripting vulnerability (CVE-2016-0293 ) ***
---------------------------------------------
A .beswrpt can be injected/modified to contain malicious JavaScript CVE(s): CVE-2016-0293 Affected product(s) and affected version(s): 9.0, 9.1, 9.2 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21985743 X-Force Database:...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21985743
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 17-08-2016 18:00 − Thursday 18-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Firepower Management Center Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web-based GUI of Cisco Firepower Management Center and Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services could allow an authenticated, remote attacker to perform unauthorized remote command execution on the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Enterprise Module Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the Grapevine update process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Afterworks – Best of Summer of Security Conferences ***
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-best-of-summer-of-s…
*** Cookie Parser Buffer Overflow Vulnerability ***
---------------------------------------------
FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result ..
---------------------------------------------
http://fortiguard.com/advisory/cookie-parser-buffer-overflow-vulnerability
*** Browser Address Bar Spoofing Vulnerability Disclosed ***
---------------------------------------------
Chrome, Firefox and likely other major browsers are afflicted by a vulnerability that allows attackers to spoof URLs in the address bar.
---------------------------------------------
http://threatpost.com/browser-address-bar-spoofing-vulnerability-disclosed/…
*** Panelizer - Moderately Critical - Access Bypass - SA-CONTRIB-2016-048 ***
---------------------------------------------
https://www.drupal.org/node/2785687
*** Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047 ***
---------------------------------------------
https://www.drupal.org/node/2785631
*** Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046 ***
---------------------------------------------
https://www.drupal.org/node/2785531
*** Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Patches ASA Zero Days Exposed by ShadowBrokers ***
---------------------------------------------
Cisco today patched two vulnerabilities in its Adaptive Security Appliance that were leaked in the ShadowBrokers data dump of Equation Group exploits.
---------------------------------------------
http://threatpost.com/cisco-patches-asa-zero-days-exposed-by-shadowbrokers/…
*** 1 compromised site - 2 campaigns, (Thu, Aug 18th) ***
---------------------------------------------
Earlier today, I ran across a compromised website with injected script from both the pseudo-Darkleech campaign and the EITest campaign. This is similar to another compromised site I reported back in June ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21381
*** DSA-3649 gnupg - security update ***
---------------------------------------------
Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3649
*** Bitcoin targeted by state sponsored attackers says Bitcoin.org ***
---------------------------------------------
Bitcoin Core devs don't know about threat, advise usual signatures and hash checks Update Bitcoin.org is warning that the Bitcoin Core, the as-close-to-official-as-it-gets version of ..
---------------------------------------------
www.theregister.co.uk/2016/08/18/bitcoin_targeted_by_state_sponsored_attack…
*** PayPal patches 2FA portal bug ***
---------------------------------------------
Attacker could log in to account without triggering confirmation text PayPal has patched a two-factor authentication (2FA) bug that could have let an attacker bypass its login processes.
---------------------------------------------
www.theregister.co.uk/2016/08/18/paypal_patches_2fa_portal_bug/
*** If this headline was a security warning 90% of you would ignore it ***
---------------------------------------------
Boffins find interrupting users with pop-ups in the middle of things just doesn't work Developers, advertisers, and scammers be warned; boffins say your pop-ups will be almost universally ignored if they interrupt users.
---------------------------------------------
www.theregister.co.uk/2016/08/18/coding_pop_ups_hit_em_when_theyre_idling_u…
*** Fake software: Bitcoin feels under attack by states ***
---------------------------------------------
Manipulated Bitcoin software? That is apparently what the project assumes. In a blog post, the developers warn of state attacks on the upcoming release. The project also gives advice to users.
---------------------------------------------
http://www.golem.de/news/gefaelschte-software-bitcoin-fuehlt-sich-durch-sta…
*** Let's Encrypt ups rate limits ***
---------------------------------------------
20 is plenty Let's Encrypt has revised its rate limits to make life easier for large organisations and hosting providers who use its services.
---------------------------------------------
www.theregister.co.uk/2016/08/18/lets_encrypt_clarifies_rate_limit_rules/
*** The Shadow Brokers EPICBANANAS and EXTRABACON Exploits ***
---------------------------------------------
On August 15th, 2016, Cisco was alerted to information posted online by the “Shadow Brokers”, which claimed to possess disclosures from the Equation Group. The files included exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls.
---------------------------------------------
https://blogs.cisco.com/security/shadow-brokers
*** Locky Targets Hospitals In Massive Wave Of Ransomware Attacks ***
---------------------------------------------
A massive wave of Locky ransomware delivered via DOCM attachments is targeting the healthcare sector this month.
---------------------------------------------
http://threatpost.com/locky-targets-hospitals-in-massive-wave-of-ransomware…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 16-08-2016 18:00 − Wednesday 17-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SQL Injection Vulnerability in Ninja Forms ***
---------------------------------------------
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.
---------------------------------------------
https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html
*** PMASA-2016-38 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-38/
*** PMASA-2016-34 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-34/
*** PMASA-2016-39 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-39/
*** PMASA-2016-43 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-43/
*** PMASA-2016-54 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-54/
*** PGP admins: Kill short keys now, or Alice will become Chuck ***
---------------------------------------------
Someone's impersonating the likes of Linus Torvalds with attacks via keyservers The issue of short ..
---------------------------------------------
www.theregister.co.uk/2016/08/17/pgp_admins_kill_short_keys_now_or_alice_wi…
*** Snowden: NSA leak by hackers is a "Russian message" to the USA ***
---------------------------------------------
The NSA whistleblower insinuates that Russian hackers want to use it to soften the reaction to the break-in at the Democrats
---------------------------------------------
http://derstandard.at/2000042924155
*** Maintenance work Thursday, 18 August 2016, afternoon ***
---------------------------------------------
On Thursday, 18 August 2016, in the afternoon, we have to carry out urgent maintenance work on our infrastructure. This will lead to short outages of the externally reachable services (e.g. email, web server, mailing lists) - no data (e.g. emails) will be lost, which ..
---------------------------------------------
http://www.cert.at/services/blog/20160817111811-1777.html
*** VxWorks: Execute My Packets ***
---------------------------------------------
Earlier this year we reported 3 vulnerabilities in VxWorks to Wind River. Each of these vulnerabilities can be exploited by anonymous remote attackers on the same ..
---------------------------------------------
https://blog.exodusintel.com/2016/08/09/vxworks-execute-my-packets/
*** Security concerns: providers and activists united against router lockdown ***
---------------------------------------------
In Austria, too, router firmware is to be regulated in future. Activists and ISPs criticize the planned rules, which assume that routers would have no security vulnerabilities.
---------------------------------------------
http://www.golem.de/news/sicherheitsbedenken-provider-und-aktivisten-verein…
*** New wave of targeted attacks focus on industrial organizations ***
---------------------------------------------
Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. Dubbed Operation ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/17/operation-ghoul/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 12-08-2016 18:00 − Tuesday 16-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hacker published further documents of the US Democrats ***
---------------------------------------------
Among them personal mobile phone numbers and e-mail addresses of almost 200 lawmakers
---------------------------------------------
http://derstandard.at/2000042820320
*** Olympics: hacker attack on doping whistleblower Stepanowa ***
---------------------------------------------
http://derstandard.at/2000042830707
*** CVE-2016-5696 and its effects on Tor ***
---------------------------------------------
tl;dr: This vulnerability is quite serious, but it doesn't affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.
---------------------------------------------
https://blog.patternsinthevoid.net/cve-2016-5696-and-its-effects-on-tor.html
*** Forensics tool: researchers recover content from WhatsApp and Signal ***
---------------------------------------------
With the help of an app, law enforcement agencies are supposed to be able to ... content of messenger apps ..
---------------------------------------------
http://www.golem.de/news/forensik-tool-forscher-stellen-inhalte-von-whatsap…
*** Pokemon Go ransomware encrypts, extorts and snoops ***
---------------------------------------------
Behind a fake version of the smartphone game PokemonGo for PCs is a ransomware trojan that is after users' data.
---------------------------------------------
http://heise.de/-3294543
*** User gets Windows scammer to install ransomware ***
---------------------------------------------
User turns the tables and provides a deterrent for fake support callers
---------------------------------------------
http://derstandard.at/2000042856802
*** Encryption: e-mails about Veracrypt audit vanish without a trace ***
---------------------------------------------
An audit is to check whether the Truecrypt successor Veracrypt has security vulnerabilities. The organizers of the initiative report that the effort is being sabotaged - e-mails are disappearing without a trace.
---------------------------------------------
http://www.golem.de/news/geplanter-audit-mails-zu-veracrypt-audit-verschwin…
*** Exploit kit shakedown: RIG EK grabs Neutrino EK campaigns ***
---------------------------------------------
Something unusual happened in the exploit kit ecosystem. Two well-known malware distribution campaigns switched from Neutrino EK to RIG EK. A temporary ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016…
*** Hackers claim to have stolen NSA spying tools ***
---------------------------------------------
Security researchers assume the leak is genuine; hackers announce an "auction"
---------------------------------------------
http://derstandard.at/2000042884275
*** BlackBerry also patches the fourth Quadrooter vulnerability ***
---------------------------------------------
Three of the vulnerabilities that became known at Black Hat USA had already been fixed with the monthly security update. BlackBerry is now closing the fourth with a hotfix.
---------------------------------------------
http://heise.de/-3295312
*** The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group? ***
---------------------------------------------
This week a hacker group going by the name The Shadow Brokers has surfaced and appears to be auctioning off computer exploits it claims are stolen from the Equation ..
---------------------------------------------
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-sh…
*** Shade: not by encryption alone ***
---------------------------------------------
Malefactors continue to expand the features of ransomware as they try to extract maximum benefit from the compromise of infected computers. We recently found an interesting example of such an 'upgrade': a new logic in the latest ..
---------------------------------------------
https://securelist.com/blog/research/75645/shade-not-by-encryption-alone/
*** Job applications spread malware ***
---------------------------------------------
Criminals approach companies with supposed job application letters and ask the ..
---------------------------------------------
https://www.watchlist-internet.at/schadsoftware/bewerbungen-verbreiten-scha…
*** Secunia Research: Bad statistics create a false impression of security ***
---------------------------------------------
Secunia Research looked at how well users maintain their systems. The good news: Windows is generally kept up to date. The bad news: when it comes to ..
---------------------------------------------
http://www.golem.de/news/secunia-research-mit-schlechten-statistiken-zum-fa…
*** Microsoft changes its patch system for older Windows versions ***
---------------------------------------------
In the future, patch packages are to be released once a month and will also contain older fixes
---------------------------------------------
http://derstandard.at/2000042906045
*** Detection and Prevention of DNS Anomalies ***
---------------------------------------------
Malware and botnets have been a threat to systems and networks for several years. The usual methods of detecting a virus with a local virus scanner, or its spreading with an intrusion detection system (IDS), will not mitigate the ..
---------------------------------------------
http://resources.infosecinstitute.com/detection-prevention-dns-anomalies/
*** P@55w0rd5 - Blessing or curse? ***
---------------------------------------------
By now, everybody has passwords for something, just like keys to different doors. The more doors you have to unlock, the bigger your keychain is going to be. This in turn ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/28917-p-55w0rd5-blessing-or-curse
*** The hum of a hard disk gives away secrets ***
---------------------------------------------
By analysing the sounds of accesses to a hard disk, security researchers read data from a computer to which they have no direct access.
---------------------------------------------
http://heise.de/-3295965
*** Cerber ransomware earns $2.3mil with 0.3% response rate ***
---------------------------------------------
The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber ..
---------------------------------------------
http://www.cio.com/article/3108368/cyber-attacks-espionage/cerber-ransomwar…
*** Microsoft Authenticator: two-factor authentication app arrives for Android and iOS ***
---------------------------------------------
Microsoft has released its new Authenticator authorisation app for Android and iOS as well. It lets users add a second layer of protection to logins on a PC. Conveniently, multiple accounts can be used, including those of services Microsoft does not operate itself.
---------------------------------------------
http://www.golem.de/news/microsoft-authenticator-zweiwege-authentifizierung…
*** CEO fraud: German automotive supplier Leoni defrauded of millions ***
---------------------------------------------
The German automotive supplier Leoni has fallen victim to a multi-million fraud. The as yet unknown perpetrators ..
---------------------------------------------
http://derstandard.at/2000042922341-406
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 11-08-2016 18:00 − Friday 12-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** An ATM hack and a PIN-pad hack show chip cards aren't impervious to fraud ***
---------------------------------------------
The good news? Hacks are limited for now. The bad news? Hackers will get better.
---------------------------------------------
http://arstechnica.com/security/2016/08/an-atm-hack-and-a-pin-pad-hack-show…
*** Four free tools for handling Amazon Web Services security incident response ***
---------------------------------------------
Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier. Obtaining forensic evidence is different, primarily because security pros can't obtain physical access to the machines on which their AWS instances are running...
---------------------------------------------
http://www.cio.com/article/3106302/security/four-free-tools-for-handling-am…
*** Looking for the insider: Forensic Artifacts on iOS Messaging App, (Thu, Aug 11th) ***
---------------------------------------------
Most of the times we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc. However, sometimes the threat may come from the inside. In fact, it is not so uncommon to have disloyal/disgruntled employees exfiltrating information from the company (e.g. Intellectual Property to competitors, confidential information to the press, etc.). In such situations, a full forensics analysis of the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21363&rss
*** Decrypting Chimera ransomware ***
---------------------------------------------
We take a technical look at validating the leaked Chimera ransomware keys, as well as whether we can decrypt files with these keys.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomw…
*** Ransomware Decryption Tools ***
---------------------------------------------
IMPORTANT! Before downloading and starting the solution, read the how-to guide. Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
---------------------------------------------
https://www.nomoreransom.org/decryption-tools.html
*** Analyzing and Cleaning Hijacked Google SEO Spam Results ***
---------------------------------------------
Blackhat SEO spam comes in many forms, and one of the most nefarious is hijacked search results. This happens when search engines crawl and display unwanted content in the title and description of infected web pages. The negative impact to the infected website cannot be understated. This harms the website's reputation with visitors and will...
---------------------------------------------
https://blog.sucuri.net/2016/08/cleaning-hijacked-google-seo-spam-results.h…
*** Microsoft's compromised Secure Boot implementation ***
---------------------------------------------
There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation. Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so...
---------------------------------------------
http://mjg59.dreamwidth.org/44223.html
*** Security fixes available for Ruby on Rails ***
---------------------------------------------
The updates prevent cross-site scripting attacks via html_safe in major versions 3, 4 and 5, as well as the possibility of manipulating queries in Rails 4.2.x.
---------------------------------------------
http://heise.de/-3293426
*** This is strictly a violation of the TCP specification ***
---------------------------------------------
I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error. 522 error on CloudFlare indicates a connection issue between our edge server and the...
---------------------------------------------
https://blog.cloudflare.com/this-is-strictly-a-violation-of-the-tcp-specifi…
*** Finding and Enumerating Processes within Memory: Memory and Volatility ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-wit…
*** VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#301735 ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials | Original Release date: 12 Aug 2016 | Last revised: 12 Aug 2016 | Overview: The ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default. | Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-5081. According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet.
---------------------------------------------
http://www.kb.cert.org/vuls/id/301735
*** HPSBHF03440 rev.1 - HPE iLO 3 using JQuery, Remote Cross-Site Scripting (XSS) ***
---------------------------------------------
A potential security vulnerability in JQuery was addressed by HPE Integrated Lights-Out 3. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05232730
*** HPSBGN03630 rev.2 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed in the AdminUI of HP Operations Manager for Unix, Solaris and Linux. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr…
*** IDM 4.5 SOAP Driver Version 4.0.0.4 ***
---------------------------------------------
Abstract: Patch update for the Novell Identity Manager SOAP driver. The patch will take the driver version to 4.0.0.4. You must have IDM 4.0.2 or later to use this driver. | Document ID: 5251690 | Security Alert: Yes | Distribution Type: Field Test File | Entitlement Required: No | Files: IDM45_SOAP_4004.zip (161.66 kB) | Products: Identity Manager 4.5 | Superseded Patches: IDM 4.5 SOAP Driver Version 4.0.0.3
---------------------------------------------
https://download.novell.com/Download?buildid=95cHErCKIOQ~
*** F5 Security Advisory: libssh2 vulnerability CVE-2016-0787 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21531693.html?…
*** F5 Security Advisory: TMM vulnerability CVE-2016-5023 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/19/sol19784568.html?…
*** VU#332115: D-Link routers contain buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#332115 D-Link routers contain buffer overflow vulnerability | Original Release date: 11 Aug 2016 | Last revised: 11 Aug 2016 | Overview: D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code. | Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-5681. A stack-based buffer overflow occurs in the function within the cgibin binary which validates the session cookie. This function is used by a service...
---------------------------------------------
http://www.kb.cert.org/vuls/id/332115
*** Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privileged simple network management protocol vulnerability in Rockwell Automation's MicroLogix 1400 programmable logic controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-224-01
*** DSA-3646 postgresql-9.4 - security update ***
---------------------------------------------
Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database system.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3646
*** FortiVoice 5.0 Filter Bypass & Persistent Web Vulnerabilities ***
---------------------------------------------
A vulnerability in the FortiVoice 5.0 web application could allow a malicious script to be injected into the affected module; this potentially enables XSS attacks.
---------------------------------------------
http://fortiguard.com/advisory/fortivoice-5-0-filter-bypass-persistent-web-…
*** Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP table and eventually cause a reload of the affected device. The vulnerability is due to improper processing of illegal ARP packets. An attacker could exploit this vulnerability by sending crafted ARP packets to be processed by an affected device. An exploit could allow the attacker to...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21987903
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988350
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000178
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987636
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987638
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2016-1283, CVE-2016-3191) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985982
---------------------------------------------
Next End-of-Shift report: 2016-08-16
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 10-08-2016 18:00 − Thursday 11-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security researchers hijack Linux HTTP connections ***
---------------------------------------------
A vulnerability in the Linux kernel endangers TCP connections. Under certain conditions, security researchers were able to hook into connections and, for example, disrupt and even manipulate them.
---------------------------------------------
http://heise.de/-3292257
*** Bing.VC Hijacks Browsers Using Legitimate Applications ***
---------------------------------------------
Browser hijackers are a type of malware that modifies a web browser's settings without the user's permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/bing-vc-hijacks-browser-using-legitima…
*** Profiling SSL Clients with tshark, (Wed, Aug 10th) ***
---------------------------------------------
Cisco recently published a paper showing how malicious SSL traffic sometimes uses very specific SSL options. Once you know what set of SSL options to look for, you will then be able to identify individual pieces of malware without having to decrypt the SSL traffic. (and before anybody complains: SSL does include TLS. I am just old fashioned that way) I wanted to see how well this applies to HTTPS traffic hitting the ISC website. I collected about 100 MB of traffic, which covered client hello...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21361&rss
*** Python-based TLS tester tool ***
---------------------------------------------
We at Oulu University Secure Programming Group, OUSPG for short, have been developing a neat little gadget called TryTLS. It is a systematic tester tool that checks the safety of TLS libraries. We think we have something of value here, as certificate handling is a very complex and overlooked issue. The tool and info on how to get started can be found here: https://github.com/ouspg/trytls We would really value your input if you could think of some good backends, tests or other resources that...
---------------------------------------------
http://www.reddit.com/r/netsec/comments/4x1z36/pythonbased_tls_tester_tool/
*** Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers ***
---------------------------------------------
An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself on the new...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/WKFxUVtVPG0/linux-trojan-mi…
*** CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS ***
---------------------------------------------
The HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical. In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/11/compression-oracle-attacks-https/
*** Volkswagen hack: opening 100 million cars with an Arduino ***
---------------------------------------------
With an Arduino and hardware worth 40 US dollars, almost all models of the VW Group from the last 15 years can be opened, security researchers say. The company has acknowledged the vulnerability. 14 other car manufacturers are affected.
---------------------------------------------
http://www.golem.de/news/hack-mit-dem-arduino-100-millionen-autos-oeffnen-1…
*** Road Warriors: Beware of "Video Jacking" ***
---------------------------------------------
A little-known feature of many modern smartphones is their ability to duplicate video on the device's screen so that it also shows up on a much larger display -- like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping. Dubbed "video jacking" by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the...
---------------------------------------------
http://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/
*** EyeLock nano NXT 3.5 Remote Root Exploit ***
---------------------------------------------
EyeLock's nano NXT firmware, latest version 3.5 (released 25.07.2016), suffers from multiple unauthenticated command injection vulnerabilities. The issue lies within the rpc.php script located in the /scripts directory and can be triggered when user-supplied input is not correctly sanitized while updating the local time for the device and/or getting info from a remote time server. The vulnerable script has two REQUEST parameters, timeserver and localtime, that are called within a shell_exec() function for...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
*** EyeLock nano NXT 3.5 Local File Disclosure Vulnerability ***
---------------------------------------------
nano NXT suffers from a file disclosure vulnerability when input passed through the path parameter to the logdownload.php script is not properly verified before being used to read files. This can be exploited to disclose the contents of files from local resources.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php
*** EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation ***
---------------------------------------------
The application suffers from an unquoted search path issue impacting the service MyrisService for Windows, deployed as part of the Myris solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php
*** Bugtraq: [CORE-2016-0006] - SAP CAR Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539180
*** SSA-378531 (Last Update 2016-08-11): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531…
*** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8022 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/12/sol12401251.html?…
*** Security Advisory: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10133477.html?…
*** Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the driver processing functions of Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a memory leak on the route processor (RP) of an affected device, which could cause the device to drop all control-plane protocols and lead to a denial of service (DoS) condition on a targeted system. The vulnerability is due to improper handling of crafted, fragmented packets that
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP Phone 8800 Series Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web application of the Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient sanitization of parameter values. An attacker could exploit this vulnerability by storing malicious code on a device and waiting for a user to access a web page that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code in the context of
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Connected Streaming Analytics Unauthorized Access Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco Connected Streaming Analytics could allow an authenticated, remote attacker to obtain sensitive information. The vulnerability is due to the inclusion of sensitive information in a server response when certain pages of the administrative web interface are accessed. An authenticated attacker who can view the affected configuration page of an affected system could obtain a service password used for event and report notification. This
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988019
---------------------------------------------
*** IBM Security Bulletin: IBM API Connect server credentials used for a specific restricted scenario may have been exposed (CVE-2016-3012) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988212
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Common Reporting (TCR) 2016Q2 Security Updater : IBM Tivoli Common Reporting is affected by multiple vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986669
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Refresh for CVE-2016-0310 ***
http://www.ibm.com/support/docview.wss?uid=swg21988338
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Refresh for CVE-2016-0305, CVE-2016-0307, CVE-2016-0308 ***
http://www.ibm.com/support/docview.wss?uid=swg21986770
---------------------------------------------
*** IBM Security Bulletin: Flexara InstallShield vulnerability affects IBM Mobile Connect (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21986258
---------------------------------------------
*** IBM Security Bulletin: IBM Active Content Filtering Vulnerability impacts IBM Docs (CVE-2016-0243) ***
http://www.ibm.com/support/docview.wss?uid=swg21986626
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 09-08-2016 18:00 − Wednesday 10-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fixing an Internet Security Threat ***
---------------------------------------------
A weakness in the Transmission Control Protocol (TCP) of all Linux operating systems since late 2012 enables attackers to hijack users' Internet communications completely remotely, researchers said.
---------------------------------------------
http://www.isssource.com/fixing-an-internet-security-threat/
*** August 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library.
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/08/09/august-2016-security-up…
*** Microsoft Patch Tuesday, August 2016, (Tue, Aug 9th) ***
---------------------------------------------
Today, Microsoft released a total of 9 security bulletins. 5 of the bulletins are rated critical, the rest are rated important. You can find our usual summary here: https://isc.sans.edu/mspatchdays.html?viewday=2016-08-09 (or via the API in various parsable formats) Some of the highlights: MS16-095/096: The usual Internet Explorer and Edge patches. Microsoft addresses nine vulnerabilities for Internet Explorer, and 8 for Edge. Note that there is a lot of overlap. Kind of makes you wonder how...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21357&rss
*** MSRT August 2016 release adds Neobar detection ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier:Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family. This blog discusses BrowserModifier:Win32/Neobar, and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/08/09/msrt-august-2016-releas…
*** Cardinal error: Microsoft accidentally checkmates Secure Boot ***
---------------------------------------------
Through a forgotten debug function, Microsoft has given every administrator the ability to disable Secure Boot, even remotely. And as if that were not embarrassing enough: two attempts to close the hole have already failed.
---------------------------------------------
http://heise.de/-3291946
*** Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die! ***
---------------------------------------------
Adobe plugin completely snubbed for HTML5. By the end of the year, Google Chrome will block virtually all Flash content and make whatever's left click-to-play by default.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/09/google_chro…
*** Factsheet Use virtualisation wisely ***
---------------------------------------------
Virtualisation of ICT services ensures more efficient and flexible use of hardware. This factsheet is about specific risks that arise when you use virtual servers to outsource ICT services. Your virtual server has an unknown number of virtual neighbours on the host. By using the newly discovered Flip Feng Shui attack method, an attacker can penetrate a virtual neighbour or have it install malware. To date, an attacker could only eavesdrop on the activity of virtual neighbours. The success...
---------------------------------------------
https://www.ncsc.nl/english/current-topics/factsheets/factsheet-use-virtual…
*** Research team presents Flip Feng Shui attack method at Usenix Security Symposium 2016 ***
---------------------------------------------
Researchers of the Vrije Universiteit Amsterdam and the Katholieke Universiteit Leuven discovered a new attack method, known as Flip Feng Shui. This is the first attack method that enables an attacker to change the contents of the memory of another virtual server. In this way, he can directly attack the virtual server. Previously discovered attack methods, so-called side channels, aim to eavesdrop on a virtual server on the same host and gain access to confidential information. On August the
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/researchteam-presents-flip-…
*** Encryption: Microsoft's Edge and Internet Explorer 11 throw RC4 overboard ***
---------------------------------------------
Effective immediately, the Edge and Internet Explorer 11 web browsers no longer open websites that rely on the RC4 encryption algorithm. Microsoft is currently rolling out the update required for this.
---------------------------------------------
http://heise.de/-3291361
*** Cursed primes: A subtle backdoor in the Diffie-Hellman key exchange ***
---------------------------------------------
If the Diffie-Hellman key exchange uses the wrong primes in the right place, an attacker can, under certain circumstances, obtain the secret keys. That would allow him to break open SSL connections, for example.
---------------------------------------------
http://heise.de/-3289764
*** Determining the real economic impact of cyber-incidents: A mission (almost) impossible ***
---------------------------------------------
Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII).
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/determining-the-real-economic-i…
*** IDG Contributor Network: Reach 'em and teach 'em--educating developers on application security ***
---------------------------------------------
How are developers supposed to build security throughout the development lifecycle if they are not taught security at any stage of their education? Vulnerabilities exist because products made by developers who have close to no knowledge of security are hitting the market. Rather than accept the idea that software will never be 100 percent secure, academia and industry leaders can be more proactive and teach developers how to think about application security. In a white paper, "App-Sec...
---------------------------------------------
http://www.csoonline.com/article/3105503/application-development/reach-em-a…
*** Security Advisory - A Security Vulnerability of Using Insecure Random Numbers to Generate Self-signed Certificates in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160810-…
*** Security Advisory - Buffer Overflow Vulnerability in Huawei USG Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160810-…
*** IBM Security Bulletin: XXE and XmlBomb vulnerability in FileNet Workplace (CVE-2016-3055) ***
---------------------------------------------
FileNet Workplace is susceptible to the XXE and XmlBomb vulnerability. CVE(s): CVE-2016-3055 Affected product(s) and affected version(s): FileNet Workplace 4.0.2 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21987128 X-Force Database: ...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21987128
*** IBM Security Bulletin: IBM Forms Experience Builder vulnerable to CSRF when configured with non default settings (CVE-2016-2884) ***
---------------------------------------------
A cross-site request forgery attack is possible when configured with non-default settings, caused by improper validation of user-supplied input. CVE(s): CVE-2016-2884 Affected product(s) and affected version(s): IBM Forms Experience Builder 8.5, IBM Forms Experience Builder 8.5.1, IBM Forms Experience Builder 8.6.x Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: ...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21987252
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-3426) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 and Version 8. These issues were disclosed as part of the IBM Java SDK updates in April 2016. Rational Service Tester is only affected by one of these vulnerabilities. CVE(s): CVE-2016-3426 Affected product(s) and affected version(s): Rational Service Tester versions 8.3, 8.5, 8.6,...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988456
*** IBM Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Cognos Planning (CVE-2016-3427) ***
---------------------------------------------
There are multiple vulnerabilities in IBM Runtime Environment Java Version 6 that is used by IBM Cognos Planning. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3427 Affected product(s) and affected version(s): IBM Cognos Planning 10.1 IBM Cognos Planning 10.1.1 Refer to the following reference URLs for...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21975745
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 08-08-2016 18:00 − Tuesday 09-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** "Cat-Loving" Mobile Ransomware Operates With Control Panel ***
---------------------------------------------
Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on compromised legitimate servers. The payload of this malware can encrypt a victim's files, steal SMS messages, and block access to the device. In this variant the...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cat-loving-mobile-ransomware-operates-…
*** Researcher warns of flaws in Samsung Pay tokenization and mag stripe features ***
---------------------------------------------
A researcher claims to have found vulnerabilities in Samsung Pay's tokenization mechanism and its magnetic secure transmission (MST) technology that could allow hackers to steal users' tokens and make fraudulent purchases.
---------------------------------------------
http://www.scmagazine.com/researcher-warns-of-flaws-in-samsung-pay-tokeniza…
*** Samsung Calls Reports of Samsung Pay Security Flaw "Inaccurate" ***
---------------------------------------------
Researcher finds a way to make fraudulent transactions via Samsung Pay, but Samsung denies any issues
---------------------------------------------
http://news.softpedia.com/news/samsung-calls-reports-of-samsung-pay-securit…
*** Anonymous document: Attacks on the FreeBSD update process ***
---------------------------------------------
An anonymous document describes in detail security vulnerabilities in the FreeBSD update system. Portsnap, Libarchive and Bspatch are affected. So far, fixes exist for only a few of the bugs. Similar attacks may also exist on Linux systems.
---------------------------------------------
http://www.golem.de/news/anonymes-dokument-angriffe-auf-den-freebsd-update-…
*** Security: Hackers crack 12 of 16 smart locks ***
---------------------------------------------
Two hackers were able to crack three quarters of the Bluetooth smart locks they examined, in some cases with hair-raisingly simple means. The manufacturers' reaction shows little interest in wanting to change anything about the problems.
---------------------------------------------
http://www.golem.de/news/sicherheit-hacker-knacken-12-von-16-smartlocks-160…
*** DFRWS EU/IMF 2017 ***
---------------------------------------------
DFRWS EU 2017 will be held in Überlingen, Lake Constance, Germany. This year brings together two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the International Conference on IT Security Incident Management & IT Forensics (IMF 2017). Established in 2001, DFRWS has become the premier digital forensics conference, dedicated to solving real world challenges, and pushing the envelope of what is currently possible in digital forensics.
---------------------------------------------
http://www.dfrws.org/conferences/dfrws-eu-2017
*** Fake PayLife message: Your credit card will be temporarily restricted ***
---------------------------------------------
In an e-mail, criminals claim that PayLife customers must confirm their personal data. If they do not, they will supposedly have to pay 89.95 euros. Recipients who comply with the request hand over sensitive credit card information to criminals.
---------------------------------------------
https://www.watchlist-internet.at/phishing/unechte-paylife-nachricht-ihre-k…
*** Windows 10 Anniversary Update is infested with bugs ***
---------------------------------------------
Last month, I warned readers that Microsoft's Windows 10 Anniversary Update would likely be somewhat buggy and suggested consumers should wait awhile before installing it. Unfortunately, my advice proved valid. There are widespread reports of significant bugs in the update, and they're causing systems to freeze, browsers to misbehave, and peripherals - including Xbox One controllers - to malfunction. Two major antivirus companies also warn that...
---------------------------------------------
http://www.cio.com/article/3104774/windows-security/windows-10-anniversary-…
*** QuadRooter vulnerability: 5 things to know about this Android security scare ***
---------------------------------------------
Once again, it's Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy moniker "QuadRooter." As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices - in this case, an estimated 900 million. We're going to break down exactly what's going on, and just how vulnerable you're likely to be.
---------------------------------------------
http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android…
*** IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks ***
---------------------------------------------
Vulnerability common to devices routing IPv6; Cisco offered partial fix in July.
---------------------------------------------
http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-ddos-…
*** Security Bulletin Posted for Adobe Experience Manager (APSB16-27) ***
---------------------------------------------
Adobe has published a Security Bulletin for Adobe Experience Manager(APSB16-27). Adobe recommends users apply the relevant hotfix to their product installation using the instructions referenced in the security bulletin. Adobe is not planning to issue a security update for Flash Player this...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1385
*** Cisco IOS and IOS XE Software Crafted Network Time Protocol Packets Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the processing of Network Time Protocol (NTP) packets by Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to insufficient checks on clearing the invalid NTP packets from the interface queue. An attacker could exploit this vulnerability by sending a number of crafted NTP packets to be processed by an affected device. An exploit...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Foxit Reader Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1036558
*** Vuln: OpenSSH CVE-2016-6515 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92212
*** Bugtraq: ESA-2016-070: RSA Authentication Manager Prime SelfService Insecure Direct Object Reference Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539157
*** Bugtraq: [CVE-2016-6600/1/2/3]: Multiple vulnerabilities (RCE, file download, etc) in WebNMS Framework 5.2 / 5.2 SP1 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539159
*** Trend Micro Control Manager (TMCM) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114749.aspx
*** Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114746.aspx
*** Trend Micro Smart Protection Server (Standalone) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114913.aspx
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: AppScan Source vulnerable to denial of service caused by an XML External Entity (CVE-2016-3033) ***
http://www.ibm.com/support/docview.wss?uid=swg21987326
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring Buffer Overflow (CVE-2016-2946 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21984578
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security affected by Cross Site Scripting (CVE-2016-2991) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985280
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729 CVE-2016-4463) ***
http://www.ibm.com/support/docview.wss?uid=swg21987267
---------------------------------------------
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with Openstack (CVE-2015-7548, CVE-2015-8749 CVE-2015-1850) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024106
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 05-08-2016 18:00 − Monday 08-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** F5 Security Advisory: glibc vulnerability CVE-2016-3706 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/06/sol06493172.html?…
*** Smoke Loader - downloader with a smokescreen still alive ***
---------------------------------------------
This time we will have a look at another payload from the recent RIG EK campaign. It is Smoke Loader (also known as Dofoil), a bot created several years ago. One of its early versions was advertised on the black market in 2011.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-download…
*** Docker Unspecified Flaw Lets Remote Authenticated Users Deny Service on the Target Swarm Cluster ***
---------------------------------------------
http://www.securitytracker.com/id/1036548
*** Apple iOS Memory Corruption Error in IOMobileFrameBuffer Lets Applications Gain Elevated Privileges on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036546
*** FortiAnalyzer & FortiManager - Client Side Cross Site Scripting Web Vulnerability ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080052
*** This PC monitor hack can manipulate pixels for malicious effect ***
---------------------------------------------
Don't believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display. Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen. During their DEF CON...
---------------------------------------------
http://www.cio.com/article/3104974/this-pc-monitor-hack-can-manipulate-pixe…
*** Attack on ATMs with remote control ***
---------------------------------------------
At the Black Hat conference, a security researcher demonstrated how cash can be withdrawn from other people's accounts despite PIN protection. Allegedly, the PIN can also be captured at modern ATMs without leaving any traces.
---------------------------------------------
http://heise.de/-3289469
*** External hard drives with encryption crackable ***
---------------------------------------------
Many USB hard drives with full-disk encryption and a PIN keypad can probably be decrypted if the firmware of the USB-SATA bridge chip is replaced.
---------------------------------------------
http://heise.de/-3289530
*** Video surveillance recorders RIDDLED with 0-days ***
---------------------------------------------
Kit from NUUO, Netgear has face-palm grade stoopid. There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/07/nuuo_netgea…
*** Strider: Cyberespionage group turns eye of Sauron on targets ***
---------------------------------------------
Low-profile group uses Remsec malware to spy on targets in Russia, China, and Europe. A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium. The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks.
---------------------------------------------
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-ey…
*** Week in review: Black Hat USA 2016 coverage, QRLJacking, exposed SAP systems ***
---------------------------------------------
Here's an overview of some of last week's most interesting news and articles: Black Hat USA 2016 Want to learn the news from Black Hat USA 2016? Get it all from our dedicated coverage page. QRLJacking: A new attack vector for hijacking online accounts We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use. 36000 SAP...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/week-review-black-hat-usa-2016-c…
*** Bugtraq: vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539149
*** VMware product updates address multiple important security issues ***
---------------------------------------------
VMware product updates address a DLL hijacking issue in Windows-based VMware Tools and an HTTP Header injection issue in vCenter Server and ESXi.
Relevant Products: VMware vCenter Server VMware vSphere Hypervisor (ESXi) VMware Workstation Pro VMware Workstation Player VMware Fusion VMware Tools
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** Remote Butler attack: APT groups' dream come true ***
---------------------------------------------
Microsoft security researchers have come up with an extension of the "Evil Maid" attack that allows attackers to bypass local Windows authentication to defeat full disk encryption: "Remote Butler". Demonstrated at Black Hat USA 2016 by researchers Tal Be'ery and Chaim Hoch, the Remote Butler attack has one crucial improvement over Evil Maid: it can be effected by attackers who do not have physical access to the target Windows computer that has, at one time,...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/remote-butler-attack/
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update CVE(s): CVE-2016-3598, CVE-2016-3511, CVE-2016-3485 Affected product(s) and affected version(s): These vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 40 and earlier releases Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=swg21987762 X-Force Database: ...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21987762
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update CVE(s): CVE-2016-3610, CVE-2016-3598, CVE-2016-3606, CVE-2016-3587, CVE-2016-3511, CVE-2016-3550, CVE-2016-3485 Affected product(s) and affected version(s): These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 26 and earlier releases These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21986642
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry(CVE-2015-7548, CVE-2015-8749 CVE-2015-1850) ***
---------------------------------------------
IBM SmartCloud Entry is vulnerable to several OpenStack Nova vulnerabilities, which could allow a local authenticated attacker or a remote attacker to obtain sensitive information. CVE(s): CVE-2015-8749, CVE-2015-7548, CVE-2015-1850 Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21, IBM SmartCloud Entry 3.1 through Appliance fix pack 21 Refer to the...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023865
*** VU#735416: UltraVNC repeater does not restrict IP addresses or ports by default ***
---------------------------------------------
Vulnerability Note VU#735416 UltraVNC repeater does not restrict IP addresses or ports by default Original Release date: 08 Aug 2016 | Last revised: 08 Aug 2016 Overview UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port. Description CWE-16: Configuration - CVE-2016-5673 UltraVNC repeater acts as a proxy to route remote desktop VNC...
---------------------------------------------
http://www.kb.cert.org/vuls/id/735416
*** Newly appearing encryption trojan (ransomware) renders data irretrievably unusable ***
---------------------------------------------
[...] The currently circulating variants of the ransomware call themselves Vegclass(a)aol.com, Salazar-Slytherin10(a)yahoo.com, etc.; the actual malicious code, however, is likely attributable to the ransomware "Troldesh", which originates from Russia.
---------------------------------------------
http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=524B7A526E703148456D553D&pag…
*** Smuggling malware into air-gapped networks with barcodes and Excel ***
---------------------------------------------
A hacker gets malware into networks by a detour, in environments where neither USB nor optical drives nor network transfers work. He converts the software into 2D barcodes, which he then turns back into executable code with Excel.
---------------------------------------------
http://heise.de/-3290119
*** Qualcomm-powered Android devices plagued by four rooting flaws ***
---------------------------------------------
Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over. The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying...
---------------------------------------------
http://www.cio.com/article/3104896/qualcomm-powered-android-devices-plagued…
*** Data Breach At Oracle's MICROS Point-of-Sale Division ***
---------------------------------------------
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached more than 700 computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers appear to have compromised a customer support portal for companies using Oracle's MICROS point-of-sale credit card payment systems.
---------------------------------------------
http://krebsonsecurity.com/?p=35752
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 04-08-2016 18:00 − Friday 05-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** iPhone: Watch out for targeted phishing after theft ***
---------------------------------------------
Thieves use imitation Apple letters to get robbed owners to enter their credentials. With these, they can lift the activation lock and sell the stolen iPhone in fully working condition.
---------------------------------------------
http://heise.de/-3288554
*** Microsoft Bounty Programs Expansion – Microsoft Edge Remote Code Execution (RCE) Bounty ***
---------------------------------------------
I’m very happy to announce another addition to the Microsoft Bounty Programs. Microsoft will be hosting a ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/08/04/microsoft-bounty-progra…
*** Pwnie Awards 2016: The Oscars of the security scene go to … ***
---------------------------------------------
The cute golden Pwnies went to, among others, Tavis Ormandy, Charlie Miller, Juniper and Western Digital. Not ..
---------------------------------------------
http://heise.de/-3288420
*** To Obfuscate, or not to Obfuscate ***
---------------------------------------------
Introduction: Malware's goal is to bypass computer defenses, infect a target, and often remain on the system as long as possible. A variety of techniques are used to accomplish ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/To-Obfuscate,-or-not-to…
*** Apple will pay hackers 200,000 dollars for bug discoveries ***
---------------------------------------------
While Microsoft, Google and others have long been running bug bounty programs, Apple has held back until now
---------------------------------------------
http://derstandard.at/2000042391260
*** Cyber Grand Challenge: IT security could change radically ***
---------------------------------------------
When computers fully autonomously search for, find and then either patch or exploit security vulnerabilities, there remains ..
---------------------------------------------
http://heise.de/-3288820
*** WPAD: 20-year-old protocol puts millions of users at risk ***
---------------------------------------------
The WPAD protocol is used for the automatic configuration of proxies and represents a long-known ..
---------------------------------------------
http://heise.de/-3288801
*** Odd Packet: Any ideas where this comes from?, (Fri, Aug 5th) ***
---------------------------------------------
Our reader submitted to us several odd packets. Of course, I can't resist figuring out what exactly is going on here: The packets appear to include a lengthy preamble, but I ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21343
*** Frequent Password Changes is a Bad Security Idea ***
---------------------------------------------
I've been saying for years that it's bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees: By studying the data, the researchers identified common techniques ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
*** After Bitcoin hack: Bitfinex thieves now want to donate ***
---------------------------------------------
After attackers stole Bitcoin worth around 72 million US dollars from Bitfinex, they apparently want to donate part of it. A total of 1,000 Bitcoin ..
---------------------------------------------
http://www.golem.de/news/nach-bitcoin-hack-bitfinex-diebe-wollen-jetzt-spen…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 03-08-2016 18:00 − Thursday 04-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco TelePresence Video Communication Server Expressway Command Injection Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco TelePresence Video Communication Server Expressway could allow an authenticated, remote attacker to execute arbitrary commands on the affected system. The ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV180 VPN and RV180W Wireless-N Multifunction VPN Routers Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web interface of the Cisco RV180 VPN Router and Cisco RV180W Wireless-N Multifunction VPN Router could allow an authenticated, remote ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV110W, RV130W, and RV215W Routers Command Shell Injection Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) command parser of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041 ***
---------------------------------------------
https://www.drupal.org/node/2778501
*** Snitches get stitches: Little Snitch bugs were a blessing for malware ***
---------------------------------------------
Now-patched kernel-level flaw in OS X app firewall will be revealed this week. DEF CON: Vulnerabilities in popular OS X security tool Little Snitch potentially granted malicious applications extra powers, undermining the protection offered by the software.
---------------------------------------------
www.theregister.co.uk/2016/08/03/mac_firewall_littlesnitch/
*** A look into Neutrino EK’s jQueryGate ***
---------------------------------------------
In the cybercrime landscape, Exploit Kits (EKs) are the tools of choice to infect endpoints by exploiting software vulnerabilities. However, a critical component EKs ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016…
*** [20160802] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerab…
*** [20160801] - Core - ACL Violation ***
---------------------------------------------
https://developer.joomla.org/security-centre/652-20160801-core-core-acl-vio…
*** [20160803] - Core - CSRF ***
---------------------------------------------
https://developer.joomla.org/security-centre/654-20160803-core-csrf.html
*** XML External Entity Injection Opens Door to Attacks, Theft ***
---------------------------------------------
XML is a popular language for web developers, partially due to its software and hardware independence. Recently, however, XML security is under threat from XML external ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/xml-external-entity-injection-opens-do…
*** A Plugin’s Expired Domain Poses a Security Threat to Websites ***
---------------------------------------------
Do you keep all your website software (including all third-party themes, plugins and components) up-to-date? You should! We always recommend this to our ..
---------------------------------------------
https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html
*** DSA-3639 wordpress - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3639
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8584
*** HEIST: Timing and compression attack on TLS ***
---------------------------------------------
By cleverly combining a timing attack in JavaScript with the already known BREACH attack, it is possible to decrypt secrets in TLS connections. Unlike before, no man-in-the-middle attack is required for this.
---------------------------------------------
http://www.golem.de/news/heist-timing-und-kompressionsangriff-auf-tls-1608-…
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) in page ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8585
*** Phishing study: curiosity wins over security concerns ***
---------------------------------------------
Despite all warnings and security precautions, users are very easily lured to a website if the phishing email sounds tempting enough. Researchers argue that this should have consequences for security architecture.
---------------------------------------------
http://www.golem.de/news/phishing-studie-neugier-siegt-ueber-sicherheitsbed…
*** Social engineering: every second person falls for USB sticks and Facebook messages ***
---------------------------------------------
Would you plug in a USB stick you had just found? Would you click on the link in a Facebook message from someone you do not know? According to two studies, many people answer no to these questions, but do it anyway.
---------------------------------------------
http://heise.de/-3287818
*** DSA-3640 firefox-esr - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3640
*** DSA-3638 curl - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3638
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 02-08-2016 18:00 − Mittwoch 03-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** MICROSOFT LIVE ACCOUNT CREDENTIALS LEAKING FROM WINDOWS 8 AND ABOVE ***
---------------------------------------------
Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).
---------------------------------------------
https://hackaday.com/2016/08/02/microsoft-live-account-credentials-leaking-…
*** Internet telephony: data protection authorities recommend Perfect Forward Secrecy ***
---------------------------------------------
The International Working Group on Data Protection in Telecommunications recommends the use of secure encryption in apps for VoIP or chat. Providers should store as little personal information as possible.
---------------------------------------------
http://heise.de/-3285356
*** SAP ASE file creation vulnerability (CVE-2016-6196) ***
---------------------------------------------
Recently SAP released a patch for an Adaptive Server Enterprise vulnerability that allows legitimate database users to create files on disk where the server process can write to. This is useful when doing a chained database attack - first create...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/SAP-ASE-file-creation-v…
*** The Dark Side of Certificate Transparency, (Wed, Aug 3rd) ***
---------------------------------------------
I am a big fan of the idea behind Certificate Transparency [1]. The real problem with SSL (and TLS... it really doesn't matter for this discussion) is not the weak ciphers or subtle issues with algorithms (yes, you should still fix it), but the certificate authority trust model. It has been too easy in the past to obtain a fraudulent certificate [2]. There was little accountability when it came to certificate authorities issuing test certificates, or just messing up, and validating the wrong...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21329&rss
*** Windows 10 Anniversary Update enforces signed drivers more strictly ***
---------------------------------------------
Since the 64-bit version of Windows Vista, Microsoft has required digitally signed drivers for PC components; the latest Windows 10 version 1607 (Redstone) raises the requirements further.
---------------------------------------------
http://heise.de/-3285419
*** Insecure SMS authentication: Telegram accounts in Iran apparently hacked ***
---------------------------------------------
Many regard the messaging service Telegram as a secure alternative to WhatsApp. But it is entirely possible to circumvent its security measures and gain access to accounts.
---------------------------------------------
http://www.golem.de/news/unsichere-sms-authentifizierung-telegram-accounts-…
*** FossHub compromised: software installers infected with malware ***
---------------------------------------------
The download platform FossHub has been hacked. The attackers infected the installers of widely used open-source programs with malware that overwrites the bootloader.
---------------------------------------------
http://heise.de/-3286347
*** A brief introduction to Forensic Readiness ***
---------------------------------------------
Introduction As defined in the RFC 2350 (Expectations for Computer Security Incident Response), the security incident is any adverse event which compromises some aspect of computer or network security. The definition of an incident may vary between organizations but generally is related to the compromise of confidentiality (i.e. document theft), integrity (i.e. alteration of the...
---------------------------------------------
http://resources.infosecinstitute.com/a-brief-introduction-to-forensic-read…
*** Finding and Enumerating Processes within Memory-Part 1 ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-wit…
*** Social engineering: how to coax passwords out of people with chocolate ***
---------------------------------------------
Scientists demonstrate an alarmingly careless handling of confidential data
---------------------------------------------
http://derstandard.at/2000042272093-406
*** Four high-profile vulnerabilities in HTTP/2 revealed ***
---------------------------------------------
Imperva released a new report at Black Hat USA 2016, which documents four high-profile vulnerabilities researchers at the Imperva Defense Center found in HTTP/2, the new version of the HTTP protocol that serves as one of the main building blocks of the Worldwide Web. HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure which then becomes vulnerable to new types of attacks. Imperva researchers took an in-depth look at...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/03/vulnerable-http2/
*** Stealing payment card data and PINs from POS systems is dead easy ***
---------------------------------------------
Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications. POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers...
---------------------------------------------
http://www.cio.com/article/3102922/stealing-payment-card-data-and-pins-from…
*** Nagios Core Access Control Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036513
*** Moxa SoftCMS SQL Injection Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a SQL injection vulnerability in Moxa's SoftCMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-01
*** Siemens SINEMA Server Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability in the Siemens SINEMA Server.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-02
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 01-08-2016 18:00 − Dienstag 02-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Android Security Bulletin August 2016 ***
---------------------------------------------
https://source.android.com/security/bulletin/2016-08-01.html
*** Google Domain Enables HSTS Protection ***
---------------------------------------------
Google ensures HTTPS connections to its domains with support for HTTP Strict Transport Security, or HSTS.
---------------------------------------------
http://threatpost.com/google-domain-enables-hsts-protection/119597/
*** DSA-3637 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3637
*** Slinging Hash: Speeding Cyber Threat Hunting Methodologies via Hash-Based Searching ***
---------------------------------------------
Introduction The term "hash" is thrown around in casual IT conversation quite a bit nowadays, ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Slinging-Hash--Speeding…
*** 36000 SAP systems exposed online, most open to attacks ***
---------------------------------------------
ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness. The company used its own scanning method to gather ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/02/sap-cybersecurity-report/
*** 200 million Yahoo accounts for sale on the darknet ***
---------------------------------------------
Login information for around 200 million Yahoo accounts is being offered for sale. And Yahoo knows about it.
---------------------------------------------
http://futurezone.at/digital-life/im-darknet-werden-200-millionen-yahoo-acc…
*** FireEye admits filtering out legitimate emails in sniffer snafu ***
---------------------------------------------
Benign messages frogmarched into quarantine. FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.
---------------------------------------------
www.theregister.co.uk/2016/08/02/fireeye_filtering_snafu/
*** Kaspersky's heart for hackers: US$50,000 for reported bugs ***
---------------------------------------------
As the second AV vendor to do so, the Russian company is introducing a bug bounty program. Security researchers will now be paid for finding vulnerabilities in Kaspersky products.
---------------------------------------------
http://heise.de/-3284172
*** Introducing the p0f BPF compiler ***
---------------------------------------------
Two years ago we blogged about our love of BPF (BSD packet filter) bytecode. Then we published a set of utilities we are using to generate the BPF ..
---------------------------------------------
https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/
*** Timing Attacks in the Modern Web ***
---------------------------------------------
Before you explore all the details of these browser-based timing attacks, head over to my laboratories to play around with these attacks yourself!
---------------------------------------------
https://tom.vg/2016/08/browser-based-timing-attacks/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-07-2016 18:00 − Montag 01-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Fake FreeDNS Used to Redirect Traffic to Malicious Sites ***
---------------------------------------------
During the last couple of days we performed a few similar cleanup requests where sites occasionally redirected visitors to malicious sites that displayed ads, spam and malicious downloads. One of our security analysts, Andrey Kucherov, ..
---------------------------------------------
https://blog.sucuri.net/2016/07/fake-freedns-used-to-redirect-traffic-to-ma…
*** SwiftKey shows other users' suggestions ***
---------------------------------------------
Users of the alternative smartphone keyboard SwiftKey have received word suggestions belonging to other users. Besides words in other languages, these reportedly also included other people's email addresses.
---------------------------------------------
http://heise.de/-3282177
*** DSA-3636 collectd - security update ***
---------------------------------------------
Emilien Gaspar discovered that collectd, a statistics collection and monitoring daemon, incorrectly processed incoming network packets. This resulted in a heap overflow, allowing a remote attacker to either cause a DoS via application crash, or potentially execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3636
*** HTML injection flaw allowed certificate theft at Comodo ***
---------------------------------------------
A flaw in the certificate ordering system of the certification authority Comodo allowed attackers to have SSL certificates issued for other people's websites, enabling man-in-the-middle eavesdropping on their traffic.
---------------------------------------------
http://heise.de/-3282183
*** Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host ***
---------------------------------------------
Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update ..
---------------------------------------------
https://tech.slashdot.org/story/16/07/30/1552244/xen-vulnerability-allows-h…
*** DSA-3634 redis - security update ***
---------------------------------------------
It was discovered that redis, a persistent key-value database, did not properly protect redis-cli history files: they were created by default with world-readable permissions.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3634
*** Are you getting I-CANNED? ***
---------------------------------------------
One year ago, I already covered the impact that ICANN's latest money grab was having on security, see https://isc.sans.edu/forums/diary/httpsyourfakebanksupport+TLD+confusion+st…. ICANN is the organization that ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21323
*** Booking Calendar <= 6.2 - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8576
*** Booking Calendar <= 6.2 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8575
*** Pokémon GO Creator's Twitter Account Hacked — Pika, Pikaaaa! ***
---------------------------------------------
Twitter account of another high-profile CEO has been hacked! This time, it's Niantic CEO John Hanke, the developer behind the world's most popular game Pokémon GO. And it ..
---------------------------------------------
https://thehackernews.com/2016/07/pokemon-go-hack.html
*** Kaspersky DDoS Intelligence Report for Q2 2016 ***
---------------------------------------------
In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks. In fact, 97.3% of the targeted resources were located in ..
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/75513/kaspersky-dd…
*** INTERPOL Arrests Business Email Compromise Scam Mastermind ***
---------------------------------------------
Business Email Compromise (BEC) attacks have proven to be an effective tactic, with criminals stealing large amounts of money from various businesses. From 2013 to 2015, BEC-related damages were estimated at US$ 2.3 billion. Targeting ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/interpol-arrests…
*** Security flaw: millions of air travellers' records exposed on the internet for years ***
---------------------------------------------
Invoices, names and in some cases even bank details of air travellers were openly accessible on the internet for years without any technical hurdles, and nobody noticed. As far as is currently known, criminals also overlooked the data.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-millionen-daten-von-flugreisende…