=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-09-2016 18:00 − Friday 30-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The Equation Group's Firewall Exploit Chain ***
---------------------------------------------
There has been plenty of research on pieces of this exploit kit, but very little on the full exploit chain. We were interested in studying some of the command and control traffic used by this exploit kit for emulation in BreakingPoint. On the way, we figured out how a lot of the puzzle pieces fit together. What follows are our findings on how this kit gains persistent control of a Cisco firewall. We also identify some of the missing pieces that were not previously available.
---------------------------------------------
https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain
*** European Cyber Security Month: get in the driving seat of your own online security ***
---------------------------------------------
October 2016 is European Cyber Security Month and this year October will bring plenty of opportunities for people to discover how to stay safe online and play an active role in their own security. Throughout European Cyber Security Month – which kicks-off today in Brussels - over 300 activities, including events, training sessions, tips and an online quiz, will take place across 27 countries. This year's Cyber Security Month will focus on security in banking, cyber safety, cyber training and mobile malware.
---------------------------------------------
https://www.enisa.europa.eu/news/ecsm
*** Lesser known tricks of spoofing extensions ***
---------------------------------------------
It is a well-known fact that malware using social engineering tricks is designed to hide itself from being an obvious executable. In this short article, we will present two other less common tricks used to deceive users.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/09/lesser-known-tricks-of-spo…
*** Backdoored D-Link Router Should be Trashed, Researcher Says ***
---------------------------------------------
A researcher who found a slew of vulnerabilities in a popular router says it's so hopelessly broken that consumers who own them should throw them away.
---------------------------------------------
http://threatpost.com/backdoored-d-link-router-should-be-trashed-researcher…
*** Sentinel 7.4 SP3 (Sentinel 7.4.3.0) Build 2805 ***
---------------------------------------------
This service pack resolves the following security vulnerabilities:
Sentinel 7.4 SP3 resolves a Java deserialization (CVE-2016-1000031) vulnerability.
---------------------------------------------
https://download.novell.com/Download?buildid=HXXzqDiAPd0~
*** [SANS ISC Diary] Another Day, Another Malicious Behaviour ***
---------------------------------------------
I published the following diary on isc.sans.org: "Another Day, Another Malicious Behaviour". Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request...
---------------------------------------------
https://blog.rootshell.be/2016/09/30/sans-isc-diary-another-day-another-mal…
*** Patch for Street Fighter V: Anti-cheat tool can be abused as a rootkit ***
---------------------------------------------
A recent patch for the Windows version of Street Fighter V brings measures against cheaters, but in return disables an essential security mechanism of computers. In the meantime, a fix is supposed to eliminate the security problem.
---------------------------------------------
https://heise.de/-3338614
*** Bugtraq ***
---------------------------------------------
*** Bugtraq: Multiple exposures in Sophos UTM ***
http://www.securityfocus.com/archive/1/539518
---------------------------------------------
*** Bugtraq: [SYSS-2016-060] Logitech M520 - Insufficient Verification of Data Authenticity (CWE-345) ***
http://www.securityfocus.com/archive/1/539517
---------------------------------------------
*** Bugtraq: Persistent XSS in Abus Security Center - CVSS 8.0 ***
http://www.securityfocus.com/archive/1/539514
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 28-09-2016 18:00 − Thursday 29-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Dangerous Linux Trojan family investigated by Doctor Web ***
---------------------------------------------
September 27, 2016 Doctor Web’s security researchers have examined a Trojan named Linux.Mirai which is used by criminals to carry out DDoS attacks. Because virus specialists were familiar with earlier versions of this Trojan, they were able to find many features of the previous versions in this latest one, ..
---------------------------------------------
http://news.drweb.com/show/?i=10218&lng=en&c=9
*** SSH Brute Force Compromises Leading to DDoS ***
---------------------------------------------
A few weeks ago we ran an experiment to see how long it would take for some IPv4-only and IPv6-only servers to be compromised via SSH brute force attacks. We configured five cloud servers on Linode and Digital Ocean with the root password ..
---------------------------------------------
https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos…
*** Introducing Her Royal Highness, the Princess Locker Ransomware ***
---------------------------------------------
Today we bring you Princess Locker; the ransomware only royalty could love. First discovered by Michael Gillespie, Princess Locker encrypts a victim's data and then demands a hefty ransom ..
---------------------------------------------
http://www.bleepingcomputer.com/news/security/introducing-her-royal-highnes…
*** Security risk construction-site traffic lights: green wave at the push of a button ***
---------------------------------------------
It sounds like a computer game or a hacker film, but is unfortunately reality: the traffic light systems of a German manufacturer can be controlled remotely. Although the company has known about this for months, nothing has happened so far.
---------------------------------------------
http://www.golem.de/news/sicherheitsrisiko-baustellenampeln-gruene-welle-au…
*** ManageEngine ServiceDesk Plus vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN50347324/
*** Record DDoS attack of 1.1 terabits per second sighted ***
---------------------------------------------
Higher, faster, further: an ever-growing botnet is said to have bombarded the servers of a French web hoster with enormous amounts of data. This is apparently the largest documented DDoS attack to date.
---------------------------------------------
http://heise.de/-3336494
*** 500-million hack: Yahoo skimped on security ***
---------------------------------------------
Marissa Mayer handed out free iPhones and expensive catering at Yahoo, but security was apparently skimped on. In addition, a security firm doubts that Yahoo was really hacked by a state actor.
---------------------------------------------
http://www.golem.de/news/500-millionen-hack-yahoo-sparte-an-der-sicherheit-…
*** Multiple vulnerabilities in extension "phpMyAdmin" ***
---------------------------------------------
https://typo3.org/news/article/multiple-vulnerabilities-in-extension-phpmya…
*** Cisco patches away backdoor and closes further holes ***
---------------------------------------------
Under certain conditions, attackers are said to be able to hijack Email Security Appliances without much effort. Cisco rates the vulnerability at the highest threat level.
---------------------------------------------
http://heise.de/-3337464
*** Federal Criminal Police Office: Awareness of cyber threats still inadequate ***
---------------------------------------------
The armed forces (Bundesheer) and the Federal Criminal Police Office (Bundeskriminalamt) are relying on awareness-raising and are looking for tech-savvy staff
---------------------------------------------
http://derstandard.at/2000045143087
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 27-09-2016 18:00 − Wednesday 28-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Warning about invoices from "Austria Domain Hosting" ***
---------------------------------------------
Numerous Internet users are currently receiving supposed invoices from "Austria Domain Hosting" by e-mail. The amount payable is 179.40 euros for a domain registration that was never ordered. In reality, this is an attempted fraud!
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/warnung-vor-rechnu…
*** Privacy regulators uncover serious shortcomings in the Internet of Things ***
---------------------------------------------
The Global Privacy Network (GPEN) examined 314 connected devices, from fitness trackers and blood glucose meters to smart TVs, and found major gaps in data protection. Even sensitive information is said to be hardly ever encrypted.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Datenschuetzer-decken-schwere-Maenge…
*** Back in Time Memory Forensics, (Tue, Sep 27th) ***
---------------------------------------------
You might get into a case where you have only the disk image without having the memory image. Or even if you have the memory image but you wish If you have something back in time. With hibernation file (hiberfil.sys), PageFile (pageand crash dump that might be possible. And if you are lucky enough you might be able to recover them from volume shadow copy which is enabled by default in most of modern Windows OS.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21527&rss
*** Bugtraq: ESA-2016-127: EMC ViPR SRM Stored Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539492
*** Vuln: libgd gd_webp.c Integer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93184
*** Security Advisory: BIND vulnerability CVE-2016-2776 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/18/sol18829561.html?…
*** Vuln: Symantec Messaging Gateway CVE-2016-5312 Directory Traversal Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93148
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 ***
---------------------------------------------
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as "Critical Severity," one as "Moderate Severity," and the other 12 as "Low Severity". Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: Apache Axis2 Document Type Declaration Processing Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/40976
*** Vuln: Apache Xerces-C CVE-2016-4463 Stack Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/91501
*** BIND Bug in buffer.c Constructing Query Responses Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036903
*** Security Advisory: libssh vulnerability CVE-2016-0739 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/57/sol57255643.html?…
*** Security Advisory: TMM SSL/TLS virtual server vulnerability CVE-2016-6907 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39508724.html?…
*** EMC ViPR SRM Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036904
*** Security Advisory - Path Traversal Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160928-…
*** SSA-378531 (Last Update 2016-09-27): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531…
*** TP-Link Archer CR-700 Cross Site Scripting ***
---------------------------------------------
On running the command above, it sends a DHCP request to the router. On a DHCP request, the host name is sent, which we have forcibly set to an XSS script <script>alert(5)</script>
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090203
*** Bugtraq: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539502
*** ICS-CERT releases new tools for securing industrial control systems ***
---------------------------------------------
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies. While the former has received many updates through the years (this newer version is v8.0), the whitepaper is a 'modernized' version of a document ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/28/tools-securing-industrial-contro…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21990448
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation (CVE-2016-3574, CVE-2016-3575, etc) ***
http://www.ibm.com/support/docview.wss?uid=swg21988718
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM WebSphere Dashboard Framework (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990386
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in Apache Commons FileUpload affects IBM Web Experience Factory (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990394
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Limits (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988584
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Rational BuildForge (CVE-2016-2107, CVE-2016-2176) ***
http://www.ibm.com/support/docview.wss?uid=swg21988081
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in sblim-sfcb affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-5185) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099487
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2015-8710) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099488
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 26-09-2016 18:00 − Tuesday 27-09-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Sofacy APT Targeting OS X Machines with Komplex Trojan ***
---------------------------------------------
APT gang Sofacy is targeting Mac OS X users with a Trojan that allows an attacker to execute remote commands on infected systems.
---------------------------------------------
http://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-troja…
*** Java-Deserialization-Cheat-Sheet ***
---------------------------------------------
A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
---------------------------------------------
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
*** Security update released for Django 1.8 and 1.9 ***
---------------------------------------------
The reason for the web framework update is a vulnerability that, in combination with Google Analytics, makes Django's CSRF protection attackable. The current Django 1.10 is not affected, and versions older than 1.8 no longer receive security patches.
---------------------------------------------
http://heise.de/-3332611
*** Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM ***
---------------------------------------------
The idea behind this vulnerability is simple to describe at a high level:
- Trick the 'NT AUTHORITY\SYSTEM' account into authenticating via NTLM to a TCP endpoint we control.
- Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the 'NT AUTHORITY\SYSTEM' account. This is done through a series of Windows API calls.
- Impersonate the token we have just negotiated
---------------------------------------------
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-…
*** Unsafe at any clock speed: Linux kernel security needs a rethink ***
---------------------------------------------
Ars reports from the Linux Security Summit - and finds much work that needs to be done.
---------------------------------------------
http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/
*** No wonder we're being hit by Internet of Things botnets. Ever tried patching a Thing? ***
---------------------------------------------
Akamai CSO laments pisspoor security design practices. Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/27/akamai_chie…
*** CVE-2016-7543 -- bash SHELLOPTS+PS4 ***
---------------------------------------------
The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen().
---------------------------------------------
http://seclists.org/oss-sec/2016/q3/617
*** Siemens SCALANCE M-800/S615 Web Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a web security vulnerability in Siemens SCALANCE M-800 and S615 modules.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-271-01
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2015-8325, CVE-2016-6210, CVE-2016-6515) ***
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/java_july2016_advisory.asc
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 23-09-2016 18:00 − Monday 26-09-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do not install an Erste Bank security certificate ***
---------------------------------------------
In a fake Erste Bank message, criminals demand that recipients install a security certificate for their mobile device. If the addressees do not do so, this allegedly leads to their accounts being blocked. Installing the security certificate infects the smartphone with malware. With it, criminals gain access to the victim's account. Victims lose money.
---------------------------------------------
https://www.watchlist-internet.at/schadsoftware/kein-erste-bank-sicherheits…
*** Weakened iTunes backup encryption: Apple promises a fix ***
---------------------------------------------
A vulnerability makes brute-force attacks on encrypted iTunes backups of iOS 10 devices less time-consuming. Apple is aware of the problem and stresses that iCloud backups are not affected.
---------------------------------------------
http://heise.de/-3331346
*** VBA and P-code, (Mon, Sep 26th) ***
---------------------------------------------
I want to draw your attention to some great work Dr. Bontchev did. pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document: python pcodedmp.py -d poc2b.doc Processing file:...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21521&rss
*** Leaking Beeps: Here's A Reason to Kick Pagers out of Hospitals ***
---------------------------------------------
Today, Trend's FTR team released the paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, on our research into pager technology. If you are concerned about keeping your health information private, I would highly recommend you read through it. I, for one, was not expecting the findings we made. Pagers are secure, right? We've used them for decades, they are hard to monitor, and that's why some of our most trusted industries use them, including the healthcare...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/o-H15bX77W8/
*** OpenSSL Fixes Critical Bug Introduced by Latest Update ***
---------------------------------------------
OpenSSL's most recent update introduced a critical vulnerability in the crypto library, forcing an emergency update today.
---------------------------------------------
http://threatpost.com/openssl-fixes-critical-bug-introduced-by-latest-updat…
*** OpenSSL Security Advisory [26 Sep 2016] ***
---------------------------------------------
This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification.
---------------------------------------------
https://www.openssl.org/news/secadv/20160926.txt
*** Security Advisory: NodeJS vulnerability CVE-2016-2086 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15311661.html?…
*** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on THEZEDT Website ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-…
*** Security Notice - Statement on Elevation of Privilege Vulnerability in Huawei HG8247H Product Disclosed on TheZedt Website ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160924-01-…
*** Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-460347
*** Security Advisory - Privilege Escalation Vulnerability in Huawei Multiple Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160926-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Expat XML Parser vulnerabilities in Prospect ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988817
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by security vulnerabilities in libxml2 ***
http://www.ibm.com/support/docview.wss?uid=swg21990838
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by security vulnerabilities in libxml2 ***
http://www.ibm.com/support/docview.wss?uid=swg21990837
---------------------------------------------
*** IBM Security Bulletin: Multiple libarchive vulnerabilities affect Watson Explorer ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988311
---------------------------------------------
*** IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Web appliances (CVE-2016-3028) ***
http://www.ibm.com/support/docview.wss?uid=swg21990317
---------------------------------------------
*** IBM Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Web has been identified (CVE-2016-3025) ***
http://www.ibm.com/support/docview.wss?uid=swg21990318
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect SAN Volume Controller and Storwize Family ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009282
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988198
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Struts v2 affect IBM Opportunity Detect ***
http://www.ibm.com/support/docview.wss?uid=swg21987854
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect SAN Volume Controller and Storwize Family (CVE-2016-2107 CVE-2016-2108) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009281
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 22-09-2016 18:00 − Friday 23-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The era of big DDOS?, (Thu, Sep 22nd) ***
---------------------------------------------
I have been tracking DDOSs for a number of years, and quite frankly, it has become boring. Don't get me wrong, I am not complaining, just stating a fact. A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and probably the most significant being the novelty has worn off. Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic which is not even a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21511&rss
*** LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD ***
---------------------------------------------
LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. Full details are in the LGPO.pdf in the download. For more...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-r…
*** Fake shipment tracking notices from the Post ***
---------------------------------------------
Internet users are receiving an alleged shipment tracking notice from Österreichische Post. It says that the company has had a parcel returned to it. So that recipients can receive it, they are asked to open a link and run a file. It contains malware. Anyone who opens it suffers data loss.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-sendun…
*** After DDoS attacks: Akamai takes security researcher Krebs offline ***
---------------------------------------------
After exposing an Israeli DDoS provider, security expert Krebs has himself become the victim of an unusual attack. His website has been taken offline.
---------------------------------------------
http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforsche…
*** A week to go for the European Cyber Security Month launch! ***
---------------------------------------------
ENISA together with the European Commission, the European Banking Federation (EBF), Europol's European Cybercrime Centre (EC3), and its partners, are getting ready for the launch event of the European Cyber Security Month (ECSM), the EU advocacy campaign on cybersecurity which runs throughout October.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/a-week-to-go-for-the-european-c…
*** Security Update for Microsoft Office (3185852) ***
---------------------------------------------
V.2.0 (September 22, 2016): Bulletin revised to announce the availability of the 14.6.8 update for Microsoft Office for Mac 2011 (3186805) and the 15.25 update for Microsoft Office 2016 for Mac (3186807). Customers running affected Mac software should install the appropriate update for their product to be protected from the vulnerabilities discussed in this bulletin.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-107
*** Cisco Email Security Appliance Internal Testing Interface Vulnerability ***
---------------------------------------------
A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device. The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases. An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IDM 4.5 Notes Driver Version 4.0.1.0 ***
---------------------------------------------
Abstract: This patch is for Identity Manager Notes Driver. It can be installed on IDM 4.5. This patch will take the version of the Notes Driver to version 4.0.1.0.
Document ID: 5255110
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: IDM45_Notes_4010.zip (1.12 MB)
Products: Identity Manager 4.5
Superseded Patches: IDM 4.5 Notes Driver Version 4.0.0.4
---------------------------------------------
https://download.novell.com/Download?buildid=aLUafJcAJps~
*** DSA-3674 firefox-esr - security update ***
---------------------------------------------
Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or information disclosure.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3674
*** Microsoft Internet Explorer 11 CORS Disrespect ***
---------------------------------------------
Topic: Microsoft Internet Explorer 11 CORS Disrespect Risk: Low Text: IE11 is not following CORS specification for local files like Chrome and Firefox. I've contacted Microsoft and they say this i...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090165
*** DFN-CERT-2016-1560: LibreSSL: A vulnerability allows security measures to be bypassed ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1560/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990060
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability has been identified in IBM WebSphere Portal (CVE-2016-5954) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989993
---------------------------------------------
*** IBM Security Bulletin: IBM DB2 LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989842
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4483) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990364
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Algo Credit Manager (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988586
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo Credit Administrator (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21988585
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182) ***
http://www.ibm.com/support/docview.wss?uid=swg21987189
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4447 CVE-2016-4448 CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986710
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Network Security (NSS) affects IBM SAN Volume Controller and Storwize Family (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009280
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-0377) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990525
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Tivoli LWI impacts pConsole and WebSM for AIX (CVE-2016-6038) ***
http://aix.software.ibm.com/aix/efixes/security/pconsole_mitigation.…
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-2985 and CVE-2016-2984) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024336
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990527
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libpng affect NVIDIA Linux device drivers for System x, Flex and BladeCenter Systems (CVE-2015-8472, CVE-2015-7981, CVE-2015-8126) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099471
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-09-2016 18:00 − Thursday 22-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake cease-and-desist letter from lawyer Jörg Schmidt in circulation ***
---------------------------------------------
Households are receiving a cease-and-desist letter from the law firm Jörg Schmidt. It claims that the copyright of abbywinters.com BV was infringed because the recipients used the erotic film "Girl & Girl Pee Marigold & Christiana". For this reason they are asked to pay 950.00 euros. This is an attempted fraud.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/fake-abmahnung-von-ra-joerg-sch…
*** More than 840,000 Cisco devices are vulnerable to NSA-related exploit ***
---------------------------------------------
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that's similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency. The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device's memory, which can lead to the exposure of sensitive information.
---------------------------------------------
http://www.cio.com/article/3122868/more-than-840000-cisco-devices-are-vulne…
*** Bug that hit Firefox and Tor browsers was hard to spot - now we know why ***
---------------------------------------------
The curious case of Firefox's (now fixed) certificate pinning failure.
---------------------------------------------
http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browse…
*** Hacked Website Report - 2016/Q2 ***
---------------------------------------------
Today we're releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT). CMS Analysis: Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html
*** KrebsOnSecurity Hit With Record DDoS ***
---------------------------------------------
On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they've seen previously, and was among the biggest assaults the Internet has ever witnessed.
---------------------------------------------
http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
*** Controlling Kerio Control - When your firewall turns against you. ***
---------------------------------------------
Introduction: This blog post describes two different attacks which can be used to compromise companies which use Kerio Control in their network. Kerio Control is a hardware appliance which can be used as network firewall, router and VPN gateway. Both attacks spawn a reverse shell on Kerio Control. Since both attack payloads are delivered via CSRF (cross site request forgery) or XSS (cross site scripting) no ports must be open from the Internet.
---------------------------------------------
http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html
*** Future attack scenarios against ATM authentication systems ***
---------------------------------------------
The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
---------------------------------------------
http://securelist.com/analysis/publications/76099/future-attack-scenarios-a…
*** Cisco plugs two Cloud Services Platform system compromise flaws ***
---------------------------------------------
Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. Both vulnerabilities affect version 2.0 of the platform and there are no workarounds to address them, so administrators are advised to update to release 2.1.0 and later to plug the holes. What's the problem? Cisco Cloud Services Platform 2100 is a popular Linux Kernel-based Virtual Machine software...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/22/cisco-plugs-cloud-services-platf…
*** Fixing the mixed content problem with Automatic HTTPS Rewrites ***
---------------------------------------------
CloudFlare aims to put an end to the unencrypted Internet. But the web has a chicken and egg problem moving to HTTPS. Long ago it was difficult, expensive, and slow to set up an HTTPS capable web site. Then along came services like CloudFlare's Universal SSL that made switching...
---------------------------------------------
https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic…
*** OpenSSL Update Released, (Thu, Sep 22nd) ***
---------------------------------------------
As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0). The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21509&rss
*** OpenSSL Security Advisory [22 Sep 2016] ***
---------------------------------------------
OCSP Status Request extension unbounded memory growth (CVE-2016-6304); SSL_peek() hang on empty record (CVE-2016-6305); SWEET32 Mitigation (CVE-2016-2183); OOB write in MDC2_Update() (CVE-2016-6303); Malformed SHA512 ticket DoS (CVE-2016-6302); OOB write in BN_bn2dec() (CVE-2016-2182); OOB read in TS_OBJ_print_bio() (CVE-2016-2180); Pointer arithmetic undefined behaviour (CVE-2016-2177); Constant time flag not preserved in DSA signing (CVE-2016-2178); DTLS buffered message DoS (CVE-2016-2179); DTLS...
---------------------------------------------
https://www.openssl.org/news/secadv/20160922.txt
*** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004 ***
---------------------------------------------
Description: Users who have rights to edit a node can set the visibility on comments for that node. Advisory ID: DRUPAL-SA-CORE-2016-004. Project: Drupal core. Version: 8.x. Date: 2016-September-21. Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default. Vulnerability: Description: Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical) Users who have rights to edit a node can set the visibility on comments for that
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-004
*** ZDI-16-526: (0Day) Google Chrome Protocol Handler Logic Error Restrictions Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass restrictions on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-526/
*** ZDI-16-525: (0Day) Fatek Automation PM Designer Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fatek Automation PM Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-525/
*** [2016-09-22] Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management ***
---------------------------------------------
Kerio Control contains multiple vulnerabilities which can be used by an attacker to obtain a reverse root shell to the internal firewall system of a network. An attacker can use this reverse root shell to further compromise the victim's local network, sniff VPN traffic (including VPN credentials) or just backdoor the firewall/VPN gateway.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** HPSBGN03649 rev.1 - HPE Network Automation using Java Deserialization, Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons-Collections and Commons-BeanUtils library used for handling Java object deserialization was addressed by HPE Network Automation. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05279098
*** SSA-342135 (Last Update 2016-09-22): Web Vulnerability in SCALANCE M-800 / S615 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-342135…
*** SSA-301706 (Last Update 2016-09-22): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Binary Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE iox Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center and FireSIGHT System Software SSL Inspection Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Data in Motion Component Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Home Web-Based User Interface XML External Entity Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Application-Hosting Framework HTTP Header Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Application-Hosting Framework Unauthorized File Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-09-2016 18:00 − Wednesday 21-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Spear Phishing: German politicians attacked with malware e-mails ***
---------------------------------------------
Politicians of all parties were the target of spear-phishing attacks in August. Purported NATO information on the coup in Turkey and the earthquake in Italy was meant to entice recipients to click on malware.
---------------------------------------------
http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mail…
*** Windows Events log for IR/Forensics, Part 2, (Tue, Sep 20th) ***
---------------------------------------------
In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events. Get-WinEvent: The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21501&rss
*** ISAKMP Scanning and Potential Vulnerabilities ***
---------------------------------------------
Introduction: As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or...
---------------------------------------------
http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulne…
*** Mamba Ransomware Encrypts Hard Drives Rather Than Files ***
---------------------------------------------
A new ransomware strain called Mamba opts to encrypt hard drives rather than individual files and folders stored on the local disk.
---------------------------------------------
http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-fil…
*** Should you trust your security software? ***
---------------------------------------------
The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/21/security-software/
*** macOS Sierra fixes almost 70 security vulnerabilities ***
---------------------------------------------
With the new version 10.12, Apple has fixed 68 vulnerabilities in macOS and OS X respectively, including critical ones. No security update is currently available for older OS X versions.
---------------------------------------------
http://heise.de/-3328701
*** Considerations on the Traffic Light Protocol ***
---------------------------------------------
The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.
---------------------------------------------
https://www.enisa.europa.eu/topics/national-csirt-network/glossary/consider…
*** Did You Really Lock that Door? ***
---------------------------------------------
One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course, is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just...
---------------------------------------------
https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-L…
*** InfoArmor Uncovers Malicious Torrent Distribution Network ***
---------------------------------------------
InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.
---------------------------------------------
https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution…
*** Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web ***
---------------------------------------------
Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits...
---------------------------------------------
https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the…
*** Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539432
*** DSA-3671 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors for H.225, Catapult DCT2000, UMTS FP and IPMI, which could result in denial of service or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3671
*** Filr 2.0 - Hot Patch 3 ***
---------------------------------------------
Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client. Document ID: 5255170. Security Alert: Yes. Distribution Type: Public. Entitlement Required: No. Files: preinstall-Search-20HP3.zip (24.95 MB), preinstall-MySQL-20HP3.zip (24.18 MB), preinstall-Filr-20HP3.zip (34.59 MB), Filr-2.0.0.474.HP.zip (155.89 MB), Search-2.0.0.417.HP.zip (10.67 MB), MySQL-2.0.0.197.HP.zip (1.44 kB). Products: Filr...
---------------------------------------------
https://download.novell.com/Download?buildid=LMP8JAI5Lrc~
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Apple Security Updates ***
---------------------------------------------
*** Safari 10 ***
https://support.apple.com/kb/HT207157
---------------------------------------------
*** macOS Sierra 10.12 ***
https://support.apple.com/kb/HT207170
---------------------------------------------
*** tvOS 10 ***
https://support.apple.com/kb/HT207142
---------------------------------------------
*** iTunes 12.5.1 for Windows ***
https://support.apple.com/kb/HT207158
---------------------------------------------
*** macOS Server 5.2 ***
https://support.apple.com/kb/HT207171
---------------------------------------------
*** iCloud for Windows 6.0 ***
https://support.apple.com/kb/HT207147
---------------------------------------------
*** Vuln: OpenStack Nova Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93068
*** ShoreTel Connect ONSITE Blind SQL Injection Vulnerability ***
---------------------------------------------
Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability Risk: Medium Text: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090154
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990374
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990046
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990236
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984565
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988742
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 19-09-2016 18:00 − Tuesday 20-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** European Cyber Security Month - NIS Quiz ***
---------------------------------------------
This tool is designed to help you update your internet security knowledge; begin whenever you feel ready. It will take max 10 minutes and we hope you'll enjoy the quiz and learn something useful!
---------------------------------------------
https://cybersecuritymonth.eu/references/quiz-demonstration/intro
*** The banker that can steal anything ***
---------------------------------------------
The use of root privileges is not typical for banking malware attacks, because money can be stolen in numerous other ways that don't require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy.
---------------------------------------------
http://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/
*** Ransomware trojan HDDCryptor reportedly locks victims out of their computers ***
---------------------------------------------
HDDCryptor not only encrypts data but apparently also overwrites the MBR of Windows computers and only releases infected machines after a ransom payment, security researchers warn.
---------------------------------------------
http://heise.de/-3327880
*** Encryption Week ***
---------------------------------------------
Since CloudFlare's inception, we have worked tirelessly to make encryption as simple and as accessible as possible. Over the last two years, we've made CloudFlare the easiest way to enable encryption for web properties and internet services. From the launch of Universal SSL, which gives HTTPS to millions
---------------------------------------------
https://blog.cloudflare.com/encryption-week/
*** Mozilla and Tor close certificate-pinning hole ***
---------------------------------------------
Due to an error in building new versions of Firefox and the Tor Browser, these were vulnerable to man-in-the-middle attacks through which malicious code could be injected.
---------------------------------------------
http://heise.de/-3328039
*** Hacking WordPress Sites on Shared Servers ***
---------------------------------------------
A website is only as safe as the weakest link on its shared server. Once a hacker gains access to one site on the server, they can easily infect other sites that share the same server permissions. This is called cross-site contamination. When it comes to WordPress websites, the core structure is well known by...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html
*** Steganography... what is that? ***
---------------------------------------------
When people think about Information Security the first word that generally comes to mind is "Hacking", but there are many disciplines in security and one of them is called "Steganography", an offshoot of encryption and "data hiding". The word "steganography" can...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganography----what-i…
*** Vulnerability Patched in WordPress Theme That Allows Unrestricted Uploads ***
---------------------------------------------
A vulnerability has been patched in a popular WordPress theme called Neosense that allows an attacker to upload code without authentication.
---------------------------------------------
http://threatpost.com/vulnerability-patched-in-wordpress-theme-that-allows-…
*** High-Tech Bridge releases a new version of its free SSL testing service ***
---------------------------------------------
The new version of the service enables companies to easily test any SSL/TLS-based services for compliance with PCI DSS, HIPAA and NIST, while the new API provides much more flexibility for software developers.
---------------------------------------------
https://www.htbridge.com/news/ssl-testing-service-api-hipaa-compliance.html
*** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539424
*** Bugtraq: ESA-2016-065: EMC Avamar Data Store and Avamar Virtual Edition Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539423
*** VMSA-2016-0014 ***
---------------------------------------------
VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0014.html
*** VMSA-2016-0010.1 ***
---------------------------------------------
VMware product updates address multiple important security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** ZDI-16-517: AlienVault Unified Security Management Remote Authentication Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication requirements on vulnerable installations of AlienVault Unified Security Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-517/
*** ZDI-16-518: Rockwell Automation RSLogix Micro Starter Lite Project File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rockwell Automation RSLogix Micro Starter Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-518/
*** Vuln: QEMU hw/usb/hcd-xhci.c Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93029
*** Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Security Update ***
---------------------------------------------
Symantec has released an update to address two issues in the RAR file parser component of the antivirus decomposer engine used by multiple Symantec products. Parsing of maliciously formatted RAR container files may cause an application-level denial of service condition.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2016-5955) ***
http://www.ibm.com/support/docview.wss?uid=swg21990054
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libtiff affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024132
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024088
---------------------------------------------
*** IBM Security Bulletin: Rational Asset Analyzer (CVE-2016-5967) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990215
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in node.js processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990050
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182) ***
http://www.ibm.com/support/docview.wss?uid=swg21989496
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update for Multiple Vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989067
---------------------------------------------
*** IBM Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21981529
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 16-09-2016 18:00 − Monday 19-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Week in Ransomware - September 16 2016 - Stampado, Locky, Atom, and More ***
---------------------------------------------
Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-septem…
*** Windows Events log for IR/Forensics ,Part 1, (Sun, Sep 18th) ***
---------------------------------------------
In the time of incidents, Windows Event logs provide plenty of useful information for the Incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them. Here are some of the most useful events for Forensics/Incident response (Event ID, Description, Log Name): 4624, Successful Logon, Security; 4625, Failed Login...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21493&rss
*** Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle ***
---------------------------------------------
Researcher revealed Tor flaw after initially being ignored. Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks that also affects the Tor anonymity network.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/18/mozilla_tor…
*** Untangling the Ripper ATM Malware ***
---------------------------------------------
Last August, security researchers released a blog discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure. During our analysis we noticed some additional details that were not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ddt8SN3uzhs/
*** Periscope ATM Skimmers ***
---------------------------------------------
"Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning they're impossible to notice. They've been found in the US.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/09/periscope_atm_s.html
*** 324,000 payment cards breached, CVVs included, source still unknown! ***
---------------------------------------------
When you decide to add debugging logs to your payment application, the PCI DSS rules about what you are allowed to store DO NOT CHANGE!
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/NpR-rDlVOj0/
*** Does it Matter If You Cover Your Webcam?, (Mon, Sep 19th) ***
---------------------------------------------
During security conferences, laptops with tape covering the webcam have certainly been a common sight. But recently, covering webcams has become somewhat of a mainstream phenomenon, after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests people cover their cameras [2]. Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21497&rss
*** Reverse Engineering Cisco ASA for EXTRABACON Offsets ***
---------------------------------------------
[...] One of the zero-day vulnerabilities released was a remote code execution in the Cisco Adaptive Security Appliance (ASA) device. The Equation Group's exploit for this was named EXTRABACON. [...] At RiskSense we had spare ASAs lying around in our red team lab, and my colleague Zachary Harding was extremely interested in exploiting this vulnerability. I told him if he got the ASAs properly configured for remote debugging I would help in the exploitation process.
---------------------------------------------
https://zerosum0x0.blogspot.cz/2016/09/reverse-engineering-cisco-asa-for.ht…
*** BENIGNCERTAIN-like flaw affects various Cisco networking devices ***
---------------------------------------------
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products - and they found one. CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/19/beningcertain-cisco-networking-d…
*** IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products ***
---------------------------------------------
A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iPrint Appliance 2.1 Hot Patch 2 ***
---------------------------------------------
Abstract: iPrint Appliance 2.1 Hot Patch 2 is the first patch set for the iPrint Appliance version 2.1. Document ID: 5254950; Security Alert: Yes; Distribution Type: Public; Entitlement Required: No; Files: iPrint-2.1.0.68.HP.zip (755.2 MB); Products: iPrint Appliance 2.1; Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=AJTQmn_Q1yk~
*** iPrint Appliance 2.0 Hot Patch 2 ***
---------------------------------------------
Abstract: Hot Patch 2 includes bug fixes, security fixes and a consolidation of previously released patches, including iPrint Appliance 2.0 Patch 2. Document ID: 5254970; Security Alert: Yes; Distribution Type: Public; Entitlement Required: No; Files: iPrint-2.0.0.533.HP.zip (881.14 MB); Products: iPrint Appliance 2; Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=C1Xh-X9MGcc~
*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u. These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classified as severity "high", one as "moderate", and the rest "low".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.ht…
*** IBM Security Bulletin: Spice-server vulnerabilities affect IBM SmartCloud Entry (CVE-2016-0749 CVE-2016-2150) ***
---------------------------------------------
SmartCloud Entry is vulnerable to Spice-server vulnerabilities. Attackers could exploit them to cause improper bounds checking by smartcard interaction or bypass security restrictions. CVE(s): CVE-2016-0749, CVE-2016-2150. Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024006 X-Force...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024006
*** IBM Security Bulletin: Vulnerability in openssl affects IBM System Networking Switch products (CVE-2016-2108) ***
---------------------------------------------
IBM System Networking Switch products have addressed the following vulnerability in openssl. CVE(s): CVE-2016-2108. Affected product(s) and affected version(s) (Product: Affected Version): IBM Flex System Fabric EN4093R 10Gb Scalable Switch: 7.8.14.0; IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch: 7.8.14.0; IBM Flex System Fabric SI4093 System Interconnect Module: 7.8.14.0; IBM Flex System EN2092 1Gb...
---------------------------------------------
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099464
*** BINOM3 Electric Power Quality Meter Vulnerabilities ***
---------------------------------------------
Topic: BINOM3 Electric Power Quality Meter Vulnerabilities; Risk: Medium; Text: Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities. About: The meters are designed...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090122
*** MyBB 1.8.6 Improper validation of data passed to eval ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090124
*** MyBB 1.8.6 CSRF Weak Hashing, Plaintext Passwords ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090126
*** MyBB 1.8.6 SQL Injection ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090125
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 15-09-2016 18:00 − Friday 16-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3668 mailman - security update ***
---------------------------------------------
It was discovered that there was a CSRF vulnerability in mailman, a web-based mailing list manager, which could allow an attacker to obtain a user's password.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3668
*** Yokogawa STARDOM Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in the Yokogawa STARDOM controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-01
*** ABB DataManagerPro Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in ABB’s DataManagerPro application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-02
*** Trane Tracer SC Sensitive Information Exposure Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an information exposure vulnerability in Trane U.S. Inc.’s Tracer SC field panel.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03
*** Attack Leverages Windows Safe Mode ***
---------------------------------------------
Researchers say a proof-of-concept attack using Windows Safe Mode can lead to credential theft and allow hackers to move laterally within a corporate network.
---------------------------------------------
http://threatpost.com/attack-leverages-windows-safe-mode/120622/
*** Ransomware Getting More Targeted, Expensive ***
---------------------------------------------
I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensi…
*** DSA-3670 tomcat8 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3670
*** DSA-3669 tomcat7 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3669
*** Necurs – the Heavyweight Malware Spammer ***
---------------------------------------------
Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Necurs-%e2%80%93-the-Heavywe…
*** Trend Micro Internet Security vulnerability where files may be excluded as scan targets ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains a vulnerability where arbitrary files or folders may be excluded as scan targets.
---------------------------------------------
http://jvn.jp/en/jp/JVN98126322/
*** Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting ***
---------------------------------------------
Splunk Enterprise and Splunk Lite contain a cross-site scripting vulnerability. Note that this vulnerability is different from JVN#74244518.
---------------------------------------------
http://jvn.jp/en/jp/JVN71462075/
*** Detecting dangerous content more effectively: Google expands website scan ***
---------------------------------------------
Webmasters can now have their sites scanned even more thoroughly for, among other things, malware references and dangerous downloads.
---------------------------------------------
http://heise.de/-3325042
*** First security vulnerabilities discovered in crypto messenger Signal ***
---------------------------------------------
A programming error in Signal allows file attachments to be manipulated. Through a second one, attackers could have injected malicious code remotely, had a third bug not prevented this attack.
---------------------------------------------
http://heise.de/-3325242
*** Ransomware: Stampado encrypts files already encrypted by ransomware ***
---------------------------------------------
A new ransomware trojan uses a particularly nasty tactic: it encrypts files that have already been encrypted by other ransomware. Fortunately, there is a remedy.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-stampado-verschluesselt-von-ra…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 14-09-2016 18:00 − Thursday 15-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco Local Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WebEx Meetings Server Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system. The vulnerability is due ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) of the Cisco Unified Computing System (UCS) Manager and UCS 6200 Series Fabric Interconnects could allow an authenticated, local attacker to access the underlying operating system ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Fog Director for IOx Arbitrary File Write Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Fog Director for IOx could allow an authenticated, remote attacker to write a file to arbitrary locations. The vulnerability is due to insufficient input validation. An attacker could exploit this ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iOS 10 closes security holes in keyboard and sandbox ***
---------------------------------------------
The update to iOS 10.0.1 fixes seven weaknesses, including a possible disclosure of 'sensitive information' through the keyboard's autocorrect. watchOS 3 plugs one hole.
---------------------------------------------
http://heise.de/-3323066
*** DSA-3666 mysql-5.5 - security update ***
---------------------------------------------
Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3666
*** Science press site hacked; hackers release .. random crap ***
---------------------------------------------
http://arstechnica.com/science/2016/09/science-press-site-hacked-hackers-re…
*** Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation ***
---------------------------------------------
All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cryptocurrencies-a-target-for-cybercri…
*** Russian Hackers Get Bolder in Anti-Doping Agency Attack ***
---------------------------------------------
The attack on the World Anti-Doping Agency, following the DNC hack, signals Russian hackers emerging from the shadows to brazenly flaunt their work.
---------------------------------------------
https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hacke…
*** Virtual ship theft in Star Citizen ***
---------------------------------------------
In the still unfinished space epic Star Citizen, players can buy virtual spaceships for hundreds of euros. Attacks on players' accounts now appear to be increasing, with the aim of stealing these ships.
---------------------------------------------
http://heise.de/-3323060
*** DSA-3667 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3667
*** Ransomware trojan Locky now with autopilot ***
---------------------------------------------
According to security researchers, Locky can now do its damage offline as well, without contact to the criminals' command-and-control server.
---------------------------------------------
http://heise.de/-3324553
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 13-09-2016 18:00 − Wednesday 14-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MS16-SEP - Microsoft Security Bulletin Summary for September 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for September 2016.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-SEP
*** Announcing the Project Zero Prize ***
---------------------------------------------
Posted by Natalie Silvanovich, Exploit Enthusiast. Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we've decided to start our own contest: The Project Zero Prize. The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/announcing-project-zero-prize…
*** MSRT September 2016 release feature: Prifou ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for: BrowserModifier:Win32/Prifou, TrojanClicker:Win32/NightClick, Trojan:Win32/Suweezy, Trojan:Win32/Xadupi. This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-rel…
*** Fear of spam: Swisscom deactivates several thousand mail accounts ***
---------------------------------------------
Because customers had chosen email passwords that were too simple, Swisscom blocked thousands of accounts. The company apparently fears otherwise ending up on the spam blacklists of Google or other providers. Customers now have to take action.
---------------------------------------------
http://www.golem.de/news/angst-vor-spam-swisscom-deaktiviert-mehrere-tausen…
*** Last classic Microsoft Patch Day brings seven critical updates ***
---------------------------------------------
Today Windows admins can choose for the last time which Windows updates they want to install on the monthly Patch Day. From next month on, there will only be monolithic rollup packages.
---------------------------------------------
http://heise.de/-3321310
*** Adobe Patch Day: Patch Flash now! ***
---------------------------------------------
Critical vulnerabilities in Flash Player allow computers to be hijacked. Adobe has released updates to close them. The eBook software Digital Editions and the AIR development tools also receive patches.
---------------------------------------------
http://heise.de/-3321895
*** Rio 2016: Fancybear publishes medical data of US athletes ***
---------------------------------------------
Confidential medical data of US athletes is online. Allegedly Russian hackers have published several data sets that are supposed to prove irregularities in doping controls. WADA is appalled - and speaks of legal exemptions.
---------------------------------------------
http://www.golem.de/news/rio-2016-fancybear-veroeffentlicht-medizinische-da…
*** Exploit Attempts for Drupal RESTWS .x Module Vulnerability, (Wed, Sep 14th) ***
---------------------------------------------
Attackers usually don't have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerability released in July of this year [1] [2]. The vulnerability itself is very straightforward. The attacker can send arbitrary php code that will be executed on the server. No special encoding beyond URL encoding appears to be required. Here is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21481&rss
*** ATMs: Man behind skimming gang must serve five years in prison ***
---------------------------------------------
A skimming gang stole almost 270,000 euros in Saxony using forged bank cards. The crime took place back in 2011; now a man behind the group has been sentenced to prison.
---------------------------------------------
http://www.golem.de/news/geldautomaten-hintermann-von-skimmingbande-muss-fu…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 12-09-2016 18:00 − Tuesday 13-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FortiClient Unencrypted Password Vulnerability ***
---------------------------------------------
One of the processes in FortiClient stores VPN credentials unencrypted in memory. A malicious attacker who compromised the workstation could dump the credentials.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-021
*** FortiClient DLL Hijacking vulnerability ***
---------------------------------------------
When executed, the FortiClient installer (FortiClientOnlineInstaller.exe), if downloaded before August 11th, 2016 (build 0842), would attempt to load DLLs from the directory where it resides.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-046
*** Turkish hackers apparently attacked Austrian National Bank ***
---------------------------------------------
According to Kurier, it is the same group that already attacked Vienna-Schwechat airport
---------------------------------------------
http://derstandard.at/2000044275176
*** Fake A1 online invoice in the inbox ***
---------------------------------------------
With supposed paperless A1 invoices, criminals want recipients to visit a website and open the file "A1_rechnung.zip" there. It conceals malware. Anyone who runs it installs programs that render the computer unusable or steal banking data. The safest thing is to delete the messages.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl…
*** Cache Flooding in TYPO3 Frontend ***
---------------------------------------------
It has been discovered that TYPO3 is vulnerable to Cache Flooding
---------------------------------------------
https://typo3.org/news/article/cache-flooding-in-typo3-frontend/
*** DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices ***
---------------------------------------------
Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-troj…
*** Security updates for Xen hypervisor ***
---------------------------------------------
A total of four security vulnerabilities require updates. Updated packages are available for Debian, Oracle VM and Fedora.
---------------------------------------------
http://heise.de/-3319523
*** "Pokémon Go": Fake app spies on millions of smartphones ***
---------------------------------------------
Spies on users' internet data and installs adware on the smartphone
---------------------------------------------
http://derstandard.at/2000044305667
*** Antivirus developer: John McAfee allegedly committed murders and rape ***
---------------------------------------------
A documentary film raises serious accusations against John McAfee. During his time in Belize, he is said to have killed two men and raped a woman. McAfee denies all allegations and accuses the film team of bribing sources.
---------------------------------------------
http://www.golem.de/news/antiviren-entwickler-john-mcafee-soll-morde-und-ve…
*** Neutrino EK’s Afraidgate pushed in malvertising attack ***
---------------------------------------------
With a rise in malvertising attacks lately, we take a look at an ad server pushing the Afraidgate, traditionally found on compromised sites.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/09/neutrino-eks-afra…
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Digital Editions (APSB16-28), Adobe Flash Player (APSB16-29) and Adobe AIR SDK & Compiler (APSB16-31). Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1399
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 09-09-2016 18:00 − Monday 12-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3664 pdns - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3664
*** WordPress 4.6.1 plugs two holes ***
---------------------------------------------
The makers of the WordPress CMS recommend installing the update to WordPress 4.6.1 as quickly as possible, since it closes two dangerous security vulnerabilities. Installations with auto-update have received the new version automatically over the past few days.
---------------------------------------------
http://heise.de/-3317796
*** OSX.Mokes: Powerful Mac malware discovered ***
---------------------------------------------
Gives attackers far-reaching surveillance capabilities; also searches the system for data
---------------------------------------------
http://derstandard.at/2000044172706
*** Android: Google's September security patch plugs another Stagefright hole ***
---------------------------------------------
In its September Security Bulletin, Google fixes several bugs in Android, including an extension of the Stagefright bug found by its own Team Zero. The patch has been delivered to the manufacturers, and some have already provided updates.
---------------------------------------------
http://heise.de/-3317825
*** Security experts find IoT botnet ***
---------------------------------------------
A Linux malware is currently attacking IoT devices such as IP cameras with outdated firmware. What is special about this malware: after infection it covers its tracks and remains present only in the devices' RAM. That makes analysis harder.
---------------------------------------------
http://heise.de/-3317830
*** WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8619
*** l+f: Anti-ROP Mainframe-Style ***
---------------------------------------------
Following Intel, Microsoft, OpenBSD and various others, IBM is now also presenting its own anti-ROP technique.
---------------------------------------------
http://heise.de/-3317746
*** USB Killer: 50-dollar stick destroys computers when plugged in ***
---------------------------------------------
Version 2.0 of the stick released; high-voltage pulse causes irreparable damage
---------------------------------------------
http://derstandard.at/2000044216572
*** Gugi: from an SMS Trojan to a Mobile-Banking Trojan ***
---------------------------------------------
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
---------------------------------------------
http://securelist.com/blog/mobile/76023/gugi-from-an-sms-trojan-to-a-mobile…
*** Vdos: Operators of the largest DDoS provider arrested in Israel ***
---------------------------------------------
The hack of a DDoS provider shows: renting out attack capacity is a lucrative business. Ironically, the providers try to hide behind the DDoS protection service Cloudflare. The operators have since been arrested in Israel.
---------------------------------------------
http://www.golem.de/news/vdos-betreiber-des-groessten-ddos-anbieters-in-isr…
*** Remote Root Code Execution / Privilege Escalation (0day) ***
---------------------------------------------
Independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
---------------------------------------------
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution…
*** DSA-3665 openjpeg2 - security update ***
---------------------------------------------
Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression/decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3665
*** Linux Malware: Novelties in the Threat Landscape ***
---------------------------------------------
In the last couple of years, security firms have observed an increasing number of malware specifically designed to target Linux-based systems. Linux, like ..
---------------------------------------------
http://resources.infosecinstitute.com/linux-malware-novelties-threat-landsc…
*** Payment Card Industry Council: Credit card terminals to get firmware updates soon ***
---------------------------------------------
Skimming, credit card fraud and manipulated payment terminals: the security standard for EC and credit card terminals is being revised. In future the devices are to receive signed updates and become resistant to lasers.
---------------------------------------------
http://www.golem.de/news/payment-card-industry-council-kreditkartenterminal…
*** LuaBot: Malware targeting cable modems ***
---------------------------------------------
CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any POCs during that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone is actively exploiting those devices since May/2016.
---------------------------------------------
https://w00tsec.blogspot.co.at/2016/09/luabot-malware-targeting-cable-modem…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 08-09-2016 18:00 − Friday 09-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3662 inspircd - security update ***
---------------------------------------------
It was discovered that incorrect SASL authentication in the Inspircd IRC server may lead to users impersonating other users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3662
*** ZDI-16-505: AlienVault Unified Security Management get_directive_kdb directive_id SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-505/
*** ZDI-16-504: AlienVault Unified Security Management Multiple PHP Scripts Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-504/
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler ..
---------------------------------------------
http://support.citrix.com/article/CTX216642
*** iPrint Appliance 2.0 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=S7GK9olwBDk~
*** iPrint Appliance 2.1 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=lVbNSynhgHU~
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
It's a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, it's just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome to warn about non-encrypting websites ***
---------------------------------------------
Initially the browser will only brand pages that contain passwords or credit card information. The warning is then to be extended step by step.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758
*** HTTPS: Google Chrome wants to warn about unencrypted websites ***
---------------------------------------------
How to deal with unencrypted websites? Google wants Chrome to warn in future when unencrypted websites ask for passwords and credit card data. But that is only the beginning of the plans.
---------------------------------------------
http://www.golem.de/news/https-google-chrome-will-vor-unverschluesselten-we…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 07-09-2016 18:00 − Thursday 08-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco Firepower Management Center and FireSIGHT System Software Session Fixation Vulnerability ***
---------------------------------------------
A vulnerability in session identification management functionality of the web-based management interface for Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to hijack a valid user session ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Management Center and FireSIGHT System Software Malware Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the malicious file detection and blocking features of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Management Center and FireSIGHT System Software Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an authenticated, remote attacker ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Return to libstagefright: exploiting libutils on Android ***
---------------------------------------------
I’ve been investigating different fuzzing approaches on some Android devices recently, and this turned up the following rather interesting bug (CVE 2016-3861 fixed in the most recent Android Security Bulletin), deep in the ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/return-to-libstagefright-expl…
*** [R1] LCE 4.8.1 Fixes Multiple Third-party Library Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-14
*** Critical Flaws Found in Network Management Systems ***
---------------------------------------------
Four leading network management system providers patched nearly a dozen critical cross-site scripting vulnerabilities disclosed Wednesday by Rapid7.
---------------------------------------------
http://threatpost.com/critical-flaws-found-in-network-management-systems-2/…
*** Updated DShield Blocklist ***
---------------------------------------------
Earlier today, I updated how our block list is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21453&
*** Stealing login credentials from a locked PC or Mac just got easier ***
---------------------------------------------
20 seconds of physical access with a $50 device is all it takes.
---------------------------------------------
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-l…
*** The Limits of SMS for 2-Factor Authentication ***
---------------------------------------------
A recent ping from a reader reminded me that I've been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentic…
*** Ransomware: FBI hopes for more reports ***
---------------------------------------------
The extortionists who hijack and encrypt computers are becoming ever more professional. In the USA, the FBI would like as many victims as possible to file reports, since any information could help in the fight against the criminals.
---------------------------------------------
http://heise.de/-3316101
*** Ten-year-old Windows Media Player hack is the new black, again ***
---------------------------------------------
Why bother buying a zero-day when casual piracy and old code can p0wn thousands? Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.
---------------------------------------------
www.theregister.co.uk/2016/09/08/windows_media_player_malware_drm_security/
*** WordPress 4.6.1 upgrades security, fixes 15 bugs ***
---------------------------------------------
WordPress 4.6.1 is now available. This is a security release for all previous versions and all users are strongly encouraged to update their sites immediately. The two ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/08/wordpress-4-6-1-upgrades-securit…
*** Network analysis: Version 2.2 of Wireshark released ***
---------------------------------------------
Version 2.2 of Wireshark understands a number of new protocols. In addition, it now speaks JSON itself and can export packets in that format.
---------------------------------------------
http://heise.de/-3316297
*** Denial of Service in extension "Speaking URLs for TYPO3" (realurl) ***
---------------------------------------------
https://typo3.org/news/article/denial-of-service-in-extension-speaking-urls…
*** Xen Security Advisory CVE-2016-7154 / XSA-188 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-188.html
*** Xen Security Advisory CVE-2016-7094 / XSA-187 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-187.html
*** Xen Security Advisory CVE-2016-7093 / XSA-186 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-186.html
*** Xen Security Advisory CVE-2016-7092 / XSA-185 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-185.html
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious privileged code running within a guest VM to compromise the host.
---------------------------------------------
https://support.citrix.com/article/CTX216071
*** IBM Security Bulletin: A security vulnerability for cross-site scripting affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2986) ***
---------------------------------------------
This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989940
*** IBM Security Bulletin: A vulnerability in PostgreSQL affects IBM Security Access Manager version 9 (CVE-2016-0773) ***
---------------------------------------------
IBM Security Access Manager version 9 appliances are affected by a vulnerability in PostgreSQL. CVE(s): CVE-2016-0773. Affected product(s) and affected version(s): IBM ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989543
*** Copyright: Data leak in cease-and-desist software ***
---------------------------------------------
A law firm that takes action against the unlawful use of photos apparently uses software that is carelessly configured. Unauthorised users were able to view data on cases and warning notices.
---------------------------------------------
http://www.golem.de/news/urheberrechte-datenpanne-bei-abmahnkanzlei-1609-12…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 06-09-2016 18:00 − Wednesday 07-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cleaning the Wp-Page Pharma Hack in WordPress ***
---------------------------------------------
Pharma hacks are common website infections categorized under SEO spam. With pharma hacks, the attacker exploits vulnerable websites to distribute pharmaceutical advertisements to visitors. Symptoms of a pharma hack include embedded links and anchor text on pages or modified listings in Search Engine Results Pages (SERPs). These attacks most often target search engines like Google...
---------------------------------------------
https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpre…
*** How to Set Up Your Own Malware Trap, (Tue, Sep 6th) ***
---------------------------------------------
I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other than your corporate e-mail system. Sadly, many corporations these days switch to cloud...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21447&rss
*** Google plugs last QuadRooter holes in Android ***
---------------------------------------------
As part of its monthly Android patches, Google plugs 47 security vulnerabilities in the operating system. Seven of the vulnerabilities are rated critical.
---------------------------------------------
http://heise.de/-3315023
*** Unpatched vulnerabilities in Fortinet load balancers ***
---------------------------------------------
With an update, Fortinet has closed a security vulnerability in its FortiWAN series load balancers. Other vulnerabilities, however, appear to be unaffected by it, which would allow attackers to execute admin commands without the corresponding privileges.
---------------------------------------------
http://heise.de/-3315178
*** No confirmation of personal data required at Amazon ***
---------------------------------------------
In a phishing email, criminals write that Amazon has temporarily frozen the recipient's user account. For this reason, customers are to confirm their personal data. To do so, they have to follow a link and disclose their login credentials on a website. Users must not do that!
---------------------------------------------
https://www.watchlist-internet.at/phishing/keine-bestaetigung-persoenlicher…
*** Back-dooring PE Files on Windows ***
---------------------------------------------
Introduction: Portable Executable (PE) files are very commonly used today. Many people download these files from the internet or get them from a friend and run them on their systems without realizing the dangers involved in running these kinds of files. It is very easy to add malicious code to these files and have it...
---------------------------------------------
http://resources.infosecinstitute.com/back-dooring-pe-files-windows/
*** The Missing Piece - Sophisticated OS X Backdoor Discovered ***
---------------------------------------------
In a nutshell, Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
---------------------------------------------
http://securelist.com/blog/research/75990/the-missing-piece-sophisticated-o…
*** A bite of Python ***
---------------------------------------------
Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2592591
*** OUCH! 2016 Newsletter ***
---------------------------------------------
September 2016: Email Dos and Don'ts
---------------------------------------------
https://securingthehuman.sans.org/resources/newsletters/ouch/2016
*** WordPress 4.6.1 Security and Maintenance Release ***
---------------------------------------------
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance…
*** FortiWAN Multiple Vulnerabilities ***
---------------------------------------------
FortiWAN 4.2.4 and below is exposed to cross site scripting, information leak and escalation of privilege vulnerabilities. CVE-2016-4965 FortiWAN: Non-administrative authenticated user having access privileges to the nslookup functionality can perform OS command injection in the root user context. CVE-20...
---------------------------------------------
http://fortiguard.com/advisory/fortiwan-multiple-vulnerabilities
*** [R5] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-09
*** TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations ***
---------------------------------------------
Original release date: September 06, 2016. Systems Affected: Network Infrastructure Devices. Overview: The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-250A
*** Security Advisory: Expat XML parser vulnerability CVE-2012-6702 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65460334.html?…
*** Security Advisory: FreeType vulnerabilities CVE-2014-9746 and CVE-2014-9747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52439336.html?…
*** Bugtraq: Infoblox Cross-site scripting vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539367
*** Bugtraq: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539366
*** BMC BladeLogic Server Automation For Linux 8.7 Directory Dump ***
---------------------------------------------
Topic: BMC BladeLogic Server Automation For Linux 8.7 Directory Dump. Risk: Medium. Text: Title: Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation. Affected Software: BMC Bla...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090036
*** VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials. Original Release date: 07 Sep 2016 | Last revised: 07 Sep 2016. Overview: DEXIS is a dental x-ray imaging software that manages patient records. DEXIS Imaging Suite 10 contains several hard-coded credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6532. DEXIS Imaging Suite 10 contains several hard-coded database credentials...
---------------------------------------------
http://www.kb.cert.org/vuls/id/282991
*** VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials. Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: The Dentsply Sirona ShickTech CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6530. ShickTech CDR DICOM version 5 and below contains several hard-coded database...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** VU#619767: Open Dental contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#619767: Open Dental contains hard-coded credentials. Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: Open Dental is a medical dental records management software. Open Dental contains hard-coded default credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6531. Open Dental contains a hard-coded default database credential. An unauthenticated remote attacker with...
---------------------------------------------
http://www.kb.cert.org/vuls/id/619767
*** VU#548399: Dentsply Sirona CDR DICOM contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399 Dentsply Sirona CDR DICOM contains multiple hard-coded credentials Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016 Overview The Dentsply Sirona (previously known as Shick Technologies) CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6530 Dentsply Sirona CDR DICOM version 5 and below...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** Security Advisory - XML Bomb Vulnerability in AnyOffice ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - Two Vulnerabilities in Huawei WS331a ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - TCP Connection Hijack Vulnerability ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - Information Leak Vulnerability in Certain Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-455876
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect AIX (CVE-2015-7974, CVE-2016-1550, CVE-2016-1551, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955) ***
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
---------------------------------------------
*** IBM Security Bulletin: Two vulnerabilities in libvirt affect PowerKVM (CVE-2015-5313, CVE-2016-5008) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024185
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024229
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Apache HTTP Server affects PowerKVM (CVE-2016-5387) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024017
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a Pluggable Authentication Module (PAM) vulnerability (CVE-2013-7041) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024221
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182 ***
http://www.ibm.com/support/docview.wss?uid=swg21988638
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center April 2016 CPU (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21988636
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0787) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099450
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational Team Concert with potential for Cross-Site Scripting attack (CVE-2016-0331) ***
http://www.ibm.com/support/docview.wss?uid=swg21989899
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Taglibs vulnerability affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-0254 ***
http://www.ibm.com/support/docview.wss?uid=swg21988644
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in MD5 Signature and Hash Algorithm, glibc and OpenSSL affect IBM Netezza Firmware Diagnostics Tools ***
http://www-01.ibm.com/support/docview.wss?uid=swg21980965
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-09-2016 18:00 − Tuesday 06-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops ***
---------------------------------------------
Whaling attackers fall for poison PDF invoices. HITB: Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams, and they hate him for it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/06/hacker_hack…
*** House of Keys: 9 Months later... 40% Worse ***
---------------------------------------------
In November 2015 SEC Consult released the results of our study on hardcoded cryptographic secrets in embedded systems. It's time to summarize what has happened since. To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last...
---------------------------------------------
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.h…
*** Too many Cisco ASA boxes still open to an EXTRABACON attack ***
---------------------------------------------
Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers. It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak. You would think that news like this would...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/06/cisco-asa-still-open-extrabacon/
*** Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis ***
---------------------------------------------
The Bridge on the River Forza. "We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame." -Colonel Nicholson (The Bridge on the River Kwai, 1957). Efficiency. Something we look to implement in everything we do, whether that be through the elimination of waste through Six Sigma, or other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach to ensure no stone left...
---------------------------------------------
https://feeds.feedblitz.com/~/192237180/0/alienvault-blogs~Digital-Forensic…
*** How False Positives can ruin your day - and how to stop them ***
---------------------------------------------
False positives can seriously ruin your day, and can cost enterprises serious money. Highlighted by a recent example, we share some key tips on how to mitigate false alerts.
---------------------------------------------
https://www.htbridge.com/blog/how-false-positives-can-ruin-your-day-and-how…
*** A week in security (Aug 28 - Sep 03) ***
---------------------------------------------
A compilation of notable security news and blog posts from August 28th to September 3rd. This week, we talked about browser-based fingerprinting; what was going on with the Mac app, Transmission; and a tech support scam that banked on an iPad error popping up on Windows systems.
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/09/a-week-in-security-aug…
*** [2016-09-06] Private key for browser-trusted certificate embedded in multiple Aruba Networks / Alcatel-Lucent products ***
---------------------------------------------
A browser-trusted certificate including its private key is embedded in the firmware of several Aruba Networks/Alcatel-Lucent products. The certificate is used for providing user access to a captive portal via HTTPS as well as EAP connections for WPA2-Enterprise clients. An attacker can use this vulnerability to impersonate a captive portal or Wi-Fi AP and gain access to sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SSA-630413 (Last Update 2016-09-05): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413…
*** ArcServe UDP - Unquoted Service Path Privilege Escalation ***
---------------------------------------------
Topic: ArcServe UDP - Unquoted Service Path Privilege Escalation Risk: High Text:Title: ArcServe UDP - Unquoted Service Path Privilege Escalation CWE Class: CWE-427: Uncontrolled Search Path Element Date: 0...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090024
*** ArcServe UDP - Download Manager/Setup - DLL Hijacking ***
---------------------------------------------
Topic: ArcServe UDP - Download Manager/Setup - DLL Hijacking Risk: Medium Text:Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking CWE Class: CWE-427: Uncontrolled Search Path Element Date: 04/09...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090030
*** ArcServe UDP - HTTP Installation MiTM ***
---------------------------------------------
Topic: ArcServe UDP - HTTP Installation MiTM Risk: Low Text:Title: ArcServe UDP - MiTM CWE Class: CWE-300: Channel Accessible by Non-Endpoint (Man-in-the-Middle) | CWE-319: Cleartext T...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090029
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V9000 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009104
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Network Security Services (NSS) affect the IBM FlashSystem models 840 and 900 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009103
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V840 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009102
---------------------------------------------
*** IBM Security Bulletin: BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919, CVE-2016-0211) ***
http://www.ibm.com/support/docview.wss?uid=swg21987604
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer may be affected by an Apache Xerces-C XML Parser library vulnerability (CVE-2016-0729) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988714
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009106
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009105
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-09-2016 18:00 − Monday 05-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** DNS tunneling threat drills into nearly half of networks tested ***
---------------------------------------------
InfoBlox's new report showed that nearly half of all networks tested show signs of DNS tunnelling.
---------------------------------------------
http://www.scmagazine.com/dns-tunneling-threat-drills-into-nearly-half-of-n…
*** Android Patch Fixes Nexus 5X Critical Vulnerability ***
---------------------------------------------
Google patched an undocumented vulnerability that allowed attackers to bypass the Nexus 5X device's lock screen via a forced memory dump that exposed the device owner's password.
---------------------------------------------
http://threatpost.com/android-patch-fixes-nexus-5x-critical-vulnerability/1…
*** Cisco IOS Software Point-to-Point Tunneling Protocol Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of Point-to-Point Tunneling Protocol (PPTP) server functionality in Cisco IOS Software could allow an unauthenticated, remote attacker to access data from a packet buffer that was previously ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Sundown EK – Stealing Its Way to the Top ***
---------------------------------------------
Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is under constant development. With ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%e2%80%93-St…
*** Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks
---------------------------------------------
http://www.securitytracker.com/id/1036728
*** ‘Flash Hijacks’ Add New Twist to Muggings ***
---------------------------------------------
A frequent crime in Brazil is a scheme in which thieves kidnap people as they're leaving a bank, and free them only after they've visited a number of ATMs to withdraw ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/flash-hijacks-add-new-twist-to-muggings/
*** Telnet is not dead – at least not on ‘smart’ devices ***
---------------------------------------------
Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But ..
---------------------------------------------
http://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-d…
*** "If your data is in the cloud, the NSA has it too" ***
---------------------------------------------
Cryptologist Bart Preneel in an interview with futurezone on encryption in the post-Snowden era, backdoors and quantum cryptography.
---------------------------------------------
https://futurezone.at/science/wenn-ihre-daten-in-der-cloud-sind-hat-sie-auc…
*** Microsoft thought of the children and decided to ban some browsers ***
---------------------------------------------
Redmond's Family Settings now block browsers-without-filters by default, but which ones? Microsoft has updated its family filters to block some rival ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/microsoft_thought_of_the_children_and_deci…
*** Background: Analysed: Ransomware meets Info-Stealer - RAA and the thieving Pony, Part II ***
---------------------------------------------
As this episode of "Analysed:" reveals, the seemingly perfect encryption of the RAA trojan does have gaps after all. The password stealer launched by RAA cannot evade analysis with its anti-debugging tricks either.
---------------------------------------------
http://heise.de/-3303401
*** Fake attacks by insiders to fool companies ***
---------------------------------------------
Famous cybercrime groups' and hacktivists' “brands” may be a smokescreen to cover sophisticated insider attacks.
---------------------------------------------
https://www.htbridge.com/blog/fake-attacks-by-insiders-to-fool-companies.ht…
*** Security Advisory - Information Leak Vulnerability in Huawei eSpace IAD ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** Security Advisory - Multiple Security Vulnerabilities in Huawei HiSuite ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** BKA takes on ransomware with SOKO Clavis ***
---------------------------------------------
With cases piling up in recent weeks, the German Federal Criminal Police Office (Bundeskriminalamt, BKA) now wants to take targeted action against ransomware. A special commission (SOKO) is to track down the perpetrators.
---------------------------------------------
https://futurezone.at/netzpolitik/bka-geht-mit-soko-clavis-gegen-ransomware…
*** Sophos Windows users face black screens after false positive snafu ***
---------------------------------------------
Black is the new BSOD. Users of Sophos’s security software were confronted with a black screen on starting up ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
*** Vuln: Inspircd SSL Certificate Spoofing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92737
*** Declared dead, still alive: Adobe polishes up NPAPI Flash on Linux ***
---------------------------------------------
Contrary to many an opinion piece, Flash is far from finished. Adobe apparently has to accept that too and is now refreshing the outdated NPAPI version on Linux.
---------------------------------------------
http://heise.de/-3314084
*** 800,000 plaintext passwords from porn site Brazzers published ***
---------------------------------------------
Once again a large hack involving copied user data has come to light, and once again the break-in into the servers appears to have taken place in 2012.
---------------------------------------------
http://heise.de/-3314087
*** Malware Delivered via .pub Files ***
---------------------------------------------
While searching for new scenarios to deliver their malwares[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21443
*** Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems ***
---------------------------------------------
The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners. We are providing a ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-u…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 01-09-2016 18:00 − Friday 02-09-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Chrome 53 Fixes Address Spoofing Vulnerability, 32 Other Bugs ***
---------------------------------------------
http://threatpost.com/chrome-53-fixes-address-spoofing-vulnerability-32-oth…
*** Insecure Redis Instances at Core of Attacks Against Linux Servers ***
---------------------------------------------
Attackers are targeting insecure Redis instances, exposed to the internet, to access Linux servers and delete web files and folders in exchange for ransom.
---------------------------------------------
http://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-l…
*** Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite ***
---------------------------------------------
https://support.apple.com/kb/HT207130
*** Safari 9.1.3 ***
---------------------------------------------
https://support.apple.com/kb/HT207131
*** IoT Home Router Botnet Leveraged in Large DDoS Attack ***
---------------------------------------------
We have been monitoring a large-scale Layer 7 HTTPS flood attack (i.e., application level DDoS) against a customer over the past few weeks. It is being distributed ..
---------------------------------------------
https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-d…
*** When physics becomes a security vulnerability ***
---------------------------------------------
At the Usenix security conference, hackers demonstrated new ways of manipulating systems through attacks on the hardware.
---------------------------------------------
https://futurezone.at/science/wenn-die-physik-zur-sicherheitsluecke-wird/21…
*** DSA-3658 libidn - security update ***
---------------------------------------------
Hanno Boeck discovered multiple vulnerabilities in libidn, the GNU library for Internationalized Domain Names (IDNs), allowing a remote attacker to cause a denial of service against an application using the libidn library (application crash).
---------------------------------------------
https://www.debian.org/security/2016/dsa-3658
*** Suspected attacker of the Linux kernel's web infrastructure arrested ***
---------------------------------------------
A hacker has been arrested in the USA who is said to be responsible for attacks on the Linux Foundation and the website kernel.org. This is apparently the well-known attack of 2011.
---------------------------------------------
http://heise.de/-3312595
*** Over 40 million usernames, passwords from 2012 breach of Last.fm surface ***
---------------------------------------------
While Last.fm informed users in 2012, passwords were easily cracked.
---------------------------------------------
http://arstechnica.com/security/2016/09/over-40-million-usernames-passwords…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 31-08-2016 18:00 − Thursday 01-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** There are really only two effectively distinct settings for the UAC slider ***
---------------------------------------------
There's a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels: ... Although it looks like there are four settings, in a theoretical sense, there really are only two settings.
---------------------------------------------
https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
*** Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050 ***
---------------------------------------------
https://www.drupal.org/node/2793115
*** So much for counter-phishing training: Half of people click anything sent to them ***
---------------------------------------------
Even people who claimed to be aware of risks clicked out of curiosity.
---------------------------------------------
http://arstechnica.com/security/2016/08/researchers-demonstrate-half-of-peo…
*** New Version of Cerber Ransomware Distributed via Malvertising ***
---------------------------------------------
Cerber has become one of the most notorious and popular ransomware families to date. It now has a new variant that, while superficially similar to earlier variants, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-version-cerb…
*** MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ***
---------------------------------------------
Background: From August 4th 2016 several sysadmin friends started to upload these malware files to our dropbox. The samples weren't easy to retrieve, so there are good ones and also some broken ones; I listed the good ones in this post. This threat is made by the ELF trojan backdoor, the ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
*** Maxmind.com (Ab)used As Anti-Analysis Technique ***
---------------------------------------------
A long time ago I wrote a diary[1] about malware samples which use online geolocalization services. Such services are used to target only specific victims. If the malware detects that it is executed from a specific area, it just stops. This ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21435
*** Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter ***
---------------------------------------------
This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, ..
---------------------------------------------
https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss-in…
*** Spotify: Just change your passwords ***
---------------------------------------------
New passwords yet again: some Spotify customers are being asked to change theirs as a precaution; the background remains vague. The criteria by which the customers were selected are not known either.
---------------------------------------------
http://www.golem.de/news/spotify-einfach-mal-passwoerter-aendern-1609-12301…
*** Federal Criminal Police Office warns of ransomware trojan in fake job application emails ***
---------------------------------------------
Computer is encrypted and a ransom demanded
---------------------------------------------
http://derstandard.at/2000043687916
*** Unix: OpenBSD 6.0 enforces W^X for the base system ***
---------------------------------------------
The OpenBSD project hardens its base system by ensuring that the memory in use is either writable or executable (W^X). In addition, the team drops VAX and Linux support, but has extended ARMv7 support.
---------------------------------------------
http://www.golem.de/news/unix-openbsd-6-0-erzwingt-w-x-fuer-das-basissystem…
*** Darknet: Arrest after drug raid on Chemical Love customers ***
---------------------------------------------
In a nationwide raid, investigators seized larger quantities of drugs that the suspects are said to have previously bought on the darknet. The accused are said to have acted as dealers.
---------------------------------------------
http://www.golem.de/news/darknet-festnahme-nach-drogenrazzia-bei-chemical-l…
*** Retefe trojan in fake invoices ***
---------------------------------------------
E-mail inboxes contain messages with the subject “Ihre Zahlung 631 EUR”, “167 EUR Bestellung”, “33 EUR Zahlung” or “81 EUR Rechnung”. They supposedly come from the ..
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/retefe-trojaner-in…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 30-08-2016 18:00 − Wednesday 31-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Bulletin Posted for ColdFusion (APSB16-30) ***
---------------------------------------------
Adobe has published a Security Bulletin (APSB16-30) announcing the availability of hotfixes for ColdFusion versions 11 and 10. These hotfixes resolve a critical vulnerability ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1395
*** Inside the Demise of the Angler Exploit Kit ***
---------------------------------------------
Researchers at Kaspersky Lab today confirmed that the cybercriminals behind the Lurk Trojan were also responsible for the development and distribution of ..
---------------------------------------------
http://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/
*** BASHLITE Family Of Malware Infects 1 Million IoT Devices ***
---------------------------------------------
Over 1 million consumer web-connected video cameras and DVRs have become slaves to botnet herders that use the devices for DDoS and phishing attacks.
---------------------------------------------
http://threatpost.com/bashlite-family-of-malware-infects-1-million-iot-devi…
*** Ask Sucuri: How Modern Web Phishing Works ***
---------------------------------------------
Most of us have experienced some kind of phishing attempt in our online lives, and we have seen phishing grow in complexity. Usually, we notice that the login pages are ..
---------------------------------------------
https://blog.sucuri.net/2016/08/modern-web-phishing-works.html
*** Ursnif: Deep Technical Dive ***
---------------------------------------------
While attack tools around the world are stealthy and stay under the radar, we at Seculert examine many different malicious tools. This is done in order to stay at least one step ahead of the attackers, and improve our advanced analytics technology to detect their artistic evasive techniques.
---------------------------------------------
http://www.seculert.com/blogs/ursnif-deep-technical-dive
*** Banks said to be the target: DDoS extortionists demand “only” 1 Bitcoin and threaten encryption ***
---------------------------------------------
The current group calls itself “HACKER TEAM – Armada Collective”. The criminals have, according to Link11, several ..
---------------------------------------------
http://www.it-finanzmagazin.de/ernstzunehmende-ddos-erpresser-fordern-nur-1…
*** Adobe plugs ColdFusion holes ahead of patch day ***
---------------------------------------------
A good two weeks before the company's regular patch day, Adobe is closing two holes in the web application server ColdFusion. This suggests that admins should apply the patches quickly.
---------------------------------------------
http://heise.de/-3309658
*** Blockchain technology: A third of all Bitcoin exchanges have been hacked ***
---------------------------------------------
How safe are Bitcoins at online exchanges? Not particularly, if a recent study is to be believed. According to it, ..
---------------------------------------------
http://www.golem.de/news/blockchain-technologie-ein-drittel-aller-bitcoin-b…
*** [2016-08-31] Manipulation of pre-boot authentication in CryptWare CryptoPro Secure Disk for Bitlocker ***
---------------------------------------------
CryptoPro Secure Disk for Bitlocker contains multiple vulnerabilities which can be used by an attacker to manipulate the PBA (pre-boot authentication). This allows ..
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DSA-3657 libarchive - security update ***
---------------------------------------------
Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in libarchive; processing malformed archives may result in denial of service or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3657
*** Dropbox hack: Around 68 million passwords online since 2012 ***
---------------------------------------------
Database could apparently be stolen because of the LinkedIn hack, where a Dropbox employee used the same password
---------------------------------------------
http://derstandard.at/2000043625840
*** Swift speaks of further hacker attacks on banks ***
---------------------------------------------
http://derstandard.at/2000043626250
*** BitTorrent client Transmission once again delivered malware to Macs ***
---------------------------------------------
For the second time, by downloading the popular BitTorrent app, users could get malware on their Mac ..
---------------------------------------------
http://heise.de/-3310446
*** Security vulnerabilities in defibrillators: Investment firm speculated on the manufacturer's share price ***
---------------------------------------------
A serious accusation: A security firm is said to have exaggerated potentially life-threatening security vulnerabilities and disclosed them to an investment firm in order to then make money on the stock market.
---------------------------------------------
http://heise.de/-3309906
*** Certificate authority: Wosign issues unauthorized certificate for Github ***
---------------------------------------------
A whole series of incidents puts the certificate authority Wosign under pressure to explain itself. Various security vulnerabilities made possible the unauthorized issuance of ..
---------------------------------------------
http://www.golem.de/news/zertifizierungsstelle-wosign-stellt-unberechtigtes…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-08-2016 18:00 − Tuesday 30-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Browser-based fingerprinting: implications and mitigations ***
---------------------------------------------
This post covers the information disclosure bugs in Internet Explorer and Edge that we sometimes refer to as fingerprinting. We review past ..
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fin…
*** Double-click me not: Malicious proxy settings in OLE Embedded Script ***
---------------------------------------------
Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/08/29/double-click-me-not-mal…
*** Background: Analyzed: Ransomware meets info-stealer - RAA and the thieving Pony ***
---------------------------------------------
As part of our "Analysiert:" series, this time a ransomware trojan's code gets taken apart: Olivia von Westernhagen examines the RAA trojan, implemented in JavaScript, which also carries password-stealing malware with it.
---------------------------------------------
http://heise.de/-3303113
*** Bizarre motive for cyber attack on presidential website in Sri Lanka ***
---------------------------------------------
17-year-old attacker demanded postponement of the school-leaving exams
---------------------------------------------
http://derstandard.at/2000043545769
*** Linux package manager: RPM development is chaotic ***
---------------------------------------------
Our author tried to report potential security vulnerabilities in the package manager RPM, which is used by Red Hat, Suse and other Linux distributions. But that was not at all ..
---------------------------------------------
http://www.golem.de/news/linux-paketmanager-rpm-entwicklung-verlaeuft-chaot…
*** The Hunt for Lurk ***
---------------------------------------------
In June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles. The story of Lurk gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects.
---------------------------------------------
http://securelist.com/analysis/publications/75944/the-hunt-for-lurk/
*** Ripper: ATM malware dispenses up to 40 banknotes ***
---------------------------------------------
Security researchers have discovered malware that is said to infect ATMs from three manufacturers at once. There are many indications that criminals were able to steal money worth more than 300,000 euros in Thailand with the help of the malware.
---------------------------------------------
http://www.golem.de/news/ripper-geldautomaten-malware-gibt-bis-zu-40-schein…
*** Linux servers hit with FairWare ransomware – or is it just a scam? ***
---------------------------------------------
Users posting on Bleeping Computer’s forums have alerted the world to a new threat targeting Linux server admins: the FairWare ransomware. Whether the ransomware actually ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/30/linux-fairware-ransomware/
*** Security of implantable medical technology: Pacemakers from St. Jude Medical are said to be hackable ***
---------------------------------------------
A no-holds-barred dispute: The US medical device manufacturer St. Jude Medical is feuding with the security specialist MedSec and the investment firm Muddy Waters Capital over the security of vital devices.
---------------------------------------------
http://heise.de/-3307510
*** 71,000 Minecraft World Map accounts leaked online after hack ***
---------------------------------------------
Dumped creds have been exposed since January. Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map.
---------------------------------------------
www.theregister.co.uk/2016/08/30/71000_minecraft_world_map_accounts_leak/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 26-08-2016 18:00 − Monday 29-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** VMSA-2016-0007.2 ***
---------------------------------------------
VMware NSX and vCNS product updates address a critical information disclosure vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0007.html
*** Another Day - Another Ransomware Sample ***
---------------------------------------------
Catching ransomware is pretty easy these days. I set up a procmail filter that will extract all e-mails with compressed JavaScript attachments. Whatever is ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21413
*** QNAP QTS Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Overwrite Arbitrary Files, and Inject Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1036699
*** Tips for Securing SSL Renegotiation ***
---------------------------------------------
A number of Internet connections require SSL renegotiation, a Secure Sockets Layer/Transport ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/tips-securing-ssl-renegotiation/
*** Amazon: Hacked seller accounts lure with bargains ***
---------------------------------------------
With particularly cheap items in the Amazon Marketplace, the supposed sellers try to handle the purchase outside the shop.
---------------------------------------------
http://futurezone.at/digital-life/amazon-gehackte-haendlerkonten-locken-mit…
*** Dropbox resets passwords from 2012 and earlier ***
---------------------------------------------
The cloud storage service is currently asking some users to reset their Dropbox password and choose a new one. The background is a data leak from 2012.
---------------------------------------------
http://heise.de/-3306240
*** Cybercriminals Select Insiders To Attack Telecom Providers ***
---------------------------------------------
An anonymous reader quotes a report from Help Net Security: Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, according to Kaspersky Lab. In addition, these ..
---------------------------------------------
https://tech.slashdot.org/story/16/08/27/0739204/cybercriminals-select-insi…
*** Opera warns Opera Sync users of possible security breach ***
---------------------------------------------
The Norwegian company warned users of the Opera Sync service of a possible security breach that might have exposed their data. On Friday, Opera published ..
---------------------------------------------
http://securityaffairs.co/wordpress/50690/data-breach/opera-sync-security-b…
*** Observatory: Mozilla offers security check for websites ***
---------------------------------------------
How secure is your own website? The test with a new tool from browser maker Mozilla could be sobering for many operators.
---------------------------------------------
http://www.golem.de/news/observatory-mozilla-bietet-sicherheitscheck-fuer-w…
*** Ransomware: Trojan Fantom fakes a critical Windows update ***
---------------------------------------------
A Windows update lulls users into a sense of security, the makers of the ransomware trojan Fantom probably thought. In this case, however, particular caution is called for.
---------------------------------------------
http://www.golem.de/news/ransomware-trojaner-fantom-gaukelt-kritisches-wind…
*** Exploits: Android manufacturers' drivers cause kernel vulnerabilities ***
---------------------------------------------
The number of attacks on the Linux kernel in Android is growing very strongly. By far the largest share of the known security vulnerabilities is found in the device drivers of the manufacturers, who are apparently overwhelmed by kernel maintenance.
---------------------------------------------
http://www.golem.de/news/exploits-treiber-der-android-hersteller-verursache…
*** Maintenance work Thursday, 1 September 2016, afternoon ***
---------------------------------------------
On Thursday, 1 September 2016, starting at about 13:00, we will carry out necessary maintenance work on our infrastructure. This will not lead to any outages of the externally ..
---------------------------------------------
http://www.cert.at/services/blog/20160829150342-1783.html
*** l+f: Password safe with holes ***
---------------------------------------------
After antivirus software, Google's security ace Tavis Ormandy now takes on password safes -- with similarly alarming results.
---------------------------------------------
http://heise.de/-3306993
*** ZDI-16-497: Apple OS X AppleHDA Buffer Overflow Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-497/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 25-08-2016 18:00 − Friday 26-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** OpenSSL protects against Sweet32 attack and dances ChaCha20 ***
---------------------------------------------
Version 1.1.0 clears out old, insecure crypto algorithms and in return supports more modern ones such as ChaCha20. The update also stops the Sweet32 attack on SSL/TLS and OpenVPN.
---------------------------------------------
http://heise.de/-3305647
*** Background: The iOS spyware Pegasus - taking stock ***
---------------------------------------------
The spyware Pegasus is shaking the iPhone world. How can I protect myself? Is the iOS security concept in ruins? Is this the end? An analysis of the known facts brings clarity.
---------------------------------------------
http://heise.de/-3305780
*** What's The Deal With Machine Learning? ***
---------------------------------------------
We've recently received quite a few questions regarding the use of machine learning techniques in cyber security. I figured it was time for a blog post. Interestingly, while I was writing this post, we got asked even more questions, so the timing couldn't be better. It seems that there are quite a few companies out...
---------------------------------------------
https://labsblog.f-secure.com/2016/08/26/whats-the-deal-with-machine-learni…
*** Floating Domains - Taking Over 20K DigitalOcean Domains via a Lax Domain Import System ***
---------------------------------------------
DigitalOcean is a cloud service provider similar to Amazon Web Services or Google Cloud. They offer cloud DNS hosting as one of their product lines - a nice guide on how to set up your domain to use their DNS can be found here. Take a moment to read it over and see if you can spot any potential issues with their domain name set up process.
---------------------------------------------
https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-dom…
*** 5 security practices hackers say make their lives harder ***
---------------------------------------------
Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them - or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks. At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed...
---------------------------------------------
http://www.cio.com/article/3112740/security/5-security-practices-hackers-sa…
*** iOS 9.3.5 ***
---------------------------------------------
This document describes the security content of iOS 9.3.5.
---------------------------------------------
https://support.apple.com/en-us/HT207107
*** F-Secure Policy Manager 12.00.67239 - Remote code execution by authenticated user ***
---------------------------------------------
The F-Secure Policy Manager client relies on Spring remoting to communicate with the server. Spring remoting uses Java serialization as transfer protocol. Spring internal mechanisms first deserialize before validating the deserialization class is authorized. That behavior leads to remote command execution if we are able to send objects present in the classpath that execute code when they are deserialized.
---------------------------------------------
https://remoteawesomethoughts.blogspot.com/2016/08/f-secure-policy-manager-…
*** PowerDNS Recursor 4.0.2 - Released August 26th 2016 ***
---------------------------------------------
This release fixes a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. [...] Further fixes and changes can be found below:...
---------------------------------------------
https://doc.powerdns.com/md/changelog/
*** VU#305607: Accellion Kiteworks contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#305607: Accellion Kiteworks contains multiple vulnerabilities. Original Release date: 26 Aug 2016 | Last revised: 26 Aug 2016. Overview: The Accellion Kiteworks appliance prior to version kw2016.03.00 contains multiple vulnerabilities. Description: CWE-276: Incorrect Default Permissions - CVE-2016-5662. The `/opt/bin/cli` script has setuid permissions by default, allowing an authenticated KiteWorks user to escalate privileges of commands to root. In practice, the user would...
---------------------------------------------
http://www.kb.cert.org/vuls/id/305607
*** AlienVault USM/OSSIM 5.2 conf/reload.php DOM-based XSS ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080229
*** FreePBX 13.0.35 Remote command execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080231
*** Apple libc incomplete fix of Security Update for OS X El Capitan 10.11.2 ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080232
*** OpenBSD SMTP Processing Bug in rfc2822_parser_init() May Let Remote Users Bypass Security Restrictions on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036691
*** DFN-CERT-2016-1391: OpenSSL: A vulnerability allows security measures to be bypassed and information to be spied out ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1391/
*** OpenVPN Blowfish Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases ***
---------------------------------------------
http://www.securitytracker.com/id/1036695
*** DSA-3651 rails - security update ***
---------------------------------------------
Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View in rails, a web application framework written in Ruby. Text declared as HTML safe will not have quotes escaped when used as attribute values in tag helpers.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3651
*** DSA-3654 quagga - security update ***
---------------------------------------------
Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing daemon.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3654
*** DSA-3653 flex - security update ***
---------------------------------------------
Alexander Sulfrian discovered a buffer overflow in the yy_get_next_buffer() function generated by Flex, which may result in denial of service and potentially the execution of code if operating on data from untrusted sources.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3653
*** DSA-3652 imagemagick - security update ***
---------------------------------------------
This update fixes many vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service or the execution of arbitrary code if malformed TIFF, WPG, RLE, RAW, PSD, Sun, PICT, VIFF, HDR, Meta, Quantum, PDB, DDS, DCM, EXIF, RGF or BMP files are processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3652
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 24-08-2016 18:00 − Thursday 25-08-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989060
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack Demo package on the Web Potential DLL Loading Code Execution Vulnerability (CVE-2016-5934) ***
---------------------------------------------
IBM Tivoli Storage Manager FastBack Demo package on the Web contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988908
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSL ***
---------------------------------------------
Vulnerabilities have been identified in OpenSSL. IBM Security Access Manager for Mobile uses OpenSSL and is affected by these vulnerabilities. CVE(s): CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988189
*** Hacked Email: Why Cyber Criminals Want to Get Into Your Inbox ***
---------------------------------------------
“I don’t care about getting hacked, there’s nothing valuable in my email” If I got a nickel ..
---------------------------------------------
https://heimdalsecurity.com/blog/hacked-email-why-cyber-criminals-want-inbo…
*** Example of Targeted Attack Through a Proxy PAC File, (Wed, Aug 24th) ***
---------------------------------------------
Yesterday, I discovered a nice example of targeted attack against a Brazilian bank. It started with an email sample like this: This message was sent to a ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21405
*** Bugtraq: WebKitGTK+ Security Advisory WSA-2016-0005 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539295
*** [2016-08-25] Multiple vulnerabilities in Micro Focus (Novell) GroupWise ***
---------------------------------------------
Micro Focus (Novell) GroupWise 2014 (up to R2 SP1) contains vulnerabilities that allow an attacker to take over user sessions by sending the victim a crafted email, take over administrator accounts or potentially compromise the system (heap based buffer overflow).
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SWEET32: Short cipher blocks cause collisions ***
---------------------------------------------
A new attack on TLS and VPN connections affects old encryption algorithms such as Triple-DES and Blowfish, which encrypt data in 64-bit blocks. The attack requires eavesdropping on many gigabytes of data and is therefore likely to be practical only rarely.
---------------------------------------------
http://www.golem.de/news/sweet32-kurze-verschluesselungsbloecke-sorgen-fuer…
*** Cisco ships security patches for NSA exploit ExtraBacon ***
---------------------------------------------
Admins no longer have to secure firewalls running the Adaptive Security Appliance (ASA) software by means of a workaround: Cisco plugs the vulnerability with fixed versions.
---------------------------------------------
http://heise.de/-3304688
*** Fake Bank Austria email: "Payment confirmation for monthly fee" ***
---------------------------------------------
Internet users receive a supposed notification from Bank Austria. It says that the newsletter and a prize draw cost EUR 39.99 per month. Customers are asked to confirm use of the service on a website. Recipients of the email must not do so, because otherwise they hand over access credentials to criminals.
---------------------------------------------
https://www.watchlist-internet.at/phishing/falsche-bank-austria-mail-zahlun…
*** Security Advisory - Resource Management Vulnerability in Huawei Servers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
*** Stolen devices to blame for many breaches in the financial services sector ***
---------------------------------------------
Bitglass performed an analysis of all breaches in the financial services sector since 2006, with data aggregated from public databases and government mandated disclosures. They found that leaks nearly doubled between ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/25/breaches-financial-services-sect…
*** Fake Verbund invoice spreads malware ***
---------------------------------------------
An invoice from the electricity provider Verbund turns up in the email inbox. Customers can view the payment request on the website "verbund-bill.com". Recipients must not do so, because otherwise they install malware on their computer. It renders the PC unusable. Criminals demand bitcoins to change that.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/falsche-verbund-re…
*** BMI warns: First pickpocketing of the iPhone, then phishing ***
---------------------------------------------
iPhones are increasingly being stolen in Austria. A scam is then used to disable the remote lock.
---------------------------------------------
http://futurezone.at/digital-life/bmi-warnt-erst-taschendiebstahl-von-iphon…
*** How the Consumer Product Safety Commission is (Inadvertently) Behind the Internet’s Largest DDoS Attacks ***
---------------------------------------------
The mission of the United States Government's Consumer Product Safety Commission (CPSC) is to protect consumers from injury by products. It's ironic then that the CPSC ..
---------------------------------------------
https://blog.cloudflare.com/how-the-consumer-product-safety-commission-is-i…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 23-08-2016 18:00 − Wednesday 24-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** The SWEET32 Issue, CVE-2016-2183 ***
---------------------------------------------
Today, Karthik Bhargavan and Gaetan Leurent from Inria have unveiled a new attack on Triple-DES, SWEET32, Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. It has been assigned CVE-2016-2183. This post gives a bit of background and describes what OpenSSL is doing. For more details, see their website.
---------------------------------------------
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
*** "Wildfire" Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free ***
---------------------------------------------
Intel Security and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/wildfire-ransomware-extinguished-tool-…
*** BSI publishes update to the top 10 threats for Industrial Control Systems ***
---------------------------------------------
The Federal Office for Information Security (BSI) therefore continuously monitors the threat situation for Industrial Control Systems. Since 2012, the BSI has summarized the most serious dangers and suitable countermeasures in the document "Industrial Control System Security - Top 10 Bedrohungen und Gegenmaßnahmen". For 2016, the office has now issued an update of the paper.
---------------------------------------------
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/infos/20160823_Update_…
*** NSA exploit ExtraBacon said to threaten significantly more Cisco firewalls ***
---------------------------------------------
Investigations by security researchers suggest that newer versions of the Cisco Adaptive Security Appliance (ASA) are also vulnerable.
---------------------------------------------
http://heise.de/-3303629
*** Privilege Escalation on Linux with Live examples ***
---------------------------------------------
Introduction: One of the most important phases during penetration testing or vulnerability assessment is Privilege Escalation. During that step, hackers and security researchers attempt to find out a way (exploit, bug, misconfiguration) to escalate between the system accounts. Of course, vertical privilege escalation is the ultimate goal. For many security researchers, this is a fascinating...
---------------------------------------------
http://resources.infosecinstitute.com/privilege-escalation-linux-live-examp…
*** Researchers see holes in Apple's iOS sandbox ***
---------------------------------------------
According to scientists, the iOS sandbox has "serious security vulnerabilities" that give apps access to user data that is actually denied to them - and allow interference with the system. Apple apparently wants to close the vulnerabilities with iOS 10.
---------------------------------------------
http://heise.de/-3304068
*** VMSA-2016-0013 ***
---------------------------------------------
VMware Identity Manager and vRealize Automation updates address multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0013.html
*** Moxa OnCell Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in Moxa's OnCell products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-236-01
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Weak Encryption Algorithm Vulnerability in Huawei Servers ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - XXE Vulnerability in the E9000 ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Uncontrolled Format String Vulnerability on Multiple Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Reset Password and Information Leak Vulnerabilities in Huawei UMA ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Two Command Injection Vulnerabilities in Huawei UMA ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
*** Security Advisory - Information Leak Vulnerability in Huawei FusionSphere Product ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160824-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 22-08-2016 18:00 − Tuesday 23-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: WordPress CVE-2016-6897 Cross Site Request Forgery Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92572
*** Juniper Acknowledges Equation Group Targeted ScreenOS ***
---------------------------------------------
Juniper Networks on Friday acknowledged that implants contained in the ShadowBrokers data dump target NetScreen firewalls running ScreenOS.
---------------------------------------------
http://threatpost.com/juniper-acknowledges-equation-group-exploits-target-s…
*** Obihai Patches Memory Corruption, DoS, CSRF Vulnerabilities in IP Phones ***
---------------------------------------------
Obihai Technology recently patched a slew of issues in its ObiPhone IP phone products that could have led to memory corruption, a buffer overflow, and denial of service conditions, among other outcomes.
---------------------------------------------
http://threatpost.com/obihai-patches-memory-corruption-dos-csrf-vulnerabili…
*** Vuln: PHP php_quot_print_encode() Function Integer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92588
*** shellray. a php webshell detector ***
---------------------------------------------
nimbusec shellray is a free online webshell detector for .php files.
---------------------------------------------
https://shellray.com/de/
*** Voice Message Notifications Deliver Ransomware ***
---------------------------------------------
Bad guys need to constantly find new ways to lure their victims. If billing notifications were very common for a while, not all people in a company are working ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21397
*** Security Notice - Statement About Toolkit Released by Shadow Brokers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160823-01-…
*** 'Security check' for Bank Austria customers ***
---------------------------------------------
A fake Bank Austria e-mail is in circulation. In it, criminals claim that customers must carry out a security check. For this ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/sicherheits-check-bei-bank-austr…
*** Sandscout: Attack on Apple's sandbox ***
---------------------------------------------
In security comparisons with Android, iOS usually comes off better. In a recent experiment, however, researchers managed to carry out a successful attack on the sandboxing feature of iOS apps.
---------------------------------------------
http://www.golem.de/news/sandscout-angriff-auf-apples-sandkasten-1608-12285…
*** Timing of Browser-Based Security Alerts Could Be Better ***
---------------------------------------------
New academic research shows that security warnings should be better timed to pop up when computer users are less likely to be multitasking.
---------------------------------------------
http://threatpost.com/timing-of-browser-based-security-alerts-could-be-bett…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 19-08-2016 18:00 − Monday 22-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Shadow Brokers Release of Hacking Code ***
---------------------------------------------
Juniper responds to hacking code released by The Shadow Brokers.
---------------------------------------------
https://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Rel…
*** Cisco ASA SNMP Remote Code Execution Vulnerability, (Sun, Aug 21st) ***
---------------------------------------------
Looking back through all the vulnerabilities announced this week, one caught my eye. CVE-2016-6366 is a vulnerability in the Cisco ASA products which could allow a remote attacker to remotely execute code. This vulnerability is part of the Equation Group disclosures and was not previously known by Cisco. The vulnerability is in the SNMP code on the ASA and would allow an attacker with knowledge of the SNMP community string to send crafted IPv4 SNMP traffic which could be used to reload the system...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21389&rss
*** I got the power - over your IoT power-point ***
---------------------------------------------
It never gets better, does it? The latest "your IoT security is rubbish" takes the world one step closer to "burn it all and try again": a "smart" electrical outlet that's actually a whole-of-network attack vector.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/22/i_got_the_p…
*** How to get your network and security teams working together ***
---------------------------------------------
It's not surprising that network and security teams aren't always on the same page. After all, networks need to be fast and efficient, while security is about slowing things down and implementing extra steps to help meet security measures. While both teams are a part of the IT department, and need to work together in the event of a breach, each group has its own objectives and expectations. But when a data breach or security threat strikes, businesses need both teams working together to help get...
---------------------------------------------
http://www.cio.com/article/3110264/careers-staffing/how-to-get-your-network…
*** Threat intelligence report for the telecommunications industry ***
---------------------------------------------
The telecoms sector is under fire on all sides - hit by direct attacks on organizations and networks, indirect attacks in search of subscribers, and collateral damage from unrelated, targeted campaigns. This report reveals the many layers of vulnerability.
---------------------------------------------
http://securelist.com/analysis/publications/75846/threat-intelligence-repor…
*** Open sourced: Cyber reasoning system that won third place in DARPA's Cyber Grand Challenge ***
---------------------------------------------
Earlier this month, the DARPA-backed Cyber Grand Challenge (CGC) has shown that a future in which computer systems will (wholly or partially) replace bug hunters and patchers looms near. Now, the team that has won third place in the contest - Shellphish of Santa Barbara, California - has open sourced many of the components of its winning Mechanical Phish cyber reasoning system. But individuals and teams interested in testing and advancing the system will have...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/22/cyber-reasoning-system/
*** Finding and Enumerating Processes within Memory-Part 3 ***
---------------------------------------------
Continuing with the series, in this article, we will learn about enumeration of important structures like heaps, environment variables, DLLs pointed by main PEB. Just to recap in the previous two articles, we have looked at the way of finding the processes within memory and then enumerated structures like Page Tables, VADs, and PEB. Dynamic...
---------------------------------------------
http://resources.infosecinstitute.com/finding-enumerating-processes-within-…
*** Announcing the Heimdal Cyber Security Glossary ***
---------------------------------------------
Not too long ago, I was a total newbie in the cyber security field. Although I understood some of the basics, there was an entire universe for me to explore, from concepts to how they translate into action. What I found most baffling in the beginning were some of the technical terms. Of course I...
---------------------------------------------
https://heimdalsecurity.com/blog/heimdal-cyber-security-glossary/
*** Young European white hat hackers meet for the 2nd Cyber Security Challenge competition ***
---------------------------------------------
On the 7th of November, young European white hat hackers will meet at Düsseldorf to measure their skills in attacking and defending computer systems.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/young-european-white-hat-hacker…
*** Bugtraq: [security bulletin] HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539280
*** Vuln: MatrixSSL Multiple Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/91488
*** ZDI-16-487: AVG Internet Security avgtdix.sys Kernel Driver Untrusted Pointer Dereference Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on vulnerable installations of AVG Internet Security. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-487/
*** Security Advisory: Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16347.htm…
*** Self Service Password Reset 3.3.1.6 ***
---------------------------------------------
Abstract: These files contain all updates made to SSPR 3.3.1 since the release of SSPR 3.3.1. This is a complete build of SSPR. SSPR 3.3.1 Patch 6 includes several new fixes. It also includes a security fix which was originally included in SSPR 3.3.1 HF2. Without this fix SSPR is vulnerable to a cross-site-scripting (XSS) attack (CVE-2016-1599, reported by Tom Ravenscroft of Datacom TSS). For more details see TID # 7017399 at https://www.netiq.com/support/kb/doc.php?id=7017399. It is mandatory...
---------------------------------------------
https://download.novell.com/Download?buildid=AYDcXUSlNzI~
*** WordPress 4.5.3 - Authenticated Denial of Service (DoS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8606
*** Newtec Satellite Modem MDM6000 2.2.5 Cross-Site Scripting Vulnerability ***
---------------------------------------------
Newtec Satellite Modem MDM6000 suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5359.php
*** Sakai 10.7 Multiple Vulnerabilities ***
---------------------------------------------
Sakai suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Also there is a file disclosure vulnerability when calling custom tool script. It is not properly verified before being used to read files. This can be exploited to disclose...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php
*** tcPbX - (tcpbx_lang) Local File Inclusion ***
---------------------------------------------
Topic: tcPbX - (tcpbx_lang) Local File Inclusion Risk: Medium Text: Vulnerable hardware : tcpbx voip distro Vendor : www.tcpbx.org Author : Ahmed sultan (@0x4148) Email : 0x4148(a)gmail.com ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080196
*** ZYCOO IP Phone System - Remote Command Execution ***
---------------------------------------------
Topic: ZYCOO IP Phone System - Remote Command Execution Risk: High Text: Vulnerable hardware : ZYCOO IP phone system Vendor : zycoo.com Author : Ahmed sultan (@0x4148) Email : 0x4148(a)gmail.com ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080195
*** C2S DVR Management Remote Credentials Disclosure & Authentication Bypass ***
---------------------------------------------
Topic: C2S DVR Management Remote Credentials Disclosure & Authentication Bypass Risk: High Text: 1. Advisory Information = Title : C2S DVR Management Remote Credentials Disclosure & Authentic...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080192
*** IP-Camera Vulnerabilities ***
---------------------------------------------
*** MESSOA NIC990 IP-Camera auth bypass configuration download ***
https://cxsecurity.com/issue/WLB-2016080194
---------------------------------------------
*** TOSHIBA IK-WP41A IP-Camera auth bypass configuration download ***
https://cxsecurity.com/issue/WLB-2016080193
---------------------------------------------
*** JVC IP-Camera (VN-T216VPRU) Remote Credentials Disclosure ***
https://cxsecurity.com/issue/WLB-2016080191
---------------------------------------------
*** Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Remote Credentials Disclosure ***
https://cxsecurity.com/issue/WLB-2016080190
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 18-08-2016 18:00 − Friday 19-08-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** 18 years of predictable random numbers in GnuPG ***
---------------------------------------------
For a long time a security vulnerability lay dormant in Libgcrypt, the crypto library of the GnuPG project. Fortunately, it appears that users will be spared a large-scale replacement of PGP keys.
---------------------------------------------
http://heise.de/-3300159
*** News from Locky: the ransomware trojan is now attacking hospitals en masse ***
---------------------------------------------
The masterminds behind Locky are shifting from arbitrary internet users to companies. Hospitals in particular have proven to be a lucrative target.
---------------------------------------------
http://heise.de/-3300555
*** Doctor Web discovers self-spreading Linux Trojan that can create P2P botnets ***
---------------------------------------------
August 19, 2016 The Linux operating system remains a major target for virus makers. Doctor Web's security researchers have examined yet another Trojan for Linux written in the Go programming language. This malware program attacks web servers that use various CMS, performs DDoS attacks, sends out spam messages, and distributes itself over networks. The new Trojan, named Linux.Rex.1, was first spotted by Kernelmode forum users who referred to this malware as "Drupal ransomware"...
---------------------------------------------
http://news.drweb.com/show/?i=10157&lng=en&c=9
*** Ransomware trojan Cerber arms itself against decryption tools ***
---------------------------------------------
Check Point's and Trend Micro's free decryption tools can no longer free data from the clutches of the current version of the encryption trojan Cerber.
---------------------------------------------
http://heise.de/-3300589
*** Severe vulnerability in Teamspeak server disclosed ***
---------------------------------------------
Attackers can use the current version of the Teamspeak server to inject malicious code and execute it on the server. Because the security researcher who discovered the vulnerability did not inform the developers beforehand, there is currently no patch.
---------------------------------------------
http://heise.de/-3300608
*** Pixpocket: how the NSA could have spied on VPNs ***
---------------------------------------------
The Shadow Brokers data set possibly provides information on how the NSA was able to eavesdrop on VPN connections. The vulnerability has similarities to Heartbleed.
---------------------------------------------
http://www.golem.de/news/pixpocket-so-haette-die-nsa-vpns-ausspionieren-koe…
*** DFN-CERT-2016-1359: PHP: Multiple vulnerabilities allow, among other things, the execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1359/
*** Bugtraq: Horizontal Privilege Escalation/Code Injection in ownCloud's Windows Client ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539269
*** Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the handling of Secure Shell (SSH) TCP packets in the Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to low memory on the device. The vulnerability is due to the handling of out-of-order, or otherwise invalid, TCP packets on an SSH connection to the device. An attacker could exploit this vulnerability by connecting via SSH to the device and then crafting TCP packets which are out of
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Navis WebAccess SQL Injection Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting Navis WebAccess application. This report was released by "bRpsd" without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to the affected vendor to validate the report. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to this and other cybersecurity attacks.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-230-01
*** IBM Security Bulletin: IBM Connections Security Update ***
---------------------------------------------
IBM Connections Security Update for multiple CVEs. There are multiple vulnerabilities in IBM Connections, see details below for remediation information. CVE(s): CVE-2016-2995, CVE-2016-2997, CVE-2016-2998, CVE-2016-3005, CVE-2016-3010 Affected product(s) and affected version(s): The following versions of IBM Connections are impacted: IBM Connections 5.5 IBM Connections 5.0 IBM Connections 4.5 IBM Connections 4.0 Refer to the following...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988991
*** IBM Security Bulletin: The IBM BigFix Platform has a Cross-Site Scripting vulnerability (CVE-2016-0293 ) ***
---------------------------------------------
A .beswrpt can be injected/modified to contain malicious JavaScript CVE(s): CVE-2016-0293 Affected product(s) and affected version(s): 9.0, 9.1, 9.2 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21985743 X-Force Database:...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21985743
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 17-08-2016 18:00 − Thursday 18-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Firepower Management Center Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web-based GUI of Cisco Firepower Management Center and Cisco Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services could allow an authenticated, remote attacker to perform unauthorized remote command execution on the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Enterprise Module Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the Grapevine update process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Afterworks – Best of Summer of Security Conferences ***
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-best-of-summer-of-s…
*** Cookie Parser Buffer Overflow Vulnerability ***
---------------------------------------------
FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result ..
---------------------------------------------
http://fortiguard.com/advisory/cookie-parser-buffer-overflow-vulnerability
*** Browser Address Bar Spoofing Vulnerability Disclosed ***
---------------------------------------------
Chrome, Firefox and likely other major browsers are afflicted by a vulnerability that allows attackers to spoof URLs in the address bar.
---------------------------------------------
http://threatpost.com/browser-address-bar-spoofing-vulnerability-disclosed/…
*** Panelizer - Moderately Critical - Access Bypass - SA-CONTRIB-2016-048 ***
---------------------------------------------
https://www.drupal.org/node/2785687
*** Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047 ***
---------------------------------------------
https://www.drupal.org/node/2785631
*** Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046 ***
---------------------------------------------
https://www.drupal.org/node/2785531
*** Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Patches ASA Zero Days Exposed by ShadowBrokers ***
---------------------------------------------
Cisco today patched two vulnerabilities in its Adaptive Security Appliance that were leaked in the ShadowBrokers data dump of Equation Group exploits.
---------------------------------------------
http://threatpost.com/cisco-patches-asa-zero-days-exposed-by-shadowbrokers/…
*** 1 compromised site - 2 campaigns, (Thu, Aug 18th) ***
---------------------------------------------
Earlier today, I ran across a compromised website with injected script from both the pseudo-Darkleech campaign and the EITest campaign. This is similar to another compromised site I reported back in June ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21381
*** DSA-3649 gnupg - security update ***
---------------------------------------------
Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3649
*** Bitcoin targeted by state sponsored attackers says Bitcoin.org ***
---------------------------------------------
Bitcoin Core devs don't know about threat, advise usual signatures and hash checks Update Bitcoin.org is warning that the Bitcoin Core, the as-close-to-official-as-it-gets version of ..
---------------------------------------------
www.theregister.co.uk/2016/08/18/bitcoin_targeted_by_state_sponsored_attack…
*** PayPal patches 2FA portal bug ***
---------------------------------------------
Attacker could log in to account without triggering confirmation text PayPal has patched a two-factor authentication (2FA) bug that could have let an attacker bypass its login processes.
---------------------------------------------
www.theregister.co.uk/2016/08/18/paypal_patches_2fa_portal_bug/
*** If this headline was a security warning 90% of you would ignore it ***
---------------------------------------------
Boffins find interrupting users with pop-ups in the middle of things just doesn't work Developers, advertisers, and scammers be warned; boffins say your pop ups will be almost universally ignored if they interrupt users.
---------------------------------------------
www.theregister.co.uk/2016/08/18/coding_pop_ups_hit_em_when_theyre_idling_u…
*** Counterfeit software: Bitcoin feels attacked by states ***
---------------------------------------------
Manipulated Bitcoin software? The project apparently assumes so. In a blog post, the makers warn of state attacks on the upcoming release. The project also gives advice to users.
---------------------------------------------
http://www.golem.de/news/gefaelschte-software-bitcoin-fuehlt-sich-durch-sta…
*** Let's Encrypt ups rate limits ***
---------------------------------------------
20 is plenty Let's Encrypt has revised its rate limits to make life easier for large organisations and hosting providers who use its services.
---------------------------------------------
www.theregister.co.uk/2016/08/18/lets_encrypt_clarifies_rate_limit_rules/
*** The Shadow Brokers EPICBANANAS and EXTRABACON Exploits ***
---------------------------------------------
On August 15th, 2016, Cisco was alerted to information posted online by the “Shadow Brokers”, which claimed to possess disclosures from the Equation Group. The files included exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls.
---------------------------------------------
https://blogs.cisco.com/security/shadow-brokers
*** Locky Targets Hospitals In Massive Wave Of Ransomware Attacks ***
---------------------------------------------
A massive wave of Locky ransomware delivered via DOCM attachments is targeting the healthcare sector this month.
---------------------------------------------
http://threatpost.com/locky-targets-hospitals-in-massive-wave-of-ransomware…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 16-08-2016 18:00 − Wednesday 17-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SQL Injection Vulnerability in Ninja Forms ***
---------------------------------------------
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.
---------------------------------------------
https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html
*** PMASA-2016-38 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-38/
*** PMASA-2016-34 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-34/
*** PMASA-2016-39 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-39/
*** PMASA-2016-43 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-43/
*** PMASA-2016-54 ***
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2016-54/
*** PGP admins: Kill short keys now, or Alice will become Chuck ***
---------------------------------------------
Someone's impersonating the likes of Linus Torvalds with attacks via keyservers The issue of short ..
---------------------------------------------
www.theregister.co.uk/2016/08/17/pgp_admins_kill_short_keys_now_or_alice_wi…
*** Snowden: NSA leak by hackers is a "Russian message" to the USA ***
---------------------------------------------
The NSA whistleblower insinuates that Russian hackers want to use it to soften the reaction to the break-in at the Democrats
---------------------------------------------
http://derstandard.at/2000042924155
*** Maintenance work Thursday, 18 August 2016, afternoon ***
---------------------------------------------
On Thursday, 18 August 2016, in the afternoon, we have to carry out urgent maintenance work on our infrastructure. This will lead to brief outages of the externally reachable services (e.g. email, web server, mailing lists) - no data (e.g. emails) will be lost in the process, which ..
---------------------------------------------
http://www.cert.at/services/blog/20160817111811-1777.html
*** VxWorks: Execute My Packets ***
---------------------------------------------
Earlier this year we reported 3 vulnerabilities in VxWorks to Wind River. Each of these vulnerabilities can be exploited by anonymous remote attackers on the same ..
---------------------------------------------
https://blog.exodusintel.com/2016/08/09/vxworks-execute-my-packets/
*** Security concerns: providers and activists united against router lockdown ***
---------------------------------------------
In Austria, too, router firmware is to be regulated in future. Activists and ISPs criticise the planned rules. These assumed that there would be no security vulnerabilities in routers.
---------------------------------------------
http://www.golem.de/news/sicherheitsbedenken-provider-und-aktivisten-verein…
*** New wave of targeted attacks focus on industrial organizations ***
---------------------------------------------
Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. Dubbed Operation ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/17/operation-ghoul/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 12-08-2016 18:00 − Tuesday 16-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hacker published further documents of the US Democrats ***
---------------------------------------------
Including personal mobile phone numbers and e-mail addresses of almost 200 lawmakers
---------------------------------------------
http://derstandard.at/2000042820320
*** Olympics: hacker attack on doping informant Stepanowa ***
---------------------------------------------
http://derstandard.at/2000042830707
*** CVE-2016-5696 and its effects on Tor ***
---------------------------------------------
tl;dr: This vulnerability is quite serious, but it doesn't affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.
---------------------------------------------
https://blog.patternsinthevoid.net/cve-2016-5696-and-its-effects-on-tor.html
*** Forensics tool: researchers recover content from Whatsapp and Signal ***
---------------------------------------------
With the help of an app, law enforcement agencies are to have the contents of messenger apps ..
---------------------------------------------
http://www.golem.de/news/forensik-tool-forscher-stellen-inhalte-von-whatsap…
*** Pokemon Go ransomware encrypts, extorts and snoops ***
---------------------------------------------
Behind a fake version of the smartphone game PokemonGo for PCs is a ransomware trojan that is after users' data.
---------------------------------------------
http://heise.de/-3294543
*** User gets Windows scammer to install ransomware ***
---------------------------------------------
User turns the tables and provides a deterrent for support fakers
---------------------------------------------
http://derstandard.at/2000042856802
*** Encryption: e-mails about Veracrypt audit vanish without a trace ***
---------------------------------------------
An audit is to check whether the Truecrypt successor Veracrypt has security vulnerabilities. The initiative's organisers report that the attempt is being sabotaged - e-mails are said to be disappearing without a trace.
---------------------------------------------
http://www.golem.de/news/geplanter-audit-mails-zu-veracrypt-audit-verschwin…
*** Exploit kit shakedown: RIG EK grabs Neutrino EK campaigns ***
---------------------------------------------
Something unusual happened in the exploit kit ecosystem. Two well-known malware distribution campaigns switched from Neutrino EK to RIG EK. A temporary ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016…
*** Hackers claim to have stolen NSA espionage tools ***
---------------------------------------------
Security researchers assume the leak is authentic; hackers announce an "auction"
---------------------------------------------
http://derstandard.at/2000042884275
*** BlackBerry also plugs the fourth Quadrooter vulnerability ***
---------------------------------------------
Three of the vulnerabilities disclosed at BlackHat USA had already been fixed with the monthly security update. BlackBerry is now closing the fourth with a hotfix.
---------------------------------------------
http://heise.de/-3295312
*** The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group? ***
---------------------------------------------
This week a hacker group going by the name The Shadow Brokers has surfaced and appears to be auctioning off computer exploits it claims are stolen from the Equation ..
---------------------------------------------
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-sh…
*** Shade: not by encryption alone ***
---------------------------------------------
Malefactors continue to expand the features of ransomware as they try to extract maximum benefit from the compromise of infected computers. We recently found an interesting example of such an 'upgrade': a new logic in the latest ..
---------------------------------------------
https://securelist.com/blog/research/75645/shade-not-by-encryption-alone/
*** Job applications spread malware ***
---------------------------------------------
Criminals approach companies with purported job application letters and ask the ..
---------------------------------------------
https://www.watchlist-internet.at/schadsoftware/bewerbungen-verbreiten-scha…
*** Secunia Research: Bad statistics lead to a false impression of security ***
---------------------------------------------
Secunia Research looked at how well users maintain their systems. The good news: Windows is usually kept up to date. The bad news: With ..
---------------------------------------------
http://www.golem.de/news/secunia-research-mit-schlechten-statistiken-zum-fa…
*** Microsoft changes patch system for older Windows versions ***
---------------------------------------------
In future, patch packages are to be released once a month and also include older fixes
---------------------------------------------
http://derstandard.at/2000042906045
*** Detection and Prevention of DNS Anomalies ***
---------------------------------------------
Malware and Botnets have been a threat to systems and networks for several years. The usual methods of detecting a virus with a local virus scanner or their spreading with intrusion detection system (IDS) will not mitigate the ..
---------------------------------------------
http://resources.infosecinstitute.com/detection-prevention-dns-anomalies/
*** P@55w0rd5 - Blessing or curse? ***
---------------------------------------------
By now, everybody has passwords for something, just like keys to different doors. The more doors you have to unlock, the bigger your keychain is going to be. This in turn ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/28917-p-55w0rd5-blessing-or-curse
*** The purring of a hard disk gives away secrets ***
---------------------------------------------
By analyzing the sounds of accesses to a hard disk, security researchers read data from a computer to which they have no direct access.
---------------------------------------------
http://heise.de/-3295965
*** Cerber ransomware earns $2.3mil with 0.3% response rate ***
---------------------------------------------
The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber ..
---------------------------------------------
http://www.cio.com/article/3108368/cyber-attacks-espionage/cerber-ransomwar…
*** Microsoft Authenticator: Two-way authentication app comes to Android and iOS ***
---------------------------------------------
Microsoft has also released its new authorization app Authenticator for Android and iOS. It lets users additionally secure sign-ins on a PC. Conveniently, multiple accounts can be used, including those of services that Microsoft does not offer itself.
---------------------------------------------
http://www.golem.de/news/microsoft-authenticator-zweiwege-authentifizierung…
*** CEO fraud: German automotive supplier Leoni defrauded of millions ***
---------------------------------------------
The German automotive supplier Leoni has fallen victim to a fraud worth millions. The as yet unknown perpetrators ..
---------------------------------------------
http://derstandard.at/2000042922341-406
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 11-08-2016 18:00 − Friday 12-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** An ATM hack and a PIN-pad hack show chip cards aren't impervious to fraud ***
---------------------------------------------
The good news? Hacks are limited for now. The bad news? Hackers will get better.
---------------------------------------------
http://arstechnica.com/security/2016/08/an-atm-hack-and-a-pin-pad-hack-show…
*** Four free tools for handling Amazon Web Services security incident response ***
---------------------------------------------
Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier. Obtaining forensic evidence is different, primarily because security pros can't obtain physical access to the machines on which their AWS instances are running.
---------------------------------------------
http://www.cio.com/article/3106302/security/four-free-tools-for-handling-am…
*** Looking for the insider: Forensic Artifacts on iOS Messaging App, (Thu, Aug 11th) ***
---------------------------------------------
Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc. However, sometimes the threat may come from the inside. In fact, it is not so uncommon to have disloyal/disgruntled employees exfiltrating information from the company (e.g. Intellectual Property to competitors, confidential information to the press, etc.). In such situations, a full forensics analysis of the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21363&rss
*** Decrypting Chimera ransomware ***
---------------------------------------------
We take a technical look at validating the leaked Chimera ransomware keys as well as if we can decrypt files with these keys.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomw…
*** Ransomware Decryption Tools ***
---------------------------------------------
IMPORTANT! Before downloading and starting the solution, read the how-to guide. Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
---------------------------------------------
https://www.nomoreransom.org/decryption-tools.html
*** Analyzing and Cleaning Hijacked Google SEO Spam Results ***
---------------------------------------------
Blackhat SEO spam comes in many forms, and one of the most nefarious is hijacked search results. This happens when search engines crawl and display unwanted content in the title and description of infected web pages. The negative impact to the infected website cannot be understated. This harms the website's reputation with visitors and will...
---------------------------------------------
https://blog.sucuri.net/2016/08/cleaning-hijacked-google-seo-spam-results.h…
*** Microsoft's compromised Secure Boot implementation ***
---------------------------------------------
There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation. Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so...
---------------------------------------------
http://mjg59.dreamwidth.org/44223.html
*** Security fixes available for Ruby on Rails ***
---------------------------------------------
The updates prevent cross-site scripting attacks via html_safe in major versions 3, 4 and 5, as well as the possibility of manipulating queries in Rails 4.2.x.
---------------------------------------------
http://heise.de/-3293426
*** This is strictly a violation of the TCP specification ***
---------------------------------------------
I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error. 522 error on CloudFlare indicates a connection issue between our edge server and the...
---------------------------------------------
https://blog.cloudflare.com/this-is-strictly-a-violation-of-the-tcp-specifi…
*** Finding and Enumerating Processes within Memory: Memory and Volatility ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-wit…
*** VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#301735 ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials Original Release date: 12 Aug 2016 | Last revised: 12 Aug 2016 Overview The ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-5081 According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet.
---------------------------------------------
http://www.kb.cert.org/vuls/id/301735
*** HPSBHF03440 rev.1 - HPE iLO 3 using JQuery, Remote Cross-Site Scripting (XSS) ***
---------------------------------------------
A potential security vulnerability in JQuery was addressed by HPE Integrated Lights-Out 3. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05232730
*** HPSBGN03630 rev.2 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed in the AdminUI of HP Operations Manager for Unix, Solaris and Linux. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr…
*** IDM 4.5 SOAP Driver Version 4.0.0.4 ***
---------------------------------------------
Abstract: Patch update for the Novell Identity Manager SOAP driver. The patch will take the driver version to 4.0.0.4. You must have IDM 4.0.2 or later to use this driver.
Document ID: 5251690
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: IDM45_SOAP_4004.zip (161.66 kB)
Products: Identity Manager 4.5
Superseded Patches: IDM 4.5 SOAP Driver Version 4.0.0.3
---------------------------------------------
https://download.novell.com/Download?buildid=95cHErCKIOQ~
*** F5 Security Advisory: libssh2 vulnerability CVE-2016-0787 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21531693.html?…
*** F5 Security Advisory: TMM vulnerability CVE-2016-5023 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/19/sol19784568.html?…
*** VU#332115: D-Link routers contain buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#332115 D-Link routers contain buffer overflow vulnerability Original Release date: 11 Aug 2016 | Last revised: 11 Aug 2016 Overview D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attack to execute arbitrary code. Description CWE-121: Stack-based Buffer Overflow - CVE-2016-5681 A stack-based buffer overflow occurs in the function within the cgibin binary which validates the session cookie. This function is used by a service...
---------------------------------------------
http://www.kb.cert.org/vuls/id/332115
*** Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privileged simple network management protocol vulnerability in Rockwell Automation's MicroLogix 1400 programmable logic controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-224-01
*** DSA-3646 postgresql-9.4 - security update ***
---------------------------------------------
Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database system.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3646
*** FortiVoice 5.0 Filter Bypass & Persistent Web Vulnerabilities ***
---------------------------------------------
A vulnerability in FortiVoice 5.0 web-application could allow malicious script to be injected in the affected module; this potentially enables XSS attacks.
---------------------------------------------
http://fortiguard.com/advisory/fortivoice-5-0-filter-bypass-persistent-web-…
*** Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP table and eventually cause a reload of the affected device. The vulnerability is due to improper processing of illegal ARP packets. An attacker could exploit this vulnerability by sending crafted ARP packets to be processed by an affected device. An exploit could allow the attacker to...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21987903
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988350
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000178
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987636
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987638
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2016-1283, CVE-2016-3191) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985982
---------------------------------------------
Next End-of-Shift report: 2016-08-16
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 10-08-2016 18:00 − Thursday 11-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security researchers hijack HTTP connections of Linux ***
---------------------------------------------
A vulnerability in the Linux kernel endangers TCP connections. Under certain conditions, security researchers were able to insert themselves into connections and, for example, shut them down and even manipulate them.
---------------------------------------------
http://heise.de/-3292257
*** Bing.VC Hijacks Browsers Using Legitimate Applications ***
---------------------------------------------
Browser hijackers are a type of malware that modifies a web browser's settings without the user's permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/bing-vc-hijacks-browser-using-legitima…
*** Profiling SSL Clients with tshark, (Wed, Aug 10th) ***
---------------------------------------------
Cisco recently published a paper showing how malicious SSL traffic sometimes uses very specific SSL options. Once you know what set of SSL options to look for, you will then be able to identify individual pieces of malware without having to decrypt the SSL traffic. (and before anybody complains: SSL does include TLS. I am just old fashioned that way) I wanted to see how well this applies to HTTPS traffic hitting the ISC website. I collected about 100 MB of traffic, which covered client hello...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21361&rss
*** Python-based TLS tester tool ***
---------------------------------------------
We at Oulu University Secure Programming Group, OUSPG for short, have been developing a neat little gadget called TryTLS. It is a systematic tester tool that checks the safety of TLS libraries. We think we have something of value here, as certificate handling is a very complex and overlooked issue. The tool and info on how to get started can be found here: https://github.com/ouspg/trytls We would really value your input if you could think of some good backends, tests or other resources that...
---------------------------------------------
http://www.reddit.com/r/netsec/comments/4x1z36/pythonbased_tls_tester_tool/
*** Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers ***
---------------------------------------------
An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself on the new...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/WKFxUVtVPG0/linux-trojan-mi…
*** CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS ***
---------------------------------------------
The HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical. In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/11/compression-oracle-attacks-https/
*** Volkswagen hack: Unlocking 100 million cars with an Arduino ***
---------------------------------------------
With an Arduino and hardware worth 40 US dollars, almost all models of the VW Group from the past 15 years can be unlocked - say security researchers. The company has acknowledged the flaw. 14 other car manufacturers are affected.
---------------------------------------------
http://www.golem.de/news/hack-mit-dem-arduino-100-millionen-autos-oeffnen-1…
*** Road Warriors: Beware of "Video Jacking" ***
---------------------------------------------
A little-known feature of many modern smartphones is their ability to duplicate video on the device's screen so that it also shows up on a much larger display -- like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping. Dubbed "video jacking" by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the...
---------------------------------------------
http://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/
*** EyeLock nano NXT 3.5 Remote Root Exploit ***
---------------------------------------------
EyeLock's nano NXT firmware latest version 3.5 (released 25.07.2016) suffers from multiple unauthenticated command injection vulnerabilities. The issue lies within the rpc.php script located in the /scripts directory and can be triggered when user supplied input is not correctly sanitized while updating the local time for the device and/or get info from remote time server. The vulnerable script has two REQUEST parameters timeserver and localtime that are called within a shell_exec() function for...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
*** EyeLock nano NXT 3.5 Local File Disclosure Vulnerability ***
---------------------------------------------
nano NXT suffers from a file disclosure vulnerability when input passed thru the path parameter to logdownload.php script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php
*** EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation ***
---------------------------------------------
The application suffers from an unquoted search path issue impacting the service MyrisService for Windows deployed as part of Myris solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php
*** Bugtraq: [CORE-2016-0006] - SAP CAR Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539180
*** SSA-378531 (Last Update 2016-08-11): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531…
*** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8022 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/12/sol12401251.html?…
*** Security Advisory: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10133477.html?…
*** Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the driver processing functions of Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a memory leak on the route processor (RP) of an affected device, which could cause the device to drop all control-plane protocols and lead to a denial of service condition (DoS) on a targeted system. The vulnerability is due to improper handling of crafted, fragmented packets that
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP Phone 8800 Series Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web application of the Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to perform a stored, cross-site scripting (XSS) attack. The vulnerability is due to insufficient sanitization of parameter values. An attacker could exploit this vulnerability by storing malicious code on a device and waiting for a user to access a web page that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code in the context of
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Connected Streaming Analytics Unauthorized Access Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco Connected Streaming Analytics could allow an authenticated, remote attacker to obtain sensitive information. The vulnerability is due to the inclusion of sensitive information in a server response when certain pages of the administrative web interface are accessed. An authenticated attacker who can view the affected configuration page of an affected system could obtain a service password used for event and report notification. This
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988019
---------------------------------------------
*** IBM Security Bulletin: IBM API Connect server credentials used for a specific restricted scenario may have been exposed (CVE-2016-3012) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988212
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Common Reporting (TCR) 2016Q2 Security Updater : IBM Tivoli Common Reporting is affected by multiple vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986669
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: IBM Connections Security Refresh for CVE-2016-0310 ***
http://www.ibm.com/support/docview.wss?uid=swg21988338
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Refresh for CVE-2016-0305, CVE-2016-0307, CVE-2016-0308 ***
http://www.ibm.com/support/docview.wss?uid=swg21986770
---------------------------------------------
*** IBM Security Bulletin: Flexara InstallShield vulnerability affects IBM Mobile Connect (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21986258
---------------------------------------------
*** IBM Security Bulletin: IBM Active Content Filtering Vulnerability impacts IBM Docs (CVE-2016-0243) ***
http://www.ibm.com/support/docview.wss?uid=swg21986626
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 09-08-2016 18:00 − Wednesday 10-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fixing an Internet Security Threat ***
---------------------------------------------
A weakness in the Transmission Control Protocol (TCP) of all Linux operating systems since late 2012 enables attackers to hijack users' Internet communications completely remotely, researchers said.
---------------------------------------------
http://www.isssource.com/fixing-an-internet-security-threat/
*** August 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library.
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/08/09/august-2016-security-up…
*** Microsoft Patch Tuesday, August 2016, (Tue, Aug 9th) ***
---------------------------------------------
Today, Microsoft released a total of 9 security bulletins. 5 of the bulletins are rated critical, the rest are rated important. You can find our usual summary here: https://isc.sans.edu/mspatchdays.html?viewday=2016-08-09 (or via the API in various parsable formats) Some of the highlights: MS16-095/096: The usual Internet Explorer and Edge patches. Microsoft addresses nine vulnerabilities for Internet Explorer, and 8 for Edge. Note that there is a lot of overlap. Kind of makes you wonder how...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21357&rss
*** MSRT August 2016 release adds Neobar detection ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier: Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family. This blog discusses BrowserModifier:Win32/Neobar and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/08/09/msrt-august-2016-releas…
*** Cardinal error: Microsoft accidentally checkmates Secure Boot ***
---------------------------------------------
Through a forgotten debug function, Microsoft has given every administrator the ability to disable Secure Boot, even remotely. But that is not the end of the embarrassment: two attempts to plug the hole have already failed.
---------------------------------------------
http://heise.de/-3291946
*** Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die! ***
---------------------------------------------
Adobe plugin completely snubbed for HTML5. By the end of the year, Google Chrome will block virtually all Flash content and make whatever's left click-to-play by default.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/09/google_chro…
*** Factsheet Use virtualisation wisely ***
---------------------------------------------
Virtualisation of ICT services ensures more efficient and flexible use of hardware. This factsheet is about specific risks that arise when you use virtual servers to outsource ICT services. Your virtual server has an unknown number of virtual neighbours on the host. By using the newly discovered Flip Feng Shui attack method, an attacker can penetrate a virtual neighbour or have it install malware. To date, an attacker could only eavesdrop on the activity of virtual neighbours. The success...
---------------------------------------------
https://www.ncsc.nl/english/current-topics/factsheets/factsheet-use-virtual…
*** Research team presents Flip Feng Shui attack method at Usenix Security Symposium 2016 ***
---------------------------------------------
Researchers of the Vrije Universiteit Amsterdam and the Katholieke Universiteit Leuven discovered a new attack method, known as Flip Feng Shui. This is the first attack method that enables an attacker to change the contents of the memory of another virtual server. In this way, he can directly attack the virtual server. Previously discovered attack methods, so-called side channels, aim to eavesdrop on a virtual server on the same host, and gain access to confidential information. On August the
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/researchteam-presents-flip-…
*** Encryption: Microsoft's Edge and Internet Explorer 11 throw RC4 overboard ***
---------------------------------------------
Effective immediately, the Edge and Internet Explorer 11 web browsers no longer open websites that rely on the RC4 encryption algorithm. Microsoft is currently distributing the update required for this.
---------------------------------------------
http://heise.de/-3291361
*** Tricky primes: A subtle backdoor in the Diffie-Hellman key exchange ***
---------------------------------------------
If the Diffie-Hellman key exchange uses the wrong primes in the right place, an attacker may under certain circumstances be able to obtain the secret keys. That would allow them to break SSL connections, for example.
---------------------------------------------
http://heise.de/-3289764
*** Determining the real economic impact of cyber-incidents: A mission (almost) impossible ***
---------------------------------------------
Today ENISA publishes a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII).
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/determining-the-real-economic-i…
*** IDG Contributor Network: Reach 'em and teach 'em--educating developers on application security ***
---------------------------------------------
How are developers supposed to build security throughout the development lifecycle if they are not taught security at any stage of their education? Vulnerabilities exist because products made by developers who have close to no knowledge of security are hitting the market. Rather than accept the idea that software will never be 100 percent secure, academia and industry leaders can be more proactive and teach developers how to think about application security. In a white paper, "App-Sec...
---------------------------------------------
http://www.csoonline.com/article/3105503/application-development/reach-em-a…
*** Security Advisory - A Security Vulnerability of Using Insecure Random Numbers to Generate Self-signed Certificates in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160810-…
*** Security Advisory - Buffer Overflow Vulnerability in Huawei USG Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160810-…
*** IBM Security Bulletin: XXE and XmlBomb vulnerability in FileNet Workplace (CVE-2016-3055) ***
---------------------------------------------
FileNet Workplace is susceptible to the XXE and XmlBomb vulnerability. CVE(s): CVE-2016-3055 Affected product(s) and affected version(s): FileNet Workplace 4.0.2 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21987128 X-Force Database:...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21987128
*** IBM Security Bulletin: IBM Forms Experience Builder vulnerable to CSRF when configured with non default settings (CVE-2016-2884) ***
---------------------------------------------
A cross-site request forgery attack is possible when configured with non default settings, caused by improper validation of user-supplied input. CVE(s): CVE-2016-2884 Affected product(s) and affected version(s): IBM Forms Experience Builder 8.5 IBM Forms Experience Builder 8.5.1 IBM Forms Experience Builder 8.6.x Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21987252
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-3426) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 and Version 8. These issues were disclosed as part of the IBM Java SDK updates in April 2016. Rational Service Tester is only affected by one of these vulnerabilities. CVE(s): CVE-2016-3426 Affected product(s) and affected version(s): Rational Service Tester versions 8.3, 8.5, 8.6,...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988456
*** IBM Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Cognos Planning (CVE-2016-3427) ***
---------------------------------------------
There are multiple vulnerabilities in IBM Runtime Environment Java Version 6 that is used by IBM Cognos Planning. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3427 Affected product(s) and affected version(s): IBM Cognos Planning 10.1 IBM Cognos Planning 10.1.1 Refer to the following reference URLs for...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21975745
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 08-08-2016 18:00 − Tuesday 09-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** "Cat-Loving" Mobile Ransomware Operates With Control Panel ***
---------------------------------------------
Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on compromised legitimate servers. The payload of this malware can encrypt a victim's files, steal SMS messages, and block access to the device. In this variant the...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cat-loving-mobile-ransomware-operates-…
*** Researcher warns of flaws in Samsung Pay tokenization and mag stripe features ***
---------------------------------------------
A researcher claims to have found vulnerabilities in Samsung Pay's tokenization mechanism and its magnetic secure transmission (MST) technology that could allow hackers to steal users' tokens and make fraudulent purchases.
---------------------------------------------
http://www.scmagazine.com/researcher-warns-of-flaws-in-samsung-pay-tokeniza…
*** Samsung Calls Reports of Samsung Pay Security Flaw "Inaccurate" ***
---------------------------------------------
Researcher finds a way to make fraudulent transactions via Samsung Pay, but Samsung denies any issues
---------------------------------------------
http://news.softpedia.com/news/samsung-calls-reports-of-samsung-pay-securit…
*** Anonymous document: Attacks on the FreeBSD update process ***
---------------------------------------------
An anonymous document describes in detail security vulnerabilities in the FreeBSD update system. Portsnap, Libarchive and Bspatch are affected. So far, fixes exist for only a few of the bugs. Similar attacks may also exist on Linux systems.
---------------------------------------------
http://www.golem.de/news/anonymes-dokument-angriffe-auf-den-freebsd-update-…
*** Security: Hackers crack 12 of 16 smart locks ***
---------------------------------------------
Two hackers were able to crack three quarters of the Bluetooth smart locks they examined, in places with hair-raisingly simple means. The manufacturers' reaction does not suggest much interest in changing anything about the problems.
---------------------------------------------
http://www.golem.de/news/sicherheit-hacker-knacken-12-von-16-smartlocks-160…
*** DFRWS EU/IMF 2017 ***
---------------------------------------------
DFRWS EU 2017 will be held in Überlingen, Lake Constance, Germany. This year brings together two premier research conferences in Europe, the DFRWS digital forensics conference (DFRWS EU 2017) and the International Conference on IT Security Incident Management & IT Forensics (IMF 2017). Established in 2001, DFRWS has become the premier digital forensics conference, dedicated to solving real world challenges, and pushing the envelope of what is currently possible in digital forensics.
---------------------------------------------
http://www.dfrws.org/conferences/dfrws-eu-2017
*** Fake PayLife message: Your credit card will be temporarily restricted ***
---------------------------------------------
In an e-mail, criminals claim that PayLife customers must confirm their personal data. If they do not, they supposedly have to pay 89.95 euros. Recipients who comply with the request transmit sensitive credit card information to criminals.
---------------------------------------------
https://www.watchlist-internet.at/phishing/unechte-paylife-nachricht-ihre-k…
*** Windows 10 Anniversary Update is infested with bugs ***
---------------------------------------------
Last month, I warned readers that Microsoft's Windows 10 Anniversary Update would likely be somewhat buggy and suggested consumers should wait awhile before installing it. Unfortunately, my advice proved valid. Windows 10 Anniversary Update infestation: There are widespread reports of significant bugs in the update, and they're causing systems to freeze, browsers to misbehave, and peripherals - including Xbox One controllers - to malfunction. Two major antivirus companies also warn that...
---------------------------------------------
http://www.cio.com/article/3104774/windows-security/windows-10-anniversary-…
*** QuadRooter vulnerability: 5 things to know about this Android security scare ***
---------------------------------------------
Once again, it's Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy moniker "QuadRooter." As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices - in this case, an estimated 900 million. We're going to break down exactly what's going on, and just how vulnerable you're likely to be.
---------------------------------------------
http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android…
*** IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks ***
---------------------------------------------
Vulnerability common to devices routing IPv6; Cisco offered partial fix in July.
---------------------------------------------
http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-ddos-…
*** Security Bulletin Posted for Adobe Experience Manager (APSB16-27) ***
---------------------------------------------
Adobe has published a Security Bulletin for Adobe Experience Manager (APSB16-27). Adobe recommends users apply the relevant hotfix to their product installation using the instructions referenced in the security bulletin. Adobe is not planning to issue a security update for Flash Player this...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1385
*** Cisco IOS and IOS XE Software Crafted Network Time Protocol Packets Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the processing of Network Time Protocol (NTP) packets by Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to insufficient checks on clearing the invalid NTP packets from the interface queue. An attacker could exploit this vulnerability by sending a number of crafted NTP packets to be processed by an affected device. An exploit...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Foxit Reader Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1036558
*** Vuln: OpenSSH CVE-2016-6515 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92212
*** Bugtraq: ESA-2016-070: RSA Authentication Manager Prime SelfService Insecure Direct Object Reference Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539157
*** Bugtraq: [CVE-2016-6600/1/2/3]: Multiple vulnerabilities (RCE, file download, etc) in WebNMS Framework 5.2 / 5.2 SP1 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539159
*** Trend Micro Control Manager (TMCM) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114749.aspx
*** Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114746.aspx
*** Trend Micro Smart Protection Server (Standalone) Multiple Vulnerabilities ***
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114913.aspx
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: AppScan Source vulnerable to denial of service caused by an XML External Entity (CVE-2016-3033) ***
http://www.ibm.com/support/docview.wss?uid=swg21987326
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring Buffer Overflow (CVE-2016-2946) ***
http://www.ibm.com/support/docview.wss?uid=swg21984578
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security affected by Cross Site Scripting (CVE-2016-2991) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985280
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729 CVE-2016-4463) ***
http://www.ibm.com/support/docview.wss?uid=swg21987267
---------------------------------------------
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with Openstack (CVE-2015-7548, CVE-2015-8749 CVE-2015-1850) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024106
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 05-08-2016 18:00 − Monday 08-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** F5 Security Advisory: glibc vulnerability CVE-2016-3706 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/06/sol06493172.html?…
*** Smoke Loader - downloader with a smokescreen still alive ***
---------------------------------------------
This time we will have a look at another payload from recent RIG EK campaign. It is Smoke Loader (also known as Dofoil), a bot created several years ago. One of its early versions was advertised on the black market in 2011.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-download…
*** Docker Unspecified Flaw Lets Remote Authenticated Users Deny Service on the Target Swarm Cluster ***
---------------------------------------------
http://www.securitytracker.com/id/1036548
*** Apple iOS Memory Corruption Error in IOMobileFrameBuffer Lets Applications Gain Elevated Privileges on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036546
*** FortiAnalyzer & FortiManager - Client Side Cross Site Scripting Web Vulnerability ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080052
*** This PC monitor hack can manipulate pixels for malicious effect ***
---------------------------------------------
Don't believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display. Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen. During their DEF CON...
---------------------------------------------
http://www.cio.com/article/3104974/this-pc-monitor-hack-can-manipulate-pixe…
*** Attack on ATMs by remote control ***
---------------------------------------------
A security researcher demonstrated at the Black Hat conference how cash can be withdrawn from other people's accounts despite PIN protection. Allegedly, the PIN can also be captured at modern ATMs without leaving traces.
---------------------------------------------
http://heise.de/-3289469
*** External hard drives with encryption can be cracked ***
---------------------------------------------
Many USB hard drives with full encryption and a PIN keypad can presumably be decrypted by replacing the firmware of the USB-SATA bridge chip.
---------------------------------------------
http://heise.de/-3289530
*** Video surveillance recorders RIDDLED with 0-days ***
---------------------------------------------
Kit from NUUO, Netgear has face-palm grade stoopid. There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/07/nuuo_netgea…
*** Strider: Cyberespionage group turns eye of Sauron on targets ***
---------------------------------------------
Low-profile group uses Remsec malware to spy on targets in Russia, China, and Europe. A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium. The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks.
---------------------------------------------
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-ey…
*** Week in review: Black Hat USA 2016 coverage, QRLJacking, exposed SAP systems ***
---------------------------------------------
Here's an overview of some of last week's most interesting news and articles: Black Hat USA 2016 Want to learn the news from Black Hat USA 2016? Get it all from our dedicated coverage page. QRLJacking: A new attack vector for hijacking online accounts We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use. 36000 SAP...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/week-review-black-hat-usa-2016-c…
*** Bugtraq: vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539149
*** VMware product updates address multiple important security issues ***
---------------------------------------------
VMware product updates address a DLL hijacking issue in Windows-based VMware Tools and an HTTP Header injection issue in vCenter Server and ESXi.
Relevant Products: VMware vCenter Server VMware vSphere Hypervisor (ESXi) VMware Workstation Pro VMware Workstation Player VMware Fusion VMware Tools
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** Remote Butler attack: APT groups' dream come true ***
---------------------------------------------
Microsoft security researchers have come up with an extension of the "Evil Maid" attack that allows attackers to bypass local Windows authentication to defeat full disk encryption: "Remote Butler". Demonstrated at Black Hat USA 2016 by researchers Tal Be'ery and Chaim Hoch, the Remote Butler attack has one crucial improvement over Evil Maid: it can be effected by attackers who do not have physical access to the target Windows computer that has, at one time,...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/remote-butler-attack/
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update CVE(s): CVE-2016-3598, CVE-2016-3511, CVE-2016-3485 Affected product(s) and affected version(s): These vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 40 and earlier releases Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=swg21987762 X-Force Database:...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21987762
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update CVE(s): CVE-2016-3610, CVE-2016-3598, CVE-2016-3606, CVE-2016-3587, CVE-2016-3511, CVE-2016-3550, CVE-2016-3485 Affected product(s) and affected version(s): These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 26 and earlier releases These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21986642
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7548, CVE-2015-8749 CVE-2015-1850) ***
---------------------------------------------
IBM SmartCloud Entry is vulnerable to several Openstack Nova vulnerabilities, which could allow a local authenticated attacker or a remote attacker to obtain sensitive information CVE(s): CVE-2015-8749, CVE-2015-7548, CVE-2015-1850 Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21 IBM SmartCloud Entry 3.1 through Appliance fix pack 21 Refer to the...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023865
*** VU#735416: UltraVNC repeater does not restrict IP addresses or ports by default ***
---------------------------------------------
Vulnerability Note VU#735416 UltraVNC repeater does not restrict IP addresses or ports by default Original Release date: 08 Aug 2016 | Last revised: 08 Aug 2016 Overview UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port. Description CWE-16: Configuration - CVE-2016-5673 UltraVNC repeater acts as a proxy to route remote desktop VNC...
---------------------------------------------
http://www.kb.cert.org/vuls/id/735416
*** Newly emerging encryption trojans (ransomware) render data irretrievably unusable ***
---------------------------------------------
[...] The variants of the ransomware currently appearing call themselves Vegclass(a)aol.com, Salazar-Slytherin10(a)yahoo.com, etc.; the actual malicious code, however, is likely to be traceable to the ransomware "Troldesh", which originates from Russia.
---------------------------------------------
http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=524B7A526E703148456D553D&pag…
*** Smuggling malware into isolated networks with barcodes and Excel ***
---------------------------------------------
A hacker brings malware by a detour into networks in which neither USB nor optical drives nor network transfers work. He converts the software into 2D barcodes, which he then turns back into executable code with Excel.
---------------------------------------------
http://heise.de/-3290119
*** Qualcomm-powered Android devices plagued by four rooting flaws ***
---------------------------------------------
Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over. The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying...
---------------------------------------------
http://www.cio.com/article/3104896/qualcomm-powered-android-devices-plagued…
*** Data Breach At Oracle's MICROS Point-of-Sale Division ***
---------------------------------------------
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached more than 700 computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers appear to have compromised a customer support portal for companies using Oracle's MICROS point-of-sale credit card payment systems.
---------------------------------------------
http://krebsonsecurity.com/?p=35752
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 04-08-2016 18:00 − Friday 05-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** iPhone: Watch out for targeted phishing after a theft ***
---------------------------------------------
Thieves rely on imitation Apple letters to get theft victims to enter their credentials. With these they can lift the activation lock and sell the stolen iPhone in fully working condition.
---------------------------------------------
http://heise.de/-3288554
*** Microsoft Bounty Programs Expansion – Microsoft Edge Remote Code Execution (RCE) Bounty ***
---------------------------------------------
I’m very happy to announce another addition to the Microsoft Bounty Programs. Microsoft will be hosting a ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/08/04/microsoft-bounty-progra…
*** Pwnie Awards 2016: The Oscars of the security scene go to … ***
---------------------------------------------
The cute golden Pwnies went to, among others, Tavis Ormandy, Charlie Miller, Juniper and Western Digital. Not ..
---------------------------------------------
http://heise.de/-3288420
*** To Obfuscate, or not to Obfuscate ***
---------------------------------------------
Introduction: Malware's goal is to bypass computer defenses, infect a target, and often remain on the system as long as possible. A variety of techniques are used to accomplish ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/To-Obfuscate,-or-not-to…
*** Apple wants to pay hackers 200,000 dollars for bug discovery ***
---------------------------------------------
While Microsoft, Google and Co have long run bug bounty programmes, Apple has so far held back
---------------------------------------------
http://derstandard.at/2000042391260
*** Cyber Grand Challenge: IT security could change radically ***
---------------------------------------------
If computers fully autonomously search for and find security holes and then either patch or exploit them, there remains ..
---------------------------------------------
http://heise.de/-3288820
*** WPAD: 20-year-old protocol puts millions of users at risk ***
---------------------------------------------
The WPAD protocol is used for the automatic configuration of proxies and poses a long-known ..
---------------------------------------------
http://heise.de/-3288801
*** Odd Packet: Any ideas where this comes from?, (Fri, Aug 5th) ***
---------------------------------------------
Our reader submitted to us several odd packets. Of course, I can't resist to figure out what is exactly going on here: The packets appear to include a lengthy preamble, but I ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21343
*** Frequent Password Changes is a Bad Security Idea ***
---------------------------------------------
I've been saying for years that it's bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees: By studying the data, the researchers identified common techniques ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
*** After Bitcoin hack: Bitfinex thieves now want to donate ***
---------------------------------------------
After attackers stole Bitcoin worth around 72 million US dollars from Bitfinex, they now apparently want to donate part of it. A total of 1,000 Bitcoin ..
---------------------------------------------
http://www.golem.de/news/nach-bitcoin-hack-bitfinex-diebe-wollen-jetzt-spen…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 03-08-2016 18:00 − Thursday 04-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco TelePresence Video Communication Server Expressway Command Injection Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco TelePresence Video Communication Server Expressway could allow an authenticated, remote attacker to execute arbitrary commands on the affected system. The ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV180 VPN and RV180W Wireless-N Multifunction VPN Routers Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web interface of the Cisco RV180 VPN Router and Cisco RV180W Wireless-N Multifunction VPN Router could allow an authenticated, remote ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV110W, RV130W, and RV215W Routers Command Shell Injection Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) command parser of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041 ***
---------------------------------------------
https://www.drupal.org/node/2778501
*** Snitches get stitches: Little Snitch bugs were a blessing for malware ***
---------------------------------------------
Now-patched kernel-level flaw in OS X app firewall will be revealed this week. DEF CON: Vulnerabilities in popular OS X security tool Little Snitch potentially granted malicious applications extra powers, undermining the protection offered by the software.
---------------------------------------------
www.theregister.co.uk/2016/08/03/mac_firewall_littlesnitch/
*** A look into Neutrino EK’s jQueryGate ***
---------------------------------------------
In the cybercrime landscape, Exploit Kits (EKs) are the tools of choice to infect endpoints by exploiting software vulnerabilities. However, a critical component EKs ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016…
*** [20160802] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerab…
*** [20160801] - Core - ACL Violation ***
---------------------------------------------
https://developer.joomla.org/security-centre/652-20160801-core-core-acl-vio…
*** [20160803] - Core - CSRF ***
---------------------------------------------
https://developer.joomla.org/security-centre/654-20160803-core-csrf.html
*** XML External Entity Injection Opens Door to Attacks, Theft ***
---------------------------------------------
XML is a popular language for web developers, partially due to its software and hardware independence. Recently, however, XML security is under threat from XML external ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/xml-external-entity-injection-opens-do…
*** A Plugin’s Expired Domain Poses a Security Threat to Websites ***
---------------------------------------------
Do you keep all your website software (including all third-party themes, plugins and components) up-to-date? You should! We always recommend this to our ..
---------------------------------------------
https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html
*** DSA-3639 wordpress - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3639
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8584
*** HEIST: Timing and compression attack on TLS ***
---------------------------------------------
By cleverly combining a timing attack in JavaScript with the already known BREACH attack, it is possible to decrypt secrets in TLS connections. Unlike before, no man-in-the-middle attack is needed for this.
---------------------------------------------
http://www.golem.de/news/heist-timing-und-kompressionsangriff-auf-tls-1608-…
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) in page ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8585
*** Phishing study: Curiosity wins over security concerns ***
---------------------------------------------
Despite all warnings and security precautions: users are very easily lured to a website if the phishing mail sounds enticing enough. That should have consequences for the security architecture, researchers demand.
---------------------------------------------
http://www.golem.de/news/phishing-studie-neugier-siegt-ueber-sicherheitsbed…
*** Social engineering: Every second person falls for USB sticks and Facebook messages ***
---------------------------------------------
Would you plug in a USB stick you just found? Would you click on the link in a Facebook message from a person unknown to you? According to two studies, many answer no to this, but do it anyway.
---------------------------------------------
http://heise.de/-3287818
*** DSA-3640 firefox-esr - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3640
*** DSA-3638 curl - security update ***
----------------------------------------------
https://www.debian.org/security/2016/dsa-3638
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 02-08-2016 18:00 − Wednesday 03-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** MICROSOFT LIVE ACCOUNT CREDENTIALS LEAKING FROM WINDOWS 8 AND ABOVE ***
---------------------------------------------
Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).
---------------------------------------------
https://hackaday.com/2016/08/02/microsoft-live-account-credentials-leaking-…
*** Internet telephony: Data protection officials recommend Perfect Forward Secrecy ***
---------------------------------------------
The International Working Group on Data Protection in Telecommunications recommends the use of secure encryption in apps for VoIP or chat. Providers should store as little personal information as possible.
---------------------------------------------
http://heise.de/-3285356
*** SAP ASE file creation vulnerability (CVE-2016-6196) ***
---------------------------------------------
Recently SAP released a patch for an Adaptive Server Enterprise vulnerability that allows legitimate database users to create files on disk where the server process can write to. This is useful when doing a chained database attack - first create...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/SAP-ASE-file-creation-v…
*** The Dark Side of Certificate Transparency, (Wed, Aug 3rd) ***
---------------------------------------------
I am a big fan of the idea behind Certificate Transparency [1]. The real problem with SSL (and TLS... it really doesn't matter for this discussion) is not the weak ciphers or subtle issues with algorithms (yes, you should still fix it), but the certificate authority trust model. It has been too easy in the past to obtain a fraudulent certificate [2]. There was little accountability when it came to certificate authorities issuing test certificates, or just messing up, and validating the wrong...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21329&rss
*** Windows 10 Anniversary Update enforces signed drivers more strictly ***
---------------------------------------------
Since the 64-bit version of Windows Vista, Microsoft has required digitally signed drivers for PC components; the latest Windows 10 version 1607 (Redstone) raises the requirements.
---------------------------------------------
http://heise.de/-3285419
*** Insecure SMS authentication: Telegram accounts in Iran apparently hacked ***
---------------------------------------------
The messenger service Telegram is considered by many to be a secure alternative to WhatsApp. But it is entirely possible to circumvent security measures and gain access to accounts.
---------------------------------------------
http://www.golem.de/news/unsichere-sms-authentifizierung-telegram-accounts-…
*** FossHub compromised: Software installers infected with malware ***
---------------------------------------------
The download platform FossHub has been hacked. The hackers infected the installers of widely used open-source programs with malware that overwrites the bootloader.
---------------------------------------------
http://heise.de/-3286347
*** A brief introduction to Forensic Readiness ***
---------------------------------------------
Introduction: As defined in the RFC 2350 (Expectations for Computer Security Incident Response), the security incident is any adverse event which compromises some aspect of computer or network security. The definition of an incident may vary between organizations but generally is related to the compromise of confidentiality (i.e. document theft), integrity (i.e. alteration of the...
---------------------------------------------
http://resources.infosecinstitute.com/a-brief-introduction-to-forensic-read…
*** Finding and Enumerating Processes within Memory-Part 1 ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-wit…
*** Social engineering: How to coax passwords out of others with chocolate ***
---------------------------------------------
Scientists demonstrate alarmingly careless handling of confidential data
---------------------------------------------
http://derstandard.at/2000042272093-406
*** Four high-profile vulnerabilities in HTTP/2 revealed ***
---------------------------------------------
Imperva released a new report at Black Hat USA 2016, which documents four high-profile vulnerabilities researchers at the Imperva Defense Center found in HTTP/2, the new version of the HTTP protocol that serves as one of the main building blocks of the Worldwide Web. HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure which then becomes vulnerable to new types of attacks. Imperva researchers took an in-depth look at...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/03/vulnerable-http2/
*** Stealing payment card data and PINs from POS systems is dead easy ***
---------------------------------------------
Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications. POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers...
---------------------------------------------
http://www.cio.com/article/3102922/stealing-payment-card-data-and-pins-from…
*** Nagios Core Access Control Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036513
*** Moxa SoftCMS SQL Injection Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a SQL injection vulnerability in Moxa's SoftCMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-01
*** Siemens SINEMA Server Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability in the Siemens SINEMA Server.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-02
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 01-08-2016 18:00 − Tuesday 02-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Android Security Bulletin August 2016 ***
---------------------------------------------
https://source.android.com/security/bulletin/2016-08-01.html
*** Google Domain Enables HSTS Protection ***
---------------------------------------------
Google ensures HTTPS connections to its domains with support for HTTP Strict Transport Security, or HSTS.
---------------------------------------------
http://threatpost.com/google-domain-enables-hsts-protection/119597/
*** DSA-3637 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3637
*** Slinging Hash: Speeding Cyber Threat Hunting Methodologies via Hash-Based Searching ***
---------------------------------------------
Introduction: The term "hash" is thrown around in casual IT conversation quite a bit nowadays, ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Slinging-Hash--Speeding…
*** 36000 SAP systems exposed online, most open to attacks ***
---------------------------------------------
ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness. The company used its own scanning method to gather ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/02/sap-cybersecurity-report/
*** 200 million Yahoo accounts being sold on the darknet ***
---------------------------------------------
Login information for around 200 million Yahoo accounts is being offered for sale. And Yahoo knows about it.
---------------------------------------------
http://futurezone.at/digital-life/im-darknet-werden-200-millionen-yahoo-acc…
*** FireEye admits filtering out legitimate emails in sniffer snafu ***
---------------------------------------------
Benign messages frogmarched into quarantine. FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.
---------------------------------------------
www.theregister.co.uk/2016/08/02/fireeye_filtering_snafu/
*** Kaspersky's heart for hackers: 50,000 US dollars for reported bugs ***
---------------------------------------------
As the second AV vendor, the Russians are introducing a bug bounty program. Security researchers are now to receive money for finding vulnerabilities in Kaspersky products.
---------------------------------------------
http://heise.de/-3284172
*** Introducing the p0f BPF compiler ***
---------------------------------------------
Two years ago we blogged about our love of BPF (BSD packet filter) bytecode. Then we published a set of utilities we are using to generate the BPF ..
---------------------------------------------
https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/
*** Timing Attacks in the Modern Web ***
---------------------------------------------
Before you explore all the details of these browser-based timing attacks, head over to my laboratories to play around with these attacks yourself!
---------------------------------------------
https://tom.vg/2016/08/browser-based-timing-attacks/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 29-07-2016 18:00 − Monday 01-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Fake FreeDNS Used to Redirect Traffic to Malicious Sites ***
---------------------------------------------
During the last couple of days we performed a few similar cleanup requests where sites occasionally redirected visitors to malicious sites that displayed ads, spam and malicious downloads. One of our security analysts, Andrey Kucherov, ..
---------------------------------------------
https://blog.sucuri.net/2016/07/fake-freedns-used-to-redirect-traffic-to-ma…
*** SwiftKey shows suggestions from other users ***
---------------------------------------------
Users of the alternative smartphone keyboard SwiftKey have received word suggestions from other users. In addition to words in other languages, these reportedly included other people's e-mail addresses.
---------------------------------------------
http://heise.de/-3282177
*** DSA-3636 collectd - security update ***
---------------------------------------------
Emilien Gaspar discovered that collectd, a statistics collection and monitoring daemon, incorrectly processed incoming network packets. This resulted in a heap overflow, allowing a remote attacker to either cause a DoS via application crash, or potentially execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3636
*** HTML injection flaw allowed certificate theft at Comodo ***
---------------------------------------------
A flaw in the certificate ordering system of the certification authority Comodo allowed attackers to have SSL certificates issued for other parties' websites, which enables man-in-the-middle eavesdropping on their traffic.
---------------------------------------------
http://heise.de/-3282183
*** Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host ***
---------------------------------------------
Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update ..
---------------------------------------------
https://tech.slashdot.org/story/16/07/30/1552244/xen-vulnerability-allows-h…
*** DSA-3634 redis - security update ***
---------------------------------------------
It was discovered that redis, a persistent key-value database, did not properly protect redis-cli history files: they were created by default with world-readable permissions.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3634
*** Are you getting I-CANNED? ***
---------------------------------------------
One year ago, I already covered the impact that ICANN's latest money grab was having on security, see https://isc.sans.edu/forums/diary/httpsyourfakebanksupport+TLD+confusion+st…. ICANN is the organization that ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21323
*** Booking Calendar <= 6.2 - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8576
*** Booking Calendar <= 6.2 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8575
*** Pokémon GO Creator's Twitter Account Hacked — Pika, Pikaaaa! ***
---------------------------------------------
Twitter account of another high-profile CEO has been hacked! This time, it's Niantic CEO John Hanke, the developer behind the world's most popular game Pokémon GO. And it ..
---------------------------------------------
https://thehackernews.com/2016/07/pokemon-go-hack.html
*** Kaspersky DDoS Intelligence Report for Q2 2016 ***
---------------------------------------------
In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks. In fact, 97.3% of the targeted resources were located in ..
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/75513/kaspersky-dd…
*** INTERPOL Arrests Business Email Compromise Scam Mastermind ***
---------------------------------------------
Business Email Compromise (BEC) attacks have proven to be an effective tactic, with criminals stealing large amounts of money from various businesses. From 2013 to 2015, BEC-related damages were estimated at US$ 2.3 billion. Targeting ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/interpol-arrests…
*** Security flaw: Millions of air travellers' records on the Internet for years ***
---------------------------------------------
Invoices, names and in some cases even the bank details of air travellers were openly available on the net for years without any technical hurdles, without anyone noticing. As far as is currently known, criminals also overlooked the data.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-millionen-daten-von-flugreisende…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 28-07-2016 18:00 − Friday 29-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Long-running malvertising campaign infected thousands of computers per day ***
---------------------------------------------
Security researchers have shut down a large-scale malvertising operation that used sophisticated techniques to remain undetected for months and served exploits to millions of computers. The operation, dubbed AdGholas, has been running since at least October 2015. According to security vendor Proofpoint, the gang behind it managed to distribute malicious advertisements through more than 100 ad exchanges, attracting between 1 million and 5 million page hits per day. The Proofpoint researchers...
---------------------------------------------
http://www.cio.com/article/3101817/long-running-malvertising-campaign-infec…
*** Would You Use This ATM? ***
---------------------------------------------
One basic tenet of computer security is this: If you can't vouch for a networked thing's physical security, you also cannot vouch for its cybersecurity. That's because in most cases, networked things really aren't designed to foil a skilled and determined attacker who can freely connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop of an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.
---------------------------------------------
http://krebsonsecurity.com/2016/07/would-you-use-this-atm/
*** Q2 DDoS activity up 83%, report ***
---------------------------------------------
Nexusguard researchers noticed an 83 percent uptick in DDoS attacks in Q2 2016 compared to Q1.
---------------------------------------------
http://www.scmagazine.com/q2-ddos-threat-report-notes-83-percent-uptick/art…
*** Pwnie Express open sources IoT and Bluetooth security tools ***
---------------------------------------------
Pwnie Express announced the availability of open sourced versions of its Blue Hydra and Android build system software. The release of these tools enable comprehensive Bluetooth detection and community based development of penetration testing Android devices. Bluetooth detection is critical for effective device threat detection and must cover both Low energy (LE) and Classic Bluetooth standards. Blue Hydra has also been integrated into Pwnie's monitoring platform, Pulse, to provide...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/pwnie-express-iot-bluetooth-secu…
*** Businesses need to protect data, not just devices ***
---------------------------------------------
As organizations embrace the digital transformation of their business, they are increasingly facing new security concerns. More companies are moving away from device-centric, platform-specific endpoint security technologies toward an approach that secures their applications and data everywhere. A new Citrix Qualtrics survey revealed that: More than half of Citrix customers reported that they are changing the way their SecOps teams are operated because of the increase in ransomware, targeted...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/protect-data-not-just-devices/
*** Virtually all business cloud apps lack enterprise grade security ***
---------------------------------------------
Blue Coat Systems analyzed apps for their ability to provide compliance, data protection, security controls and more. Of the 15,000 apps analyzed, it was revealed that 99 percent do not provide sufficient security, compliance controls and features to effectively protect enterprise data in the cloud. Shadow data still a major threat. Their report revealed that shadow data, unmanaged content employees store and share across cloud apps, continues to remain a major threat, with 23 percent...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/business-cloud-apps-lack-enterpr…
*** Electronics retailer Pollin confirms serious hacker attack ***
---------------------------------------------
After customer data had already been misused for personalised phishing attacks, the electronics shop has now stated that its servers were attacked. The perpetrators took a lot with them, apparently including customers' bank details.
---------------------------------------------
http://heise.de/-3281324
*** Malicious RTF Files, (Fri, Jul 29th) ***
---------------------------------------------
About a year ago I received RTF samples that I could not analyze with RTFScan or rtfobj (FYI: Philippe Lagadec has improved rtfobj.py significantly since then). So I started to write my own RTF analysis tool (rtfdump), but I was not satisfied enough with the way I presented the analysis result to warrant a release of my tool. Last week, I started analyzing new samples and updating my tool. I released it, and show how I analyze sample 07884483f95ae891845caf0d50ce507f in this diary entry. This...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21315&rss
*** Under Windows 10 Pro, not all group policies will apply soon ***
---------------------------------------------
With Windows 10, in particular the "Anniversary Update", Microsoft is changing the application logic of group policies. In future, not only the version of the operating system (Windows 7/8/10) but also the edition (Pro, Enterprise) will be decisive. [...] After the update, it will no longer be possible to centrally control the behaviour with Pro editions of Windows 10. And incidentally, workarounds are also being closed off, for example manipulation via registry keys.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Unter-Windows-10-Pro-gelten-bald-nic…
*** Citrix NetScaler Service Delivery Appliance Multiple Security Updates ***
---------------------------------------------
A number of vulnerabilities have been identified in the Citrix NetScaler Service Delivery Appliance (SDX) that could allow a malicious administrative user to crash the host or other VMs and execute arbitrary code on the SDX host.
---------------------------------------------
https://support.citrix.com/article/CTX206006
*** iPrint Appliance 1.1 Patch 6 ***
---------------------------------------------
Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patches
Document ID: 5250978
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-1.1.0.417.HP.zip (27.49 MB), iPrint-1.1.0.421.HP.zip (1,008.67 MB)
Products: iPrint Appliance 1.1
Superseded Patches: iPrint Appliance 1.1 Patch
---------------------------------------------
https://download.novell.com/Download?buildid=vv7Z6imI7Js~
*** iPrint Appliance 2.0 Patch 2 ***
---------------------------------------------
Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patch
Document ID: 5250983
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-2.0.0.531.HP.zip (721.05 MB)
Products: iPrint Appliance 2
Superseded Patches: iPrint Appliance 2.0
---------------------------------------------
https://download.novell.com/Download?buildid=svMlzlyK0go~
*** Bugtraq: [SYSS-2016-046] Perixx PERIDUO-710W - Missing Protection against Replay Attacks ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539041
*** VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance ***
---------------------------------------------
Vulnerability Note VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance
Original Release date: 29 Jul 2016 | Last revised: 29 Jul 2016
Overview: The Intel Crosswalk project is a framework for developing hybrid apps for Android and iOS. The Crosswalk project does not properly handle SSL certificate validation when a user accepts an invalid certificate, preventing the app from validating any future SSL certificates.
Description: CWE-356: Product UI does not
---------------------------------------------
http://www.kb.cert.org/vuls/id/217871
*** Bugtraq: Vicon Network Cameras - Authentication Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539037
*** Bugtraq: [SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539040
*** Bugtraq: [SYSS-2016-059] Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539045
*** Bugtraq: [SYSS-2016-047] Perixx PERIDUO-710W - Keystroke Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539042
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 27-07-2016 18:00 − Thursday 28-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Taking Steps to Fight Back Against Ransomware ***
---------------------------------------------
Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/taking-steps-to-fight-back-against-ran…
*** Infection Monkey: Test a network from an attacker's point of view ***
---------------------------------------------
Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore's research group. "Traditional testing tools are no longer able to effectively detect vulnerabilities in today's data center networks as they cannot continuously exploit the weakest link and propagate in-depth, resulting in a very partial view of network vulnerabilities" said Pavel Gurvich, CEO of GuardiCore. How...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/28/infection-monkey-test-network-at…
*** Verifying SSL/TLS certificates manually, (Thu, Jul 28th) ***
---------------------------------------------
I think that we can surely say that, with all its deficiencies, SSL/TLS is still a protocol we cannot live without, and basis of today's secure communication on the Internet. Quite often I get asked on how certificates are really verified by browsers or other client utilities. Sure, the canned answer that certificates get signed by CAs and a browser verifies if signatures are correct is always there, but more persistent questions on how it exactly works happen here and there as well. So, if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21311&rss
*** Password manager: Lastpass fixes critical vulnerability ***
---------------------------------------------
The critical vulnerability in the password manager Lastpass reported yesterday by Tavis Ormandy has since been closed, according to the company. A new Lastpass version is said to be available for Firefox.
---------------------------------------------
http://www.golem.de/news/passwort-manager-lastpass-bestaetigt-behebung-krit…
*** Phishing attack on Pollin customers ***
---------------------------------------------
Several customers of the electronics retailer Pollin have contacted heise Security, fearing that their personal data, including bank details, was copied from the retailer.
---------------------------------------------
http://heise.de/-3280449
*** You can't turn off Cortana in the Windows 10 Anniversary Update ***
---------------------------------------------
Microsoft made an interesting decision with Windows 10's Anniversary Update, which is now in its final stages of development before it rolls out on August 2. Cortana, the personal digital assistant that replaced Windows 10's search function and taps into Bing's servers to answer your queries with contextual awareness, no longer has an off switch.
---------------------------------------------
http://www.pcworld.com/article/3100358/windows/you-cant-turn-off-cortana-in…
*** Security Holes Exposed In Smart Lighting System ***
---------------------------------------------
Sylvania Osram Lightify vulnerabilities could allow an attacker to turn out the lights or ultimately infiltrate the corporate network.
---------------------------------------------
http://www.darkreading.com/cloud/security-holes-exposed-in-smart-lighting-s…
*** Background: Windows 10 with protection against pass-the-hash attacks ***
---------------------------------------------
With the help of modern virtualization technology, Credential Guard is meant to defuse one of the most dangerous attack techniques for Windows networks.
---------------------------------------------
http://heise.de/-3280610
*** DSA-3633 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3633
*** DSA-3632 mariadb-10.0 - security update ***
---------------------------------------------
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.26. Please see the MariaDB 10.0 Release Notes for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3632
*** Vuln: DBD::mysql my_login() Function Use After Free Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92118
*** Vuln: QEMU hw/scsi/esp.c Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92119
*** F5 Security Advisory: glibc vulnerability CVE-2016-4429 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17075474.html?…
*** AXIS Authenticated Remote Command Execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016070209
*** DFN-CERT-2016-1153: Apache Software Foundation HTTP Server, Lighttpd: A "vulnerability" allows HTTP proxy redirections ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1153/
*** DFN-CERT-2016-1216: Red Hat JBoss Operations Network: Multiple vulnerabilities allow, among other things, the execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1216/
*** Xen Security Advisory CVE-2016-5403 / XSA-184 ***
---------------------------------------------
A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. (This requires reusing vring descriptors in more than one request, which is incorrect but possible.) Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-184.html
*** Sentinel 7.3 SP3 (Sentinel 7.3.3.0) ***
---------------------------------------------
Abstract: Sentinel 7.3.3 upgrade for Sentinel 7.3
Document ID: 5250650
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: sentinel_server-7.3.3.0-2205.x86_64.tar.gz.sha256 (109 bytes), sentinel_server-7.3.3.0-2205.x86_64.tar.gz (1.69 GB)
Products: Sentinel 7.3.2, Sentinel 7.1.1, Sentinel 7.1, Sentinel 7.3.1, Sentinel 7.2, Sentinel 7.2.1, Sentinel 7.3, Sentinel 7.2.2, Sentinel 7.0, Sentinel 7.0.1, Sentinel 7.0.2, Sentinel 7.0.3, Sentinel 7.3.3
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=aGwCXcABsl0~
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Nexus 1000v Application Virtual Switch Cisco Discovery Protocol Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Videoscape Session Resource Manager Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Service Catalog Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Snort Rule Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Email Security Appliance File Type Filtering Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 26-07-2016 18:00 − Wednesday 27-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Dridex Re-Mastered ***
---------------------------------------------
Well, it's been quite an eventful time since last I posted. I have so much in the works that it is hard to tell where to begin. It seems that we are seeing new flavors of ransomware every week and botnets seem to come and go with a frequency we've not seen in a while. This week, though, I promised Dridex, so Dridex it is.
---------------------------------------------
http://www.scmagazine.com/dridex-re-mastered/article/511683/
*** Analyze of a Linux botnet client source code, (Wed, Jul 27th) ***
---------------------------------------------
I like to play active-defense. Every day, I extract attackers' IP addresses from my SSH honeypots and perform a quick Nmap scan against them. The goal is to gain more knowledge about the compromised hosts. Most of the time, hosts are located behind a residential broadband connection. But sometimes, you find more interesting stuff. When valid credentials are found, the classic scenario is the installation of a botnet client that will be controlled via IRC to launch multiple attacks or scans.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21305&rss
*** Ransomware: Malware developer spies on the competition - victims benefit ***
---------------------------------------------
Thousands of keys for decrypting data taken hostage by the encryption trojan Chimera have surfaced on Pastebin.
---------------------------------------------
http://heise.de/-3279201
*** Critical vulnerability in Lastpass: Developers are working on a fix ***
---------------------------------------------
Tavis Ormandy has found a critical security vulnerability in the password manager Lastpass and reported it via Twitter. According to the report, the software's developers are already working on a fix.
---------------------------------------------
http://heise.de/-3279424
*** Black Hat 2016: New attack provides access to plaintext URLs despite HTTPS ***
---------------------------------------------
Especially on public networks, encrypted HTTPS connections protect against admins or even other users on the same network eavesdropping on one's own traffic. This protection is apparently full of holes, on almost all browsers and operating systems.
---------------------------------------------
http://www.golem.de/news/black-hat-2016-neuer-angriff-schafft-zugriff-auf-k…
*** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 16: Account Monitoring and Control ***
---------------------------------------------
This is Part 16 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to…
*** From Locky with love - reading malicious attachments ***
---------------------------------------------
Read on to learn how the latest downloaders used to deliver Locky ransomware and show how to statically decipher their hidden URLs.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/from-locky-with-love-…
*** httpoxy in Austria ***
---------------------------------------------
Last week we published a warning about httpoxy, which concerns the following: CGI is a standard that allows web pages to be generated dynamically on the server side with the help of scripts. For this, the information about the client and the request is passed to the script in environment variables. If the HTTP request contains a "Proxy:" header, the content of this header is placed in the environment variable HTTP_PROXY...
---------------------------------------------
http://www.cert.at/services/blog/20160727173056-1764.html
*** Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access ***
---------------------------------------------
The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials. When visiting the device interface with a browser on port 80, the application loads an applet JAR file ICAMClient.jar into the user's browser which serves additional admin features. In the JAR file there is an account rou with password iris4000 that has read and limited write privileges on the affected node. An attacker can access the device using these credentials starting a simple telnet session on port 23
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
*** Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution ***
---------------------------------------------
The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exists due to several POST parameters in the /html/SetSmarcardSettings.php script not being sanitized when using the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the $CommandForExe variable which is set to call the /cgi-bin/setsmartcard CGI binary with the affected parameters as arguments allows the attacker to execute
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php
*** Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities ***
---------------------------------------------
The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the HidChannelID and HidVerForPHP POST parameters in the SetSmarcardSettings.php script. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php
*** F5 Security Advisory: MySQL vulnerability CVE-2016-2047 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53729441.html?…
*** Bugtraq: [security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539015
*** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01
*** Siemens SIMATIC NET PC-Software Denial-of-Service Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a denial-of-service vulnerability in the Siemens SIMATIC NET PC-Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02
*** Siemens SINEMA Remote Connect Server Cross-site Scripting Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect Server application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-03
*** Rockwell Automation FactoryTalk EnergyMetrix Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on June 21, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication vulnerabilities in the Rockwell Automation FactoryTalk EnergyMetrix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-03
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 25-07-2016 18:00 − Tuesday 26-07-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Devices with Qualcomm modems safe from critical ASN.1 telecom flaw ***
---------------------------------------------
Despite initial concerns, smartphones equipped with Qualcomm modems are not vulnerable to a recently announced vulnerability that could potentially allow attackers to take over cellular network gear and consumer mobile ..
---------------------------------------------
http://www.cio.com/article/3099688/devices-with-qualcomm-modems-safe-from-c…
*** Patchwork cyberespionage group expands targets from governments to wide range of industries ***
---------------------------------------------
Symantec finds that Patchwork now targets a variety of industries in the US, China, Japan, South East Asia, and the UK.
---------------------------------------------
http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expand…
*** Bugtraq: [security bulletin] HPSBGN03630 rev.1 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539001
*** Trump, DNC, RNC Flunk Email Security Test ***
---------------------------------------------
Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, even going so far as to suggest that anyone who is so lax with email security isn’t fit to become ..
---------------------------------------------
http://krebsonsecurity.com/2016/07/trump-dnc-rnc-flunk-email-security-test/
*** Bugtraq: July 2016 - Bamboo Server - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539003
*** DFN-CERT-2016-1197: Perl: Two vulnerabilities allow, among other things, the execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1197/
*** Mobile networks: Security vulnerability also makes smartphones vulnerable ***
---------------------------------------------
According to security researchers, large parts of the mobile network infrastructure are at risk from a vulnerability in a software library. A fix is available, but most devices will probably not receive updates.
---------------------------------------------
http://www.golem.de/news/mobilfunk-sicherheitsluecke-macht-auch-smartphones…
*** Amazon Silk browser removes Google’s default encryption ***
---------------------------------------------
Google’s good intentions of keeping searches made via its search engine protected through default encryption have been stymied by Amazon. A bug in the Amazon Silk ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/amazon-silk-bug-encryption/
*** 50+ vulnerabilities found in popular home gateway modems/routers ***
---------------------------------------------
Researcher Gergely Eberhardt with Hungarian security testing outfit SEARCH Laboratory has unearthed over fifty vulnerabilities in five home gateway modems/routers used by Hungarian Cable TV operator UPC Magyarország, but also by many ISPs around the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/home-gateway-modems-vulnerabilit…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a PV guest VM to compromise or crash the host.
---------------------------------------------
https://support.citrix.com/article/CTX214954
*** Low-cost wireless keyboards open to keystroke sniffing and injection attacks ***
---------------------------------------------
Bastille Networks researcher Marc Newlin has discovered a set of security vulnerabilities in low-cost wireless keyboards that could be exploited to collect all passwords, security questions, sensitive personal, bank account and ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/keystroke-sniffing-wireless-keyb…
*** DFN-CERT-2016-1199: Xen: Two vulnerabilities allow, among other things, gaining administrator privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1199/
*** Command and Control Channels Using "AAAA" DNS Records, (Tue, Jul 26th) ***
---------------------------------------------
Data exfiltration and command and control channels via DNS are nothing new exactly. In many ways, DNS is an ideal covert channel. Even well-protected systems usually can connect to a recursive name server that will forward queries ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21301
*** DFN-CERT-2016-1200: Moodle: Multiple vulnerabilities allow, among other things, the disclosure of information ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1200/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-07-2016 18:00 − Monday 25-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Free decryption tools take on eleven ransomware trojans ***
---------------------------------------------
AVG and Trend Micro have updated their free tools, with which victims of various encryption trojans may be able to regain access to their data.
---------------------------------------------
http://heise.de/-3277015
*** PowerWare Ransomware Masquerades as Locky to Intimidate Victims ***
---------------------------------------------
PowerWare ransomware spoofs Locky malware family in an attempt to scare victims into paying up.
---------------------------------------------
http://threatpost.com/ransomware-powerware-masquerades-as-locky-to-intimida…
*** Cross-platform malware Adwind infects Mac ***
---------------------------------------------
We examine a cross-platform malware with a Mac payload and found the hackers behind it really didn't put that much effort into making it work on the Mac.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malwar…
*** Kovter becomes almost file-less, creates a new file type, and gets some new certificates ***
---------------------------------------------
Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter's persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-f…
*** It Is Our Policy, (Sat, Jul 23rd) ***
---------------------------------------------
How many times have you heard someone say out loud "our security policy requires..."? Many times we hear and are sometimes even threatened with the security policy. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons. I regularly get the question, "How many security policies should I have?" My response is often found by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21293&rss
*** Nemucod dot dot..WSF ***
---------------------------------------------
The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension. It is a variation of what has been observed since last year (2015) - the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file,...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/
*** Europol wants to help victims of internet extortion ***
---------------------------------------------
With the website nomoreransom.org, Europol wants to help victims of crypto trojans regain access to their data.
---------------------------------------------
http://futurezone.at/digital-life/europol-will-opfern-von-internet-erpressu…
*** Stealing Bitcoin With Math - HOPE XI ***
---------------------------------------------
by Filippo Valsorda Published July 23, 2016 in Programming
Explaining Bitcoin and attacks old and new.
WARNING: contains more than 15 math formulas.
---------------------------------------------
https://speakerdeck.com/filosottile/stealing-bitcoin-with-math-hope-xi
*** Bypassing UAC on Windows 10 using Disk Cleanup ***
---------------------------------------------
Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control [...]. Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. [...] The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file...
---------------------------------------------
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cle…
*** Researchers discover 110 snooping Tor nodes ***
---------------------------------------------
In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 "misbehaving" and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network. What's an HSDir? An HSDir is a Tor node that receives descriptors for hidden services - servers configured to receive inbound connections only through Tor, meaning their IP address and network location remains hidden - and, upon request, directs users to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/25/snooping-tor-nodes/
*** DSA-3625 squid3 - security update ***
---------------------------------------------
Several security issues have been discovered in the Squid caching proxy.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3625
*** DSA-3626 openssh - security update ***
---------------------------------------------
Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users' passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3626
*** DSA-3627 phpmyadmin - security update ***
---------------------------------------------
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3627
*** [2016-07-25] Multiple vulnerabilities in Micro Focus (Novell) Filr appliance ***
---------------------------------------------
The Micro Focus (Novell) Filr Appliance contains several vulnerabilities that, when combined, allow an unauthenticated attacker to execute arbitrary system commands as the user "root" or allow an authenticated attacker to hijack user and administrator sessions.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** Filr 2.0 - Security Update 2 ***
---------------------------------------------
Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 2.0.0 appliances including updated Java applets.
Document ID: 5250090
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: Filr-2.0.0.465.HP.zip (204.82 MB), preinstall-filr20su2.zip (409 bytes), Search-2.0.0.414.HP.zip (24.96 MB), MySQL-2.0.0.195.HP.zip (24.2 MB)
Products: Filr 2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=3V-3ArYN85I~
*** Filr 1.2 - Security Update 3 ***
---------------------------------------------
Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 1.2 appliances including updated Java applets.
Document ID: 5250470
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: MySQL-1.2.0.416.HP.zip (11 kB), Filr-1.2.0.871.HP.zip (153.52 MB), Search-1.2.0.1008.HP.zip (11.04 kB)
Products: Filr 1.2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=BOTiHcBFfv0~
*** Bugtraq: CA20160721-01: Security Notice for CA eHealth ***
---------------------------------------------
CA20160721-01: Security Notice for CA eHealth
---------------------------------------------
http://www.securityfocus.com/archive/1/538982
*** Vuln: Objective Systems ASN1C CVE-2016-5080 Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/91836
*** Vulnerability in Objective Systems ASN1C Compiler Affecting Cisco Products ***
---------------------------------------------
A vulnerability in the ASN1C compiler by Objective Systems affects Cisco ASR 5000 devices running StarOS and Cisco Virtualized Packet Core (VPC) systems. The vulnerability could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or potentially execute arbitrary code.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Linux kernel affects PowerKVM (CVE-2016-3044) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023969
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ImageMagick affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023934
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ntp affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023885
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in PCRE affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023886
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in lcms affects PowerKVM (CVE-2013-7455) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023876
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Storage Manager Administration Center (CVE-2016-4560) ***
http://www.ibm.com/support/docview.wss?uid=swg21985483
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Monitoring for Tivoli Storage Manager Server (CVE-2016-4560) ***
http://www.ibm.com/support/docview.wss?uid=swg21984949
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-07-2016 18:00 − Friday 22-07-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** 15 Vulnerabilities in SAP HANA Outlined ***
---------------------------------------------
SAP recently fixed 15 different vulnerabilities that existed in the database management system HANA and subsequent communication channels. The bugs affect 10,000 users running the software.
---------------------------------------------
http://threatpost.com/15-vulnerabilities-in-sap-hana-outlined/119406/
*** IDM 4.5 JDBC Fanout 1.0.1.0 ***
---------------------------------------------
https://download.novell.com/Download?buildid=GfcX9EX05Hs~
*** DSA-3624 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.50. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3624
*** CrypMIC ransomware is a CryptXXX copycat, with a few twists ***
---------------------------------------------
CryptXXX ransomware has a doppelganger - it's called CrypMIC. And the resemblance doesn't appear to be a coincidence.
---------------------------------------------
http://www.scmagazine.com/crypmic-ransomware-is-a-cryptxxx-copycat-with-a-f…
*** Security Notice - Statement on Heap Overflow Vulnerability in Code Generated by Objective Systems ASN1C ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160722-01-…
*** HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option running Apache Commons FileUpload, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option running Apache Commons ..
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05204371
*** US police want to unlock a dead man's smartphone with an artificial finger ***
---------------------------------------------
A US police agency wants to unlock a dead man's smartphone using a 3D-printed finger. It hopes this will help catch the smartphone owner's murderer.
---------------------------------------------
http://heise.de/-3276618
*** Security firm Quadsys hacked a competitor ***
---------------------------------------------
Members of the management of a British security firm are said to have hacked the databases of a competing firm in order to obtain customer data. The accused have now admitted this.
---------------------------------------------
http://heise.de/-3276742
*** STARTTLS: No encryption with the SPD ***
---------------------------------------------
The mail provider Posteo has introduced the option to send e-mails only if the destination server offers STARTTLS encryption. In the process, several mail servers stood out for not supporting the long-established encryption standard.
---------------------------------------------
http://www.golem.de/news/starttls-keine-verschluesselung-mit-der-spd-1607-1…
*** Decrypter for Locky-mimicking PowerWare ransomware released ***
---------------------------------------------
Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Dubbed PowerWare by the researchers, the malware adds the “.locky” filename ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/22/powerware-ransomware-decrypter/
*** Celebrity mail accounts hacked: prison sentence for US American ***
---------------------------------------------
A young US American spied on Hollywood stars, among others, by gaining access to more than 360 mail accounts via phishing. He has now been sentenced for it.
---------------------------------------------
http://heise.de/-3276992
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-07-2016 18:00 − Thursday 21-07-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Unified Computing System Performance Manager Input Validation Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unified Computing System (UCS) Performance Manager could allow an authenticated, remote attacker to execute arbitrary commands. The vulnerability is due to insufficient input validation performed on parameters ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SoakSoak Botnets Now Pushing Neutrino Exploit Kit and CryptXXX Ransomware ***
---------------------------------------------
Researchers spot SoakSoak botnets spreading the Neutrino Exploit Kit, which in turn infects the unsuspecting with the CryptXXX ransomware.
---------------------------------------------
http://threatpost.com/soaksoak-botnets-now-pushing-neutrino-exploit-kit-and…
*** Everyone's favorite infosec biz - Blue Coat - must cough up $40m to rival in patent rip-off row ***
---------------------------------------------
From SSL cert blowup to busted infringement appeal. Blue Coat has lost its appeal challenging a nearly $40m patent infringement lawsuit brought by rival security company ..
---------------------------------------------
www.theregister.co.uk/2016/07/20/blue_coat_finjan_lawsuit/
*** Tor Could Protect Your Smart Fridge From Spies and Hackers ***
---------------------------------------------
There's a growing fear that the exploding internet of things - from baby cams to pacemakers - could be a goldmine for spies and criminal hackers alike. Tor could help protect them.
---------------------------------------------
https://theintercept.com/2016/07/20/tor-could-protect-your-smart-fridge-fro…
*** Facebook malware - the missing piece ***
---------------------------------------------
Recently we revealed that threat actors exploited social networks to spread a Trojan that captures a victim's entire browser traffic. Approximately 10,000 Facebook users with Windows PCs were hit by malicious friend notifications. In this article we will explain the security issue and attack.
---------------------------------------------
http://securelist.com/blog/research/75476/facebook-malware-the-missing-piec…
*** Firefox will soon block Flash content ***
---------------------------------------------
Starting with version 48, the dying web technology will be handled more strictly
---------------------------------------------
http://derstandard.at/2000041512429
*** Dell SonicWALL GSM comes with hidden default account ***
---------------------------------------------
While developing new audit modules for the company's vulnerability scanning technology, Digital Defense researchers found six vulnerabilities in Dell's SonicWALL Global Management System, four of them deemed critical. SonicWALL GMS is a central control, ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/21/dell-sonicwall-gsm-backdoor/
*** Critical bug: important update for Mac network monitor Little Snitch ***
---------------------------------------------
A bug allows an attacker to outwit the network filter of the Mac software; the newly released version is said to fix the problem. Little Snitch monitors outgoing network connections in Mac OS X.
---------------------------------------------
http://heise.de/-3275508
*** Cisco's Unified Computing System vulnerable to malicious code ***
---------------------------------------------
A critical security vulnerability exists in the Unified Computing System Performance Manager. Admins should promptly install the available fixed version.
---------------------------------------------
http://heise.de/-3275609
*** Canadian Man Behind Popular 'Orcus RAT' ***
---------------------------------------------
Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce ..
---------------------------------------------
http://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-07-2016 18:00 − Wednesday 20-07-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DDoS trends: Bigger, badder but not longer ***
---------------------------------------------
10Gbps is the new norm, warns Arbor Networks. DDoS attacks once again escalated in both size and frequency during the first six months of 2016.
---------------------------------------------
www.theregister.co.uk/2016/07/19/ddos_sitrep/
*** Critical Patch Update - July 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
*** Solaris Third Party Bulletin - July 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.h…
*** Oracle Linux Bulletin - July 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090…
*** Oracle VM Server for x86 Bulletin - July 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-309054…
*** ASN.1 Anyone? CVE-2016-5080, (Tue, Jul 19th) ***
---------------------------------------------
*Queue Back to the Future Music* Over more than a decade ago there was a major discovery in ASN.1 that contributed to arguably one of the worst vulnerabilities in a long time. Fast forward *Queue awful fast forward tape music* to ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21277
*** WordPress admin? Thinking of spending time with the family? Think again ***
---------------------------------------------
P0wnage party pops plugins, providing plenty of party-pooping projects. The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms.
---------------------------------------------
www.theregister.co.uk/2016/07/20/wordpress_admin_thinking_of_spending_time_…
*** Flaws found in security products from AVG, Symantec and McAfee ***
---------------------------------------------
Patch frenzy imminent, say researchers, thanks to bad use of code hooking. Hundreds of security products may not be up to the job, researchers say, thanks to flawed uses of code hooking.…
---------------------------------------------
www.theregister.co.uk/2016/07/20/hooks_cooked_hackers_crack_tonnes_of_secur…
*** Ruining the Magic of Magento's Encryption Library ***
---------------------------------------------
Let's look at how Magento implements cryptography, with a series of exhibits followed by an explanation of what's happening and why it's dangerous: ... If you looked at the code, I promise this is every bit as bad as it looks at a glance.
---------------------------------------------
http://www.openwall.com/lists/oss-security/2016/07/19/3
*** Hackers Allegedly Steal 1.4M Passwords From Mac Forums, Web Hosting Talk ***
---------------------------------------------
A hacker or hackers has allegedly stolen more than 1.4 million passwords, email addresses, and other data from the databases of popular forums including Web Hosting Talk, Mac Forums and HotScripts.
---------------------------------------------
https://motherboard.vice.com/read/hackers-allegedly-steal-14m-passwords-fro…
*** DNSSEC key rollover 2017: preparations are under way ***
---------------------------------------------
Anyone who thinks on 11 October 2017 that their internet is broken should ask their provider whether it has to do with the DNSSEC key rollover. That date is still some way off, but preparations are in full swing.
---------------------------------------------
http://heise.de/-3273136
*** ICS Security Training In London ***
---------------------------------------------
SANS ICS London takes place on September 19-25th, at the Grand Connaught Rooms. - Attend the one-day European ICS Security Summit on Monday 19th September. - Take ICS515: ICS Active Defence and Incident Response - a 5-day course, ..
---------------------------------------------
https://www.sans.org/event/ics-london-2016
*** Vtiger CRM does not properly restrict access to application data ***
---------------------------------------------
http://jvn.jp/en/jp/JVN01956993/
*** WordPress plugin "Nofollow Links" vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN13582657/
*** Petya Ransomware Analysis Part I ***
---------------------------------------------
What makes Petya a special ransomware is that it doesn’t aim to encrypt each file individually, but aims for low-level disk encryption. In this series, we’ll be looking ..
---------------------------------------------
http://resources.infosecinstitute.com/petya-ransomware-analysis-part-i/
*** Record quarterly update: Oracle fixes 276 security vulnerabilities in its products ***
---------------------------------------------
Most of the vulnerabilities are in Fusion Middleware and the Sun System Products Suite. But Java SE is also vulnerable and receives security updates.
---------------------------------------------
http://heise.de/-3273522
*** Fake Bank Austria e-mails and phishing apps in circulation ***
---------------------------------------------
Using fake Bank Austria messages or the phishing app "Bank Austria SmsSecurity", criminals try to obtain the login credentials of the company's customers. Their aim is to carry out transactions at other people's expense and enrich themselves.
---------------------------------------------
https://www.watchlist-internet.at/phishing/unechte-bank-austria-mails-und-p…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-07-2016 18:00 − Tuesday 19-07-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Third time (un)lucky – improved Petya is out ***
---------------------------------------------
So far, we dedicated several articles to the interesting, low-level ransomware called Petya, hijacking the boot sector. Each of those versions was using Salsa20 algorithm to encrypt Master File Table and make disk inaccessible. However, ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-im…
*** DSA-3622 python-django - security update ***
---------------------------------------------
It was discovered that Django, a high-level Python web development framework, is prone to a cross-site scripting vulnerability in the admin's add/change related popup.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3622
*** World-Check terror suspect DB hits the web at just US$6750 ***
---------------------------------------------
Last month's borked Couchdb breach delivers more pain to Thomson Reuters. The World-Check database that lists "heightened risk individuals and organizations" is reportedly up for sale on the dark web.
---------------------------------------------
www.theregister.co.uk/2016/07/19/6750_buys_you_22_million_worldcheck_citize…
*** Carbanak Gang Tied to Russian Security Firm? ***
---------------------------------------------
Among the more plunderous cybercrime gangs is a group known as "Carbanak," Eastern European hackers blamed for stealing more than a billion dollars from banks. Today ..
---------------------------------------------
http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-f…
*** Eavesdropping attack: Juniper network devices accepted self-signed certificates ***
---------------------------------------------
Juniper has fixed a bug in its operating system Junos OS that bypassed the signature verification of certificates.
---------------------------------------------
http://heise.de/-3270285
*** Apple updates all of its operating systems ***
---------------------------------------------
iOS 9.3.3, OS X El Capitan 10.11.6, watchOS 2.2.2 and tvOS 9.2.2 are available for download and fix bugs ahead of the next major update.
---------------------------------------------
http://heise.de/-3270059
*** Malware History: Code Red ***
---------------------------------------------
Fifteen years (5479 days) ago… Code Red hit its peak. An infamous computer worm, Code Red exploited a vulnerability in Microsoft Internet Information Server (IIS) to propagate. Infected servers displayed the following ..
---------------------------------------------
https://labsblog.f-secure.com/2016/07/19/malware-history-code-red/
*** Cross-Site Scripting in third party library mso/idna-convert ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-third-party-library-…
*** Cross-Site Scripting vulnerability in typolinks ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-vulnerability-in-typoli…
*** SQL Injection in TYPO3 Frontend Login ***
---------------------------------------------
https://typo3.org/news/article/sql-injection-in-typo3-frontend-login/
*** Cross-Site Scripting in TYPO3 Backend ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-typo3-backend-1/
*** Pokémon Go: security researchers find 215 fake apps ***
---------------------------------------------
Dangerous copycat apps that have nothing in common with Pokémon Go apart from the name are said to be lurking in various Android app stores. In the worst case they spy on devices.
---------------------------------------------
http://heise.de/-3270676
*** Long lasting Magnitude EK malvertising campaign not affected by slowdown in EK activity ***
---------------------------------------------
We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. Despite a global slowdown in ..
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/07/long-lasting-magn…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-07-2016 18:00 − Monday 18-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** New Realstatistics Attack Vector Compromising Joomla Sites ***
---------------------------------------------
Over the past few weeks we’ve seen a large number of Joomla websites compromised with the Realstatistics malware campaign. This mass infection is still evolving and continues ..
---------------------------------------------
https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromisi…
*** Security Advisory - Input Validation Vulnerabilities in Camera Driver of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160716-…
*** Two million user records stolen from the Ubuntu forum ***
---------------------------------------------
The internet forum of the Linux distribution Ubuntu was hacked. Two million user records were stolen in the process. Passwords are said not to be affected.
---------------------------------------------
http://futurezone.at/digital-life/zwei-millionen-nutzerdaten-vom-ubuntu-for…
*** Old Trillian forum server hacked, a good three million user records taken ***
---------------------------------------------
A server belonging to the operators of the instant messenger Trillian, which hosted the support forum and blog for archival purposes, has been hacked. A few million user records fell into the wrong hands. The actual messenger service is not affected.
---------------------------------------------
http://heise.de/-3269058
*** OWASP just posted AppSecEU 16 videos. Here's the playlist for those interested. ***
---------------------------------------------
https://www.youtube.com/watch?v=qrTShcOW8kM&list=PLpr-xdpM8wG-Kf1_BOnT2LFZU…
*** OpenSSH has user enumeration bug ***
---------------------------------------------
Blowfish is faster than SHA256, and that's a problem when servers talk back. A bug in OpenSSH allows an ..
---------------------------------------------
www.theregister.co.uk/2016/07/17/openssh_has_user_enumeration_bug/
*** Extortion trojan watches until crims find you doing something dodgy ***
---------------------------------------------
And then the extortion starts and you're asked to steal critical data. A newly-detected piece of malware dubbed "Delilah" has been fingered as probably the first such code created ..
---------------------------------------------
www.theregister.co.uk/2016/07/18/first_insider_theft_extortion_trojan_found/
*** Security firm clarifies power-station SCADA malware claim ***
---------------------------------------------
It's not the next Stuxnet, says SentinelOne, it's just very naughty code. Malware hyped as aimed at the heart of power plants is nothing of the sort according to security ..
---------------------------------------------
www.theregister.co.uk/2016/07/18/firm_calls_bullshit_on_scada_malware/
*** Understanding Electronic Control Units (ECUs) in Connected Automobiles and How They Can Be Hacked ***
---------------------------------------------
Before you read any further, I must caution you that the weaknesses described in this article impact multiple ECUs on the market today and therefore have had all identifiers, such as references to specific automobile and ECU ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/understanding-electron…
*** Online banking: users had access to other people's accounts ***
---------------------------------------------
It is a horror scenario for many customers: a stranger is suddenly looking at their bank account. That has now happened at Comdirect, because of a technical glitch.
---------------------------------------------
http://futurezone.at/digital-life/online-banking-user-hatten-zugriff-auf-fr…
*** Critical security vulnerability in CGI environments (Apache, IIS, ...) ***
---------------------------------------------
A design flaw has been found in various implementations of the CGI standard that can have serious consequences for the security of web servers. CERT.at therefore asks that the following notes be observed.
---------------------------------------------
https://cert.at/warnings/all/20160718.html
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-07-2016 18:00 − Friday 15-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Ransomware trojan: Locky now also works offline ***
---------------------------------------------
A new version of the Locky ransomware can now also encrypt computers without an internet connection. The offline variant does at least have one small advantage for victims.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-locky-kann-jetzt-auch-offline-…
*** Untangling Kovter's persistence methods ***
---------------------------------------------
Kovter is a click-fraud malware famous for the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult. In this post we will take a deep dive into the techniques used by its latest samples to see all the elements and...
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
*** Security Best Practices for Azure App Service Web Apps, Part 5 ***
---------------------------------------------
Microsoft's Azure App Service is a fully managed platform as a service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. Despite the ease of using Azure, developers need to keep security in mind because Azure will not take care of every aspect of security. In our first...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/azure-app-service-web-apps-security-be…
*** Reverse engineering DUBNIUM - Stage 2 payload analysis ***
---------------------------------------------
Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dub…
*** Oracle Critical Patch Update Pre-Release Announcement - July 2016 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2016, which will be released on Tuesday, July 19, 2016.
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
*** Spyware: Maxthon browser sends critical data to China ***
---------------------------------------------
Researchers have discovered that the alternative browser Maxthon sends security-relevant user data to a server in Beijing. The data would be very well suited for targeted attacks. And it is only poorly protected against third parties.
---------------------------------------------
http://www.golem.de/news/spaehsoftware-maxthon-browser-sendet-sensible-date…
*** Power plant control systems unprotected on the net ***
---------------------------------------------
Journalists have found more than 100 systems - control units for power plants, private homes and industrial facilities - that are reachable on the net without protection, including in Austria.
---------------------------------------------
http://futurezone.at/digital-life/steueranlagen-von-kraftwerken-ungeschuetz…
*** Neutrino EK picks up momentum in recent attacks ***
---------------------------------------------
The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Angler's continue to point to Neutrino including a large malvertising attack on top adult sites we detected a few days ago.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/07/neutrino-ek-picks-up-momen…
*** Debian Security Advisory DSA-3618-1 - php5 security update ***
---------------------------------------------
CVE ID: CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772 CVE-2016-5773 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.23, which includes additional bug fixes.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00196.html
*** DFN-CERT-2016-1140: FortiManager, FortiAnalyzer: A vulnerability allows a cross-site scripting attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1140/
*** F5 Security Advisories ***
---------------------------------------------
*** sol53084033: OpenSSL vulnerability CVE-2016-2178 ***
An attacker could trigger an exploit using a timing side-channel attack to discover a DSA private key.
https://support.f5.com/kb/en-us/solutions/public/k/53/sol53084033.html?ref=…
---------------------------------------------
*** sol04054286: Linux kernel TCP vulnerability CVE-2016-2070 ***
Successful exploitation of this vulnerability leads to a denial-of-service (DoS) attack, due to a divide-by-zero error which causes the system to stop responding. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/04/sol04054286.html?ref=…
---------------------------------------------
*** sol05125306: glibc vulnerability CVE-2016-1234 ***
This vulnerability may allow a context-dependent attacker to cause a denial of service (DoS) via a long name. Product/Versions known to be vulnerable: Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/05/sol05125306.html?ref=…
---------------------------------------------
*** sol23873366: OpenSSL vulnerability CVE-2016-2177 ***
This vulnerability may allow remote attackers to cause a denial-of-service (DoS) attack.
https://support.f5.com/kb/en-us/solutions/public/k/23/sol23873366.html?ref=…
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Meeting Server Persistent Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Administrator Interface Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Administrator Interface SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985858
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM JRE and WebSphere Application Server shipped with IBM Tivoli Service Automation Manager (CVE-2016-3426, CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000148
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates April 2016 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985875
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984732
---------------------------------------------
*** IBM Security Bulletin: A cross-site scripting vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager Version 9 (CVE-2015-7417) ***
http://www.ibm.com/support/docview.wss?uid=swg21987056
---------------------------------------------
*** ICS-CERT Advisories ***
---------------------------------------------
*** Schneider Electric Pelco Digital Sentry Video Management System Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-01
---------------------------------------------
*** Moxa MGate Authentication Bypass Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-02
---------------------------------------------
*** Schneider Electric SoMachine HVAC Unsafe ActiveX Control Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-03
---------------------------------------------
*** Philips Xper-IM Connect Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01
---------------------------------------------
*** Advantech WebAccess ActiveX Vulnerabilities (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-07-2016 18:00 − Thursday 14-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Troldesh ransomware influenced by (the) Da Vinci code ***
---------------------------------------------
We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family. Ransomware, like most malware, is constantly trying to change itself in...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-inf…
*** The Power of Web Shells, (Wed, Jul 13th) ***
---------------------------------------------
[Warning: this diary contains many pictures and may take some time to load on slow links] Web shells are not new in the threats landscape. A web shell is a script (written in PHP, ASL, Perl, ... - depending on the available environment) that can be uploaded to a web server to enable remote administration. If web shells are usually installed for good purposes, many of them are installed on compromised servers. Once in place, the web shell will allow a complete takeover of the victim's server but it...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21257&rss
*** PCI for SMB - Requirement 2- Do Not Use Defaults ***
---------------------------------------------
In this series of articles, we talk about PCI and how it affects SMBs (small/medium sized businesses) that are going through the compliance process using the PCI SAQs (Self Assessment Questionnaires).
---------------------------------------------
https://blog.sucuri.net/2016/07/pci-for-smb-requirement-2-do-not-use-defaul…
*** Beware of ws-xmlrpc library in your Java App ***
---------------------------------------------
Apache XML-RPC is an XML-RPC library for Java. XML-RPC is a protocol for making remote procedure calls via HTTP with the help of XML. Apache XML-RPC can be used on the client's side to make XML-RPC calls as well as on the server's side to expose some functionality via XML-RPC. The ws-xmlrpc library is no longer supported by Apache. The last version is 3.1.3, which was released in 2013. However, many applications still use the ws-xmlrpc library. Among them are Apache Continuum and Apache Archiva.
---------------------------------------------
https://0ang3el.blogspot.co.at/2016/07/beware-of-ws-xmlrpc-library-in-your.…
*** Join ENISA study on cloud security and eHealth ***
---------------------------------------------
ENISA, using its prior knowledge on cloud security, launches a study on cloud and eHealth.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/join-enisa-study-on-cloud-secur…
*** DLL Hijacking Attacks Revisited ***
---------------------------------------------
This article is all about the different DLL hijacking attack techniques used by malware to achieve persistence. We will be discussing DLL search order hijacking, DLL side loading, and phantom DLL hijacking techniques. Also, we will see how we can detect and prevent DLL hijacking attacks. What is DLL hijacking? DLL provide common code...
---------------------------------------------
http://resources.infosecinstitute.com/dll-hijacking-attacks-revisited/
*** Github Engineering: SYN Flood Mitigation with synsanity ***
---------------------------------------------
In an effort to reduce the impact of these attacks, we began work on a series of additional mitigation strategies and systems to better prepare us for a future attack of a similar nature. Today we're sharing our mitigation for one of the attacks we received: synsanity, a SYN flood DDoS mitigation module for Linux 3.x.
---------------------------------------------
http://githubengineering.com/syn-flood-mitigation-with-synsanity/
*** The Value of a Hacked Company ***
---------------------------------------------
Most organizations only grow in security maturity the hard way -- that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization's overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.
---------------------------------------------
http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/
*** Warning about the encryption software "Cerber" ***
---------------------------------------------
[...] The ransomware "Cerber" is currently being distributed via fake job applications. The perpetrators respond to job postings on the internet and send the malicious code in the attached files, which are disguised as a résumé, for example. This lends their emails increased plausibility and credibility. When the file is opened, the malicious code is executed or downloaded from the internet. Subsequently, data on all computers and drives located in the network is encrypted.
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/C4_Newsletter_Ransomware_Cerber.pdf
*** LibTIFF Buffer Index Error in TIFFReadRawStrip1() and TIFFReadRawTile1() Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036300
*** Bugtraq: [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538900
*** Bugtraq: [ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538901
*** Bugtraq: [ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538902
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect StoredIQ (CVE-2016-2107) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by StoredIQ. StoredIQ has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): StoredIQ v7.6 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21985359 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/112854
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21985359
*** IBM Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427) ***
---------------------------------------------
The IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by a JMX component security vulnerability that exists in IBM SDK Java Technology Edition and IBM WebSphere Application Server. This issue was disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3427 Affected product(s) and affected...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21986797
*** IBM Security Bulletin: IBM Traveler installer impacted by vulnerability in InstallAnywhere (CVE-2016-2542) ***
---------------------------------------------
IBM Traveler installer utilizes a version of Flexera InstallAnywhere which could allow a local attacker to gain elevated privileges on the system. CVE(s): CVE-2016-2542 Affected product(s) and affected version(s): IBM Traveler 8.5.3 IBM Traveler 9.0 IBM Traveler 9.0.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21984632 X-Force Database:
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21984632
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manager for Software Use Analysis v2.2 (CVE-2016-4560) ***
---------------------------------------------
A vulnerability in InstallAnywhere on Windows systems affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manager for Software Use Analysis v2.2. CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM License Metric Tool v7.5 & v7.2.2 IBM Tivoli Asset Discovery for Distributed IBM Endpoint Manager for Software...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983503
*** USN-3032-1: eCryptfs vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-3032-1 14th July, 2016 ecryptfs-utils vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Summary eCryptfs could be made to expose sensitive information. Software description ecryptfs-utils - eCryptfs cryptographic filesystem utilities Details It was discovered that eCryptfs incorrectly configured the encrypted swap partition for certain drive types. An attacker could use this issue to discover sensitive...
---------------------------------------------
http://www.ubuntu.com/usn/usn-3032-1/
*** VU#665280: Accela Civic Platform Citizen Access portal contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#665280 Accela Civic Platform Citizen Access portal contains multiple vulnerabilities Original Release date: 13 Jul 2016 | Last revised: 13 Jul 2016 Overview Accela Civic Platform Citizen Access portal contains cross-site scripting and arbitrary file upload vulnerabilities. Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - CVE-2016-5660 Accela Civic Platform Citizen Access portal contains a cross-site scripting (XSS)
---------------------------------------------
http://www.kb.cert.org/vuls/id/665280
*** Cisco ASR 5000 Series SNMP Community String Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS XR Software Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS XR for NCS 6000 Packet Timer Leak Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-040 Project: RESTful Web Services (third-party module) Version: 7.x Date: 2016-July-13 Security risk: 22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All Vulnerability: Arbitrary PHP code execution Description This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially...
---------------------------------------------
https://www.drupal.org/node/2765567
*** Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-039 Project: Coder (third-party module) Version: 7.x Date: 2016-July-13 Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All Vulnerability: Arbitrary PHP code execution Description The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules. The module doesn't sufficiently validate user inputs in a script file that has...
---------------------------------------------
https://www.drupal.org/node/2765575
*** Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-038 Project: Webform Multiple File Upload (third-party module) Version: 7.x Date: 2016-July-13 Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default Vulnerability: Arbitrary PHP code execution Description The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a...
---------------------------------------------
https://www.drupal.org/node/2765573
*** sol08440897: Linux kernel vulnerability CVE-2016-0774 ***
---------------------------------------------
Impact: A local unprivileged user may be able to leak kernel memory to user space or cause a denial-of-service (DoS).
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/08/sol08440897.html?ref=…
*** sol55181425: Wget vulnerability CVE-2016-4971 ***
---------------------------------------------
Impact: An attacker with local access may be able to upload arbitrary files to the system. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/55/sol55181425.html?ref=…
*** sol55922302: XSS in F5 WebSafe Dashboard vulnerability CVE-2016-5236 ***
---------------------------------------------
Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard allow a privileged authenticated user to inject arbitrary web script or HTML when creating a new user, account or signature. (CVE-2016-5236)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/55/sol55922302.html?ref=…
*** Juniper Security Advisories ***
---------------------------------------------
*** JSA10751 - 2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to in-transit traffic may trigger high CP (central point) utilization leading to denial of services. (CVE-2016-1276) ***
http://kb.juniper.net/index?page=content&id=JSA10751&actp=RSS
---------------------------------------------
*** JSA10758 - 2016-07 Security Bulletin: Junos: Crafted UDP packet can lead to kernel crash on 64-bit platforms (CVE-2016-1263) ***
http://kb.juniper.net/index?page=content&id=JSA10758&actp=RSS
---------------------------------------------
*** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-0590) ***
http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS
---------------------------------------------
*** JSA10755 - 2016-07 Security Bulletin: Junos: Self-signed certificate with spoofed trusted Issuer CN accepted as valid (CVE-2016-1280) ***
http://kb.juniper.net/index?page=content&id=JSA10755&actp=RSS
---------------------------------------------
*** JSA10754 - 2016-07 Security Bulletin: Junos J-Web: Privilege Escalation due to information leak (CVE-2016-1279) ***
http://kb.juniper.net/index?page=content&id=JSA10754&actp=RSS
---------------------------------------------
*** JSA10750 - 2016-07 Security Bulletin: Junos: mbuf leak when flooding new IPv6 MAC addresses received via VPLS instances (CVE-2016-1275) ***
http://kb.juniper.net/index?page=content&id=JSA10750&actp=RSS
---------------------------------------------
*** JSA10753 - 2016-07 Security Bulletin: SRX Series: Upgrades using partition option may allow unauthenticated root login (CVE-2016-1278) ***
http://kb.juniper.net/index?page=content&id=JSA10753&actp=RSS
---------------------------------------------
*** JSA10752 - 2016-07 Security Bulletin: Junos: Kernel crash with crafted ICMP packet (CVE-2016-1277) ***
http://kb.juniper.net/index?page=content&id=JSA10752&actp=RSS
---------------------------------------------
*** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-1436) ***
http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-07-2016 18:00 − Wednesday 13-07-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** VU#123799: libbpg contains a type confusion vulnerability that leads to out of bounds write ***
---------------------------------------------
Vulnerability Note VU#123799 libbpg contains a type confusion vulnerability that leads to out of bounds write Original Release date: 12 Jul 2016 | Last revised: 12 Jul 2016 Overview libbpg is a library for the BPG graphics format. libbpg 0.9.5 through 0.9.7 may allow a crafted file to write out-of-bounds, which may lead to denial of service or arbitrary code execution. Description CWE-787: Out-of-bounds Write - CVE-2016-5637 According to the reporter, improper checking of...
---------------------------------------------
http://www.kb.cert.org/vuls/id/123799
*** MSRT July 2016 - Cerber ransomware ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features. We started seeing Cerber in February...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/12/msrt-july-2016-cerber-r…
*** Tollgrade Smart Grid EMS LightHouse Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s Smart Grid LightHouse Sensor Management System Software EMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-194-01
*** GE Proficy HMI SCADA CIMPLICITY Privilege Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an improper privilege management vulnerability and recently released exploit code for the GE Proficy HMI/SCADA CIMPLICITY application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-194-02
*** Hunting for Malicious Files with MISP + OSSEC, (Tue, Jul 12th) ***
---------------------------------------------
A few months ago, I wrote a diary called Unity Makes Strength which was illustrated with an example of integration between a malware analysis solution and a next-generation firewall. The goal is to increase the ability to block malicious traffic as soon as possible. Today, I'd like to explain how to improve the detection of malware on Windows computers thanks to the integration of MISP and OSSEC. I already presented the Malware Information Sharing Platform in another diary. About OSSEC, in a few...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21251&rss
*** Patch day: Microsoft plugs holes in Windows, Office and SecureBoot ***
---------------------------------------------
Microsoft has released eleven security updates for its products. Most of them are rated critical and allow attackers from the network to execute their own malicious code at will.
---------------------------------------------
http://heise.de/-3265524
*** Securing Smart Cars - Join ENISA study and workshop ***
---------------------------------------------
ENISA is currently performing a study on cyber security measures for smart cars and earlier this year launched the ENISA CaRSEC (Cars and Roads SECurity) expert group.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/securing-smart-cars-join-enisa-…
*** Security Advisory - Input Validation Vulnerability in Huawei Routers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-…
*** Security Advisory - Input Validation Vulnerability in WiFi Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-…
*** Security Advisory - Input Validation Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-…
*** Drupal: Patch released today to fix a highly critical RCE in contributed modules, (Wed, Jul 13th) ***
---------------------------------------------
Drupal announced that they will release today (Wed July 13th 2016 16:00 UTC) a patch that will fix highly critical remote code execution vulnerabilities in contributed modules. Drupal core is not affected. The vulnerability is a PHP Arbitrary Code Execution and is rated up to 22/25 (based on risk calculation model used by Drupal - details here). The vulnerable modules are used on between 1.000 and 10.000 instances. If you maintain one or more Drupal websites, review the list of affected...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21255&rss
*** IBM Security Bulletin: IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321) ***
---------------------------------------------
IBM Personal Communications is susceptible to unauthorized access vulnerability when running on a compromised system (by the victim opening a mail with a malicious attachment or visiting a malicious website). Malware could run with user privileges but not necessarily having access to the password. An attacker could retrieve user credentials by running PowerShell Script and...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981692
*** Using the Java Security Manager in Enterprise Application Platform 7 ***
---------------------------------------------
JBoss Enterprise Application Platform 7 allows the definition of Java Security Policies per application. The way it's implemented means that we'll also be able to define security policies per module, in addition to defining one per application. The ability to apply the Java Security Manager per application, or per module in EAP 7, makes it a versatile tool in the mitigation of serious security issues, or useful for applications with strict security requirements. The main difference between EAP 6,...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2276521
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 11-07-2016 18:00 − Tuesday 12-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security updates available for Adobe Flash Player (APSB16-25) ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Platform: Windows, Macintosh, Linux and ChromeOS
---------------------------------------------
https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
*** Bugtraq: Persistent Cross-Site Scripting in WP Live Chat Support plugin ***
---------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WP Live Chat Support plugin. By using this vulnerability an attacker
can supply malicious code on behalf of a logged on WordPress user in
order to perform a wide variety of actions, such as stealing victims'
session tokens or login credentials, performing arbitrary actions on
their behalf, and logging their keystrokes.
---------------------------------------------
http://www.securityfocus.com/archive/1/538871
*** Serious flaw fixed in widely used WordPress plug-in ***
---------------------------------------------
If you're running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site's admin account. The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website. The Bot Blocker feature is designed to detect and block spam bots based
---------------------------------------------
http://www.csoonline.com/article/3093379/security/serious-flaw-fixed-in-wid…
*** Hiding in White Text: Word Documents with Embedded Payloads, (Wed, Jul 6th) ***
---------------------------------------------
This is a guest diary by Yaser Mansour. Due to the extensive use of images, please note that all the images are clickable to view them at full size. A PDF version of this diary is available here. Malicious macros in Office documents are not new, and several samples have been analyzed here at the ISC Diary website. Usually, the macro script is used to drop the second stage malware either by reaching to the internet or by extracting a binary embedded in the Office document itself.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21227&rss
*** Jigsaw Ransomware Decrypted, Again ***
---------------------------------------------
Jigsaw ransomware's encryption has been thwarted by Check Point researchers who discovered a fatal flaw.
---------------------------------------------
http://threatpost.com/jigsaw-ransomware-decrypted-again/119186/
*** [RCESEC-2016-003][CVE-2016-4469] Apache Archiva 1.3.9 Multiple Cross-Site Request Forgeries ***
---------------------------------------------
The application basically offers a Cross-Site Request Forgery protection using a Struts-based token called "token". While many administrative functionalities like adding new users are protected in this way, the following HTTP POST-based functions are missing this token and are therefore vulnerable to CSRF:
---------------------------------------------
http://www.securityfocus.com/archive/1/538877
*** [security bulletin] HPSBHF03608 rev.1 - HPE iMC PLAT and other Network Products using Apache Java Commons Collection (ACC), Remote Execution of Arbitrary Code ***
---------------------------------------------
Potential Security Impact: Remote Execution of Arbitrary Code VULNERABILITY SUMMARY: A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed by HPE iMC PLAT and other network products. The vulnerability could be exploited remotely to allow execution of arbitrary code.
---------------------------------------------
http://www.securityfocus.com/archive/1/538880
*** SSA-301706 (Last Update 2016-07-12): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** The July 2016 issue of our SWITCH Security Report is available! ***
---------------------------------------------
A new issue of our monthly SWITCH Security Report has just been released.
The topics covered in this report are:
* DAO-ism on the ethereal plane - hacker bags cryptocurrency worth USD 50 million
* Ransomware - smart, greedy and unkillable
* CANVAS ready to launch - bridging cybersecurity and ethics
* US border guards want to be your Facebook friend - and other news on anti-terror measures
The Security Report is available in both English and German.
---------------------------------------------
https://securityblog.switch.ch/2016/07/12/july-2016-issue-switch-security-r…
*** Extortion trojan Ranscam sends data irretrievably into digital nirvana ***
---------------------------------------------
Like any ransomware, Ranscam claims to release all personal data taken hostage after a ransom payment. In this case, however, the masterminds never intended to do so at all, security researchers warn.
---------------------------------------------
http://heise.de/-3265137
*** SFG: Furtim's Parent ***
---------------------------------------------
The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one European energy company.
---------------------------------------------
https://sentinelone.com/blogs/sfg-furtims-parent/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware (CVE-2016-2107 CVE-2016-2176) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099429
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in icu affects IBM Flex System Chassis Management Module (CVE-2014-9654) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099427
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could expose sensitive information produced in log files of certain URLs (CVE-2016-0393) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986053
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities fixed in IBM Security Privileged Identity Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986260
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 08-07-2016 18:00 − Monday 11-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Researchers Develop A Way To Stop Ransomware By Watching The Filesystem ***
---------------------------------------------
An anonymous reader quotes a report from Phys.Org: Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there ...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Z6eYMxY95mo/researchers-dev…
*** BMW's ConnectedDrive is full of holes ***
---------------------------------------------
One of the vulnerabilities concerns the registration of vehicles by means of a vehicle identification number (VIN). The check intended for this can be bypassed, so that configuration data of other vehicles is exposed. This is said to make it possible not only to manipulate playlists, e-mail accounts, driving routes and traffic information, but also to lock and unlock vehicles.
---------------------------------------------
http://heise.de/-3262756
*** Researchers Find Over 6,000 Compromised Redis Installations ***
---------------------------------------------
An anonymous Slashdot reader writes: Security researchers have discovered over 6,000 compromised installations of Redis, the open source in-memory data structure server, among the tens of thousands of Redis servers indexed by Shodan. "By default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/UFahhS2H-bU/researchers-fin…
*** Polycom HDX 7000 Series Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
The web client does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser.
---------------------------------------------
http://www.securitytracker.com/id/1036261
*** Lessons Learned from Industrial Control Systems, (Sun, Jul 10th) ***
---------------------------------------------
However, like many of you, I have certain business-critical systems running on legacy hardware or requiring now-unsupported Operating Systems. These are the systems that you can't patch, or that even if they experience a compromise, you can't immediately shut them down. How do you secure networks with such constraints?
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21243&rss
*** Industrial cybersecurity threat landscape ***
---------------------------------------------
Expansion of the Internet makes ICS easier prey to attackers. The number of ICS components available over the Internet increases every year. Taking into account that initially many ICS solutions and protocols were designed for isolated environments, such availability often provides a malicious user with multiple capabilities to cause impact to the infrastructure behind the ICS due to lack of security controls.
---------------------------------------------
http://securelist.com/analysis/publications/75343/industrial-cybersecurity-…
*** System Management Mode (SMM) BIOS Vulnerability ***
---------------------------------------------
Lenovo Security Advisory: LEN-8324
Potential Impact: Execution of code in SMM by an attacker with local administrative access
Severity: High
Scope of Impact: Industry-wide
Update as of 7/7/2016: The "Product Impact" section below of this advisory has been updated.
---------------------------------------------
https://support.lenovo.com/ch/en/solutions/LEN-8324
*** D-Link announces security patch for several product series ***
---------------------------------------------
Security researchers have discovered a flaw in a D-Link webcam that allows attackers to overwrite the administrator password. The vulnerability is said to threaten further products from the manufacturer as well.
---------------------------------------------
http://heise.de/-3263433
*** Reports of a new wave of extortion using iPhone remote lock ***
---------------------------------------------
Attackers are apparently once again relying on 'Find My iPhone' to lock the device remotely. According to the threat, the iPhone will only be released after payment of a ransom.
---------------------------------------------
http://heise.de/-3263761
*** Cisco Adaptive Security Appliance Access Control List ICMP Echo Request Code Filtering Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Adaptive Security Appliance (ASA) Software implementation of access control list (ACL) permit and deny filters for ICMP Echo Reply messages could allow an unauthenticated, remote attacker to bypass ACL configurations for an affected device. ICMP traffic that should be denied may instead be allowed through an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect Rational Insight ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986564
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect Rational Reporting for Development Intelligence ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986563
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache Tomcat affects Rational Insight (CVE-2015-5174) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986559
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache Tomcat affects Rational Reporting for Development Intelligence (CVE-2015-5174) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986558
---------------------------------------------
*** IBM Security Bulletin: The IBM BigFix Platform has a cross-site scripting vulnerability (CVE-2016-0269) ***
http://www.ibm.com/support/docview.wss?uid=swg21985734
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM Tivoli / Security Directory Server ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986452
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 07-07-2016 18:00 − Friday 08-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Pentesters (and Attackers) Love Internet Connected Security Cameras!, (Wed, Jul 6th) ***
---------------------------------------------
A recent story making the rounds in both the infosec and public press is the recent use of internet-connected security cameras as a base for DDOS attacks. They don't have a lot of CPU, but they're Linux platforms that are easily hackable, never get updated and usually have good bandwidth available to them. This shouldn't come as any surprise to folks who are in the security business, or those who do any kind of a product eval before they plug new gear into their network. I see security cameras on...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21231&rss
*** D-Link Wi-Fi Camera Flaw Extends to 120 Products ***
---------------------------------------------
A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company.
---------------------------------------------
http://threatpost.com/d-link-wi-fi-camera-flaw-extends-to-120-products/1190…
*** Zero-day flaw lets hackers tamper with your car through BMW portal ***
---------------------------------------------
Researchers have disclosed zero-day vulnerabilities affecting the BMW web domain and ConnectedDrive portal which remain unpatched and open to attack. According to researchers from Vulnerability Labs, there are two main bugs both related to the BMW online service web app for ConnectedDrive, the connected car hub for new, internet-connected vehicles produced by the automaker.
---------------------------------------------
http://www.zdnet.com/article/hackers-can-tamper-with-car-registration-throu…
*** CryptXXX, Cryptobit Ransomware Spreading Through Campaign ***
---------------------------------------------
Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains.
---------------------------------------------
http://threatpost.com/cryptxxx-cryptobit-ransomware-spreading-through-campa…
*** BMW ConnectedDrive flaws could be misused to tamper with car settings ***
---------------------------------------------
Security researcher Benjamin Kunz Mejri has found two vulnerabilities in the BMW ConnectedDrive web portal/web application. About the vulnerabilities in BMW ConnectedDrive: The first one is a client-side cross-site scripting web vulnerability that could be exploited by a remote attacker without a privileged account to inject his own malicious script codes to the client-side of the affected module context. Minimal user interaction is needed for this attack to work.
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/08/bmw-connecteddrive-flaws/
*** BSI situation dossier explains crypto trojans ***
---------------------------------------------
In 35 pages, the BSI explains what ransomware is all about, which families are widespread and how, and how to keep the things at bay.
---------------------------------------------
http://heise.de/-3262333
*** Keydnap: Mac malware aims to steal passwords from the keychain ***
---------------------------------------------
Disguised as a harmless file, the malware uses a trick to try to obtain the user's password. With root privileges, Keydnap then goes hunting for the passwords stored in the OS X keychain.
---------------------------------------------
http://heise.de/-3262501
*** 1,025 Wendy's Locations Hit in Card Breach ***
---------------------------------------------
At least 1,025 Wendy's locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendy's had said the breach impacted fewer than 300 locations.
---------------------------------------------
http://krebsonsecurity.com/2016/07/1025-wendys-locations-hit-in-card-breach/
*** Dropping Elephant APT Targets Old Windows Flaws ***
---------------------------------------------
Dropping Elephant, an advanced persistent threat group, is using old exploits to target unpatched versions of Windows in a highly effective cyber espionage campaign.
---------------------------------------------
http://threatpost.com/dropping-elephant-apt-targets-old-windows-flaws/11912…
*** Initiative in the Bundesrat: tougher action against botnet crime ***
---------------------------------------------
Anyone who breaks into a house can be held accountable for trespassing or theft. According to a legislative initiative, anyone who gains access to someone else's computer should expect something similar.
---------------------------------------------
http://heise.de/-3262684
*** Security Advisories Relating to Symantec Products - Symantec Client IDS Driver PE File Memory Corruption Denial of Service ***
---------------------------------------------
Symantec's Client Intrusion Detection System (CIDS) driver may cause a system crash when interacting with a specifically-crafted Portable Executable file.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** Security Advisories Relating to Symantec Products - Symantec Workspace Streaming and Workspace Virtualization Path Traversal and Arbitrary File Read ***
---------------------------------------------
Symantec Workspace Streaming (SWS) and Workspace Virtualization (SWV) management consoles were susceptible to a path traversal in a file download configuration file that could allow a malicious user who could access the vulnerable file to view unauthorized application files of specific file types. An authenticated console user could manipulate this same file to read any file on the host system. This could potentially provide additional information for staging additional attacks on the...
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** WECON LeviStudio Buffer Overflow Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for buffer overflow vulnerabilities in WECON's LeviStudio software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-189-01
*** Moxa Device Server Web Console Authorization Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authorization bypass vulnerability in Moxa's Device Server Web Console.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-189-02
*** Security Advisory - Two Buffer Overflow Vulnerabilities in Wi-Fi Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160708-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects ProtecTIER (CVE-2016-2108) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1007982
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986473
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Oracle Outside In Technology affects IBM Rational DOORS Next Generation (CVE-2016-3455) ***
http://www.ibm.com/support/docview.wss?uid=swg21985994
---------------------------------------------
*** IBM Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985736
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099423
---------------------------------------------
*** IBM Security Bulletin: Vulnerability affects IBM Rational Team Concert GIT Integration (CVE-2016-2865) ***
http://www.ibm.com/support/docview.wss?uid=swg21985865
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Libcurl affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0755) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099424
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM BladeCenter ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099425
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099426
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 06-07-2016 18:00 − Thursday 07-07-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** New Mac backdoor malware: Eleanor ***
---------------------------------------------
This new malware is only the second piece of true Mac malware spotted so far in 2016, with the first being the KeRanger ransomware.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-e…
*** CryptXXX ransomware updated, (Wed, Jul 6th) ***
---------------------------------------------
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21229&rss
*** [webapps] - OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities ***
---------------------------------------------
Several vulnerabilities have been discovered between October 2015 and February 2016. Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages.
In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over.
---------------------------------------------
https://www.exploit-db.com/exploits/40065
*** Realstatistics Malware Campaign Leads To Ransomware ***
---------------------------------------------
Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last 2 weeks (codenamed 'Realstatistics'). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS). We have codenamed the campaign 'Realstatistics' because of the domain being used by the attackers.
---------------------------------------------
https://blog.sucuri.net/2016/07/joomla-wordpress-affected-by-realstatistics…
*** EMC Avamar Backup Restoration Flaw Lets Remote Authenticated Users Read and Delete Files on the Target System ***
---------------------------------------------
A vulnerability was reported in EMC Avamar. A remote authenticated user can read and delete files on the target system.
A remote authenticated user can exploit a flaw in the backup restoration component to read and delete files on the target system.
EMC Avamar Data Store and Avamar Virtual Edition are affected.
---------------------------------------------
http://www.securitytracker.com/id/1036235
*** Android's July security bulletin patches 20 critical flaws ***
---------------------------------------------
Google releases Android security bulletin, providing updates for 89 critical and high severity vulnerabilities affecting software and hardware components including Mediaserver, OpenSSL, BoringSSL, Bluetooth, Qualcomm, and numerous drivers.
---------------------------------------------
http://www.scmagazine.com/androids-july-security-bulletin-patches-20-critic…
*** mimikittenz ***
---------------------------------------------
mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
---------------------------------------------
https://github.com/putterpanda/mimikittenz
*** Acer Portal Android Application - MITM SSL Certificate Vulnerability (CVE-2016-5648) ***
---------------------------------------------
The Acer Portal Android application (version 3.9.3.2006 and below), installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server.
---------------------------------------------
http://www.securityfocus.com/archive/1/538851
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-26) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-26) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, July 12, 2016.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1374
*** Insecure Unserialize in extension "Page path" (pagepath) ***
---------------------------------------------
It has been discovered that the extension "Page path" (pagepath) is susceptible to Insecure Unserialize.
---------------------------------------------
https://typo3.org/news/article/insecure-unserialize-in-extension-page-path-…
*** Cross-Site Scripting in extension "CCDebug" (cc_debug) ***
---------------------------------------------
It has been discovered that the extension "CCDebug" (cc_debug) is susceptible to Cross-Site Scripting.
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-ccdebug-cc…
*** ZDI-16-407: Eaton ELCSoft ELCSimulator Stack Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. Authentication is not required to exploit this vulnerability.
---------------------------------------------
www.zerodayinitiative.com/advisories/ZDI-16-407/
*** ZDI-16-406: Novell NetIQ Sentinel Server ReportViewServlet fileName Directory Traversal Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Novell NetIQ Sentinel Server. Authentication is required to exploit this vulnerability but it can be bypassed using a separate flaw within the LogonFormController.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-406/
*** Cisco Video Communication Server and Expressway Trusted Certificate Authentication Bypass Vulnerability ***
---------------------------------------------
A vulnerability in certificate management and validation for the Mobile and Remote Access (MRA) feature for Cisco Expressway Series and TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to bypass authentication and access internal HTTP system resources.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco AMP Threat Grid Unauthorized Clean IP Access Vulnerability ***
---------------------------------------------
A vulnerability in the virtual network stack of the Cisco AMP Threat Grid Appliance could allow an unauthenticated, remote attacker to access internal interfaces within the appliance.
The vulnerability is due to insufficient isolation between the sandbox and other internal components. An attacker could exploit this vulnerability by submitting a malware sample crafted to exploit this flaw. An exploit could allow the attacker to intercept interprocess calls and allow them to access, modify, and delete information from the system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2015-3195) ***
http://www.ibm.com/support/docview.wss?uid=swg21986312
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Applications are vulnerable to a privilege escalation attack. (CVE-2016-2917) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984304
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985522
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21984496
---------------------------------------------
*** IBM Security Bulletin: Multiple Samba vulnerability issues in IBM Storwize V7000 Unified ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005814
---------------------------------------------
*** IBM Security Bulletin: Multiple Samba vulnerability issue on IBM SONAS. ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005813
---------------------------------------------
*** IBM Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005816
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-5252) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005810
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-7560) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005805
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in openldap2 affects IBM Flex System Chassis Management Module (CVE-2015-6908) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099421
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Release (CVE-2015-5174) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000164
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 05-07-2016 18:00 − Wednesday 06-07-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** EU Parliament adopts cybersecurity law with reporting obligation ***
---------------------------------------------
The European members of parliament have passed the long-disputed draft directive on network and information security. This brings requirements for larger online providers and operators of critical infrastructure.
---------------------------------------------
http://heise.de/-3258129
*** Encryption Bypass Vulnerability Impacts Half of Android Devices ***
---------------------------------------------
More than half of Android devices are vulnerable to encryption bypass attack, say researchers.
---------------------------------------------
http://threatpost.com/encryption-bypass-vulnerability-impacts-half-of-andro…
*** Nasty BIOS bug slugs Gigabyte, hackers say ***
---------------------------------------------
Vendors queue for punishment as ThinkPwn fallout spreads. Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allow attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/07/06/nasty_bios_…
*** HP secures routers against unauthorized access ***
---------------------------------------------
Hewlett Packard Enterprise is providing several network products with security updates for vulnerabilities, some of which are two years old.
---------------------------------------------
http://heise.de/-3256913
*** Security Advisory - Multiple Vulnerabilities in OpenSSL in May 2016 ***
---------------------------------------------
CVE-2016-2108, CVE-2016-2107, CVE-2016-2106, CVE-2016-2105, CVE-2016-2109, CVE-2016-2176
Huawei has released software updates to fix this vulnerability.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160706-…
*** Android app also reveals Wi-Fi passwords of A1 routers ***
---------------------------------------------
The Android app RouterKeygen can also be used to read out Wi-Fi passwords of A1 routers. Old router models from 2011 are affected.
---------------------------------------------
http://futurezone.at/digital-life/android-app-verraet-auch-wlan-passwoerter…
*** Rexroth Bosch BLADEcontrol-WebVIS Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for an SQL injection vulnerability and a cross-site scripting vulnerability in the Rexroth Bosch BLADEcontrol-WebVIS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-187-01
*** "Elanor": Disguised Mac malware steals data and controls webcam ***
---------------------------------------------
Backdoor hides in fake app "EasyDoc", which is offered on download sites
---------------------------------------------
http://derstandard.at/2000040542729
*** Cisco Prime Infrastructure Administrative Web Interface HTML Injection Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the system. ...
Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM SDK for Node.js may be affected by CVE-2016-1669 ***
http://www.ibm.com/support/docview.wss?uid=swg21986383
---------------------------------------------
*** IBM Security Bulletin: IBM SDK for Node.js may be affected by CVE-2014-9748 ***
http://www.ibm.com/support/docview.wss?uid=swg21986384
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in ntp affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems (CVE-2015-5219) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099409
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source NTP Vulnerabilities. ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986167
---------------------------------------------
*** IBM Security Bulletin: Lotus Mail Security Affected By Multiple Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986391
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Apache Xerces-C XML parser affects IBM Cognos Metrics Manager (CVE-2016-0729) ***
http://www.ibm.com/support/docview.wss?uid=swg21986259
---------------------------------------------
*** IBM Security Bulletin: Content Manager OnDemand for Multiplatforms is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729) ***
http://www.ibm.com/support/docview.wss?uid=swg21985363
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Cognos Metrics Manager (CVE-2016-2106, CVE-2016-2107, CVE-2016-2108) ***
http://www.ibm.com/support/docview.wss?uid=swg21977114
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2016-2176) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986313
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for Unix ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986123
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 04-07-2016 18:00 − Tuesday 05-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** EU: 450 million euros for cybercrime research ***
---------------------------------------------
In the fight against cybercrime, the EU Commission intends to make a total of 450 million euros available for research spending by 2020.
---------------------------------------------
http://futurezone.at/digital-life/eu-450-millonen-euro-fuer-cyberkriminalit…
*** Word hole patched in 2012 is unchallenged king of Office exploits ***
---------------------------------------------
It's 2016, people, even the pirates have patched. Possibly the most exploited unchallenged Microsoft Office vulnerability of the last decade was found and patched in 2012.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/07/05/magento_vul…
*** Getting ready for the European Cyber Security Month (ECSM) ***
---------------------------------------------
ENISA together with the European Commission and its partners are preparing for this year's cyber security month running across the EU during October, focusing each week on a different topic.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-…
*** Emulating and Exploiting Firmware binaries - Offensive IoT Exploitation series ***
---------------------------------------------
Welcome to the third post in the "Offensive IoT Exploitation" series. In the previous one, we learned about how we can get started with analyzing firmware and extracting file systems. In this post, we will take it a step further by analyzing individual binaries from firmware, and even exploiting commonly found vulnerabilities. There are two...
---------------------------------------------
http://resources.infosecinstitute.com/emulating-and-exploiting-firmware-bin…
*** Exploiting Format Strings: Getting the Shell ***
---------------------------------------------
In this article, we will have a look at how to exploit format string vulnerabilities to get a shell. Overview: In this article, we will briefly have a look at how to overwrite a specific memory location, how to inject our shellcode into the current memory of the program, and further overwrite some desired memory address to...
---------------------------------------------
http://resources.infosecinstitute.com/exploiting-format-strings-getting-the…
*** 85 million Android devices infected by HummingBad malware ***
---------------------------------------------
HummingBad roots devices and clicks on ad banners, security researchers warn. This reportedly earns the criminals 300,000 US dollars per month. In Germany, tens of thousands of devices are said to be infected.
---------------------------------------------
http://heise.de/-3254664
*** SSD Advisory - Wget Arbitrary Commands Execution ***
---------------------------------------------
A vulnerability in the way wget handles redirects allows attackers who are able to hijack a connection initiated by wget, or to compromise a server from which wget is downloading files, to cause the user running wget to execute arbitrary commands.
---------------------------------------------
https://blogs.securiteam.com/index.php/archives/2701
*** Paper: New Keylogger on the Block ***
---------------------------------------------
In a new paper published by Virus Bulletin, Sophos researcher Gabor Szappanos takes a look at the KeyBase keylogger, sold as a commercial product and popular among cybercriminals who use it in Office exploit kits. Read more...
---------------------------------------------
https://www.virusbulletin.com/blog/2016/07/paper-new-keylogger-block/
*** Lenovo ThinkPwn UEFI exploit also affects products from other vendors ***
---------------------------------------------
A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems also reportedly exists in products from other vendors, including HP and Gigabyte Technology. An exploit for the vulnerability was published last week and can be used to execute rogue code in the CPU's privileged SMM (System Management Mode). This level of access can then be used to install a stealthy rootkit inside the computer's Unified Extensible Firmware Interface (UEFI) -- the modern BIOS -- or...
---------------------------------------------
http://www.csoonline.com/article/3091753/security/lenovo-thinkpwn-uefi-expl…
*** Apache Update: TLS Certificate Authentication Bypass with HTTP/2 (CVE-2016-4979), (Tue, Jul 5th) ***
---------------------------------------------
Apache released an important update today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication. Apache 2.4.18-20 are vulnerable if: - TLS certificates are used for authenticating clients (look for the SSLVerifyClient require directive in your configuration file) - http/2 is enabled (see if the Protocols line includes h2 and/or h2c). tshark -Y ssl.handshake.extensions_alpn_str == h2 -n -i en0 \ -T fields -e ip.src -e...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21223&rss
*** Fake Amazon message: Invoice for your seller fees ***
---------------------------------------------
Criminals are sending purported Amazon notifications. In them they claim that a tax invoice is available. Recipients who want to view it are asked to open a file attachment and disclose their personal login credentials. This is an attempt at data theft.
---------------------------------------------
https://www.watchlist-internet.at/phishing/unechte-amazon-nachricht-rechnun…
*** (Windows) Syslog Server "npriority" field remote Denial of Service vulnerability ***
---------------------------------------------
Bug Description: Syslog Server 1.2.3 is a free syslog server for Windows systems. The syslog server cannot handle the content of the npriority field well, whereupon the server may be collapsed by receiving a customized packet.
---------------------------------------------
http://www.securityfocus.com/archive/1/538836
*** VU#690343: Acer Portal app for Android does not properly validate SSL certificates ***
---------------------------------------------
Vulnerability Note VU#690343 Acer Portal app for Android does not properly validate SSL certificates Original Release date: 05 Jul 2016 | Last revised: 05 Jul 2016 Overview The Acer Portal app for Android allows customers to connect to the Acer Cloud. The Acer Portal app, from version 3.9.3.2003 to 3.9.3.2006, does not properly validate SSL certificates when connecting to the Acer Cloud. Description CVE-2016-5648 - CWE-295: Improper Certificate Validation The Acer Portal app for Android, from
---------------------------------------------
http://www.kb.cert.org/vuls/id/690343
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Scheduler (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) ***
http://www.ibm.com/support/docview.wss?uid=swg21985850
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Tivoli Netcool/Reporter ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986007
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Firefox affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000114
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in NPM affects IBM API Connect (CVE-2016-3956, CVE-2016-2537, CVE-2016-2515) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986144
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 01-07-2016 18:00 − Monday 04-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Spotlight: WPBeginner's Approach to WordPress Security ***
---------------------------------------------
WPBeginner offers tutorials, tips, and tricks for WordPress beginners to improve their sites. With over 150K Twitter followers and almost 10 million monthly visitors, the website is undeniably popular. The high-quality content provided by WPBeginner helps WordPress users make better decisions and gain awareness of their options. Using research and thought leadership, WPBeginner offers guidance...
---------------------------------------------
https://blog.sucuri.net/2016/07/spotlight-wpbeginner-website-security.html
*** SQLite developers need to push the patch ***
---------------------------------------------
Tempfile permissions a can of worms. SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/07/04/sqlite_deve…
*** Encryption: Security vulnerability in Start Encrypt ***
---------------------------------------------
Security researchers have found numerous problems in the client of the Let's Encrypt alternative Start Encrypt that made it possible to issue valid certificates for arbitrary URLs. The client also had numerous other problems, which are now said to be fixed.
---------------------------------------------
http://www.golem.de/news/verschluesselung-sicherheitsluecke-bei-start-encry…
*** Zero-day vulnerability puts Lenovo notebooks at risk ***
---------------------------------------------
A serious zero-day vulnerability in the firmware of Lenovo's ThinkPads can, under certain circumstances, allow arbitrary program code to be executed on the system.
---------------------------------------------
http://futurezone.at/produkte/zero-day-sicherheitsluecke-gefaehrdet-lenovo-…
*** Free tools decrypt ransomware ***
---------------------------------------------
Security software vendor AVG is providing free tools that can be used to defend against various encryption trojans.
---------------------------------------------
http://futurezone.at/digital-life/gratis-tools-entschluesseln-erpressungstr…
*** Major security update for Foxit Reader and Phantom ***
---------------------------------------------
The PDF viewer Foxit Reader has critical security holes, which the update to version 8.0 closes. The PDF editor Phantom is also affected.
---------------------------------------------
http://heise.de/-3253936
*** UPC UBEE EVW3226 WPA2 Password Reverse Engineering ***
---------------------------------------------
TL;DR: We reversed default WPA2 password generation routine for UPC UBEE EVW3226 router. This blog contains firmware analysis, reversing writeup, function statistical analysis and proof-of-concept generator.
---------------------------------------------
https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html
*** Security Alert: Adwind RAT Spotted in Targeted Attacks with Zero AV Detection ***
---------------------------------------------
The malware economy is alive and well! And cyber criminals are making big money by using this business model. The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware has been spotted over the weekend in several targeted attacks against Danish companies. Given that the malicious email employed to deceive victims...
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-adwind-rat-targeted-attacks…
*** Bugtraq: HTTP session poisoning in EMC Documentum WDK-based applications causes arbitrary code execution and privilege elevation ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538819
*** DSA-3613 libvirt - security update ***
---------------------------------------------
Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration
---------------------------------------------
https://www.debian.org/security/2016/dsa-3613
*** DSA-3614 tomcat7 - security update ***
---------------------------------------------
The TERASOLUNA Framework Development Team discovered a denial of service vulnerability in Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications. A remote attacker can take advantage of this flaw by sending file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3614
*** Sierra Wireless AirLink Raven XE and XT Gateway Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of three vulnerabilities affecting the Sierra Wireless AirLink Raven XE and XT gateways. According to this report, the affected products allow unauthenticated access to directories on the system, which may allow remote file upload, download, and system reboot.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-182-01
*** ZDI-16-405: Trihedral VTScada Path Out-Of-Bounds Indexing Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-405/
*** ZDI-16-404: Trihedral VTScada Filter Bypass Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-404/
*** ZDI-16-403: Trihedral VTScada Directory Traversal Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-403/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Security Guardium ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984609
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Notes Standard Client ***
http://www-01.ibm.com/support/docview.wss?uid=swg21983686
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Control Center (CVE-2016-3427 and CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21986174
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Version 7 affect IBM Content Collector for SAP Applications (CVE-2016-3426 CVE-2016-0264) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985957
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Guardium ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985729
---------------------------------------------
*** IBM Security Bulletin: IBM Sterling Connect:Direct FTP+ for Windows installers are vulnerable to attack (CVE-2016-4560) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21982722
---------------------------------------------
*** IBM Security Bulletin: OpenSource Oracle MySQL Vulnerability affects IBM Security Guardium (CVE-2016-2047) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984605
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Guardium (CVE-2015-3197) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984601
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 30-06-2016 18:00 − Friday 01-07-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** F5: Security Advisory: GraphicsMagick vulnerability CVE-2016-5118 ***
---------------------------------------------
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. (CVE-2016-5118)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/82/sol82747025.html?…
*** The Types of Penetration Testing ***
---------------------------------------------
Black Box/White Box/Gray Box Testing
Red/Blue/Purple Teams
---------------------------------------------
http://resources.infosecinstitute.com/the-types-of-penetration-testing/
*** Apache Xerces DTD Parsing Stack Overflow Lets Remote Users Cause the Target Application to Crash ***
---------------------------------------------
Apache Xerces DTD Parsing Stack Overflow Lets Remote Users Cause the Target Application to Crash
---------------------------------------------
http://www.securitytracker.com/id/1036211
*** Eaton ELCSoft Programming Software Memory Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a heap-based memory corruption vulnerability and a stack buffer overflow vulnerability in Eaton's ELCSoft programming software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-182-01
*** Immediate measures for companies in the event of cyber attacks ***
---------------------------------------------
The first 72 hours after a cyber attack can be decisive for legal prosecution, legal experts from Wolf Theiss told journalists.
---------------------------------------------
http://futurezone.at/b2b/sofortmassnahmen-fuer-unternehmen-bei-cyberangriff…
*** SSA-444217 (Last Update 2016-06-30): Information Disclosure Vulnerabilities in SICAM PAS ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-444217…
*** SSA-547990 (Last Update 2016-06-30): Information Disclosure Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-547990…
*** Security Advisory 2016-01: Security Update for OTRS FAQ package ***
---------------------------------------------
An attacker could access and manipulate the database with an HTTP request.
---------------------------------------------
https://www.otrs.com/security-advisory-2016-01-security-update-otrs-faq-pac…
*** Cracking Android's full-disk encryption is easy on millions of phones - with a little patience ***
---------------------------------------------
Just need a couple of common bugs, some GPUs and time. Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected - and there's working code to prove it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/07/01/turns_out_b…
*** Joomla com_smartformer 2.4.1 Shell Upload ***
---------------------------------------------
* @package SmartFormer
* @version 2.4.1 (J1.5 security fix)
poc:
1 - choose a site and open it
2 - Upload shell.php
3 - Go to :/components/com_smartformer/files/shell.php
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016070002
*** Process Hallowing ***
---------------------------------------------
In this article, we will learn what process hallowing is, how is it done, and how we can detect it while performing memory analysis.
---------------------------------------------
http://resources.infosecinstitute.com/process-hallowing/
*** Exploiting Format Strings (Part 1) ***
---------------------------------------------
Overview: In this article, we will learn what format string vulnerabilities are and how we exploit them to read specific values from the stack; further, we will also have a look at how we can use different format specifiers to write arbitrary values to the stack.
---------------------------------------------
http://resources.infosecinstitute.com/exploiting-format-strings-part-1/
*** UEFA's Euro 2016 app is airing football fans' privates in public ***
---------------------------------------------
Offside! Lack of encryption bares usernames, passwords and more. The official UEFA Euro 2016 app is leaking football fans' personal data, security researchers warn.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/07/01/euro_2016_a…
*** Cracking Locky's New Anti-Sandbox Technique ***
---------------------------------------------
This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following considerations: New Locky binaries will not execute properly without the correct parameter. JavaScript downloaders may fail to download if the download locations are already down.
---------------------------------------------
https://blog.fortinet.com/2016/06/30/cracking-locky-s-new-anti-sandbox-tech…
*** Magento Re-Installation & Account Hijacking Vulnerabilities ***
---------------------------------------------
Before discovering my latest Magento RCE, I've found two different vulnerabilities, both resulting in the complete compromise of customer data and/or the server. As they are far less complicated, I'm presenting both of them in this single blog post for your convenience. Vulnerable Versions: Magento EE & CE 2.x.x before 2.0.6.
---------------------------------------------
http://netanelrub.in/2016/07/01/magento-re-installation-account-hijacking-v…
*** F5: Security Advisory: Cross Site Scripting (XSS) vulnerability in F5 WebSafe Dashboard CVE-2016-5235 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48572812.html?…
*** A year of Windows kernel font fuzzing #2: the techniques ***
---------------------------------------------
Posted by Mateusz Jurczyk of Google Project Zero. In part #1 of the series (see here), we discussed the motivation and outcomes of our year long fuzzing effort against the Windows kernel font engine, followed by an analysis of two bug collisions with Keen Team and Hacking Team that ensued as a result of this work. While the bugs themselves are surely amusing, what we find even more interesting are the techniques and decisions we made to make the project as effective as it turned out to be.
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font…
*** Cisco Configuration Assistant Request Processing Unauthorized Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source PHP Vulnerabilities. ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985802
---------------------------------------------
*** IBM Security Bulletin: Cross-site Request Forgery (CSRF) security vulnerability in IBM WebSphere Commerce (CVE-2016-2863) ***
http://www.ibm.com/support/docview.wss?uid=swg21983626
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting attack in FastBack for Workstations Central Administration Console (CVE-2016-0359) ***
http://www.ibm.com/support/docview.wss?uid=swg21986310
---------------------------------------------
*** IBM Security Bulletin: InstallAnywhere Vulnerability affects Daeja ViewONE Professional, Standard & Virtual (CVE-2016-4560) ***
http://www.ibm.com/support/docview.wss?uid=swg21984799
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Taglibs Vulnerability in FastBack for Workstations Central Administration Console (CVE-2015-0254) ***
http://www.ibm.com/support/docview.wss?uid=swg21986309
---------------------------------------------
*** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984323
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source GNU glibc affects IBM OS Images for Red Hat Linux Systems. (CVE-2015-5277) ***
http://www.ibm.com/support/docview.wss?uid=swg21986400
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 28-06-2016 18:00 − Wednesday 29-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** How Red Hat uses CVSSv3 to Assist in Rating Flaws ***
---------------------------------------------
Humans have been measuring risk since the dawn of time. "I'm hungry, do I go outside my awesome cave here and forage for food? There might be something bigger, scarier, and hungrier than me out there...maybe I should wait?" Successfully navigating through life is a series of Risk/Reward calculations made each and every day. Sometimes, ideally, the choices are small ("Do I want fries with that?") while others can lead to catastrophic outcomes if the scenario isn't fully
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/CVSSv3
*** How to Compromise the Enterprise Endpoint ***
---------------------------------------------
Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we're publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws. These vulnerabilities are as bad as it gets.
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-…
*** E-mail encryption for everyone: Volksverschlüsselung is ready ***
---------------------------------------------
Windows users can now use the free Volksverschlüsselung software to send encrypted e-mails via common clients.
---------------------------------------------
http://heise.de/-3250728
*** European consortium for cloud-based signatures and seals founded ***
---------------------------------------------
To mark the start of the eIDAS regulation, European signature service providers have founded the Cloud Signature Consortium (CSC) on Adobe's initiative. It is to develop an open standard for cloud-based signatures and seals.
---------------------------------------------
http://heise.de/-3250807
*** Malware poses as WhatsApp and steals data ***
---------------------------------------------
Other Android apps such as Uber or the Google Play Store are also imitated by the malware in order to capture credit card data.
---------------------------------------------
http://futurezone.at/digital-life/malware-gibt-sich-als-whatsapp-aus-und-st…
*** Home security systems hacked with 1234 password - Update ***
---------------------------------------------
Many smart home security systems come with standard passwords. Potential intruders can deactivate them online and use them to spy on homes - the affected systems are in use in many countries globally.
---------------------------------------------
http://www.heise.de/ct/artikel/Home-security-systems-hacked-with-1234-passw…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server Liberty API Discovery feature has potential vulnerability (CVE-2016-2945) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984502
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021361
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-3426 ) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021385
---------------------------------------------
*** IBM Security Bulletin: Cross Site Scripting (XSS) security vulnerabilities in IBM WebSphere Commerce (CVE-2016-2862) ***
http://www.ibm.com/support/docview.wss?uid=swg21983625
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Productivity Center (CVE-2016-0363) ***
http://www.ibm.com/support/docview.wss?uid=swg21986168
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LCMS Premier (CVE-2016-2510) ***
http://www.ibm.com/support/docview.wss?uid=swg21985108
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience installers vulnerable to attack (CVE-2016-2542) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21981024
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9, IBM BigFix Inventory v9 and IBM Endpoint Manager for Software Use Analysis v9 & v2.2 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985099
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021361
---------------------------------------------
*** Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-3426 ) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021385
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 27-06-2016 18:00 − Tuesday 28-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Reverse Engineering Malware ***
---------------------------------------------
The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it. Here are some of the approaches and tools and ..
---------------------------------------------
https://www.alienvault.com/blogs/labs-research/reverse-engineering-malware
*** A year of Windows kernel font fuzzing #1: the results ***
---------------------------------------------
Post by Mateusz Jurczyk of Google Project Zero. This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font…
*** Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers ***
---------------------------------------------
Fake online reviews generated by unscrupulous marketers blanket the Internet these days. Although online review pollution isn't exactly a hot-button consumer issue, there are plenty of cases in which phony reviews may endanger one's life or ..
---------------------------------------------
http://krebsonsecurity.com/2016/06/scientology-seeks-captive-converts-via-g…
*** Large CCTV Botnet Leveraged in DDoS Attacks ***
---------------------------------------------
Our security operations team investigate and mitigate multiple denial of service (DDoS) attacks every single day. One recent case caught our attention because of the ..
---------------------------------------------
https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.ht…
*** DDoS Extortion - Almost Universally an Empty Threat ***
---------------------------------------------
Last year there was an emergence of threats of DDoS against financial websites (that eventually broadened to others) under the DD4BC moniker. Eventually that morphed into Armada Collective with both stopping around ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21199
*** Nuclear goes boom ***
---------------------------------------------
Silver medallist exploit kit dies alongside Angler as new top dog doubles rental price. Shake ups at the top of the exploit kit world continue, with news the world's two top pop boxes have disappeared.
---------------------------------------------
www.theregister.co.uk/2016/06/28/nuclear_goes_boom/
*** The Latest Android Overlay Malware Spreading via SMS Phishing in Europe ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay…
*** Locky offspring: ransomware Trojan Bart encrypts differently and demands a high ransom ***
---------------------------------------------
Security researchers observed a new method of holding data hostage in the Bart ransomware.
---------------------------------------------
http://heise.de/-3250058
*** Cybersecurity: "A great deal of knowledge is not put into practice" ***
---------------------------------------------
The start-up competition Security Rockstars is looking for innovative security solutions. Submissions are open until 15 July.
---------------------------------------------
http://futurezone.at/thema/start-ups/cybersicherheit-sehr-viel-wissen-wird-…
*** Encryption Trojan swallows Zimbra mails ***
---------------------------------------------
The malware ZimbraCryptor infects the Zimbra Collaboration Suite and encrypts all data in the e-mail folder. To do so, however, an attacker first has to hack into a Zimbra server.
---------------------------------------------
http://heise.de/-3250331
*** Press conference with Minister of Interior Wolfgang Sobotka, KSÖ and SBA: Security Rockstars ***
---------------------------------------------
He hopes for "fresh and unconventional approaches to cybersecurity topics", said Minister of the Interior Wolfgang Sobotka (ÖVP) on Wednesday at a press briefing ..
---------------------------------------------
https://www.sba-research.org/2016/06/28/pressegesprach/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 24-06-2016 18:00 − Monday 27-06-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Economical With The Truth: Making DNSSEC Answers Cheap ***
---------------------------------------------
We launched DNSSEC late last year and are already signing 56.9 billion DNS record sets per day. At this scale, we care a great deal about compute cost. One of the ways we ..
---------------------------------------------
https://blog.cloudflare.com/black-lies/
*** Security Advisory: Multiple Wireshark (tshark) vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/87/sol87669052.html
*** Security Advisory: Multiple Wireshark (tshark) vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/01/sol01837042.html
*** Option CloudGate Insecure Direct Object References Authorization Bypass ***
---------------------------------------------
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass ..
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php
*** Bart - a new Ransomware ***
---------------------------------------------
Phishme is reporting the discovery of a new ransomware which its creators have named Bart. Bart shares several commonalities with the Locky ransomware. Bart is delivered by the same downloader, RockLoader. The payment ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21195
*** Two popular exploit kits suddenly vanished ***
---------------------------------------------
For several weeks, security researchers have no longer observed any activity from the exploit kits Angler and Nuclear, which were formerly popular with cyber crooks.
---------------------------------------------
http://heise.de/-3248999
*** How executives really feel about infosec reports ***
---------------------------------------------
More than half of IT and security executives will lose their jobs as a result of failing to provide useful, actionable information. While the majority of board members say they understand everything they're being told by IT and security ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/27/executives-infosec-reports/
*** Hackers peer into Uber passenger privates, find and plot trips on maps ***
---------------------------------------------
Brute force efforts reveal 1000 discount codes. Three hackers have found eight holes in Uber that could allow fake drivers to be created and user email addresses revealed, ..
---------------------------------------------
www.theregister.co.uk/2016/06/27/hackers_peer_into_uber_passenger_privates_…
*** Annual FiRST Conference Wrap-up ***
---------------------------------------------
The 28th FiRST security event was held in - the land of morning calms' capital, Seoul this past June 12-17, 2016. This is the yearly conference for all CERT ..
---------------------------------------------
https://blog.fortinet.com/2016/06/23/annual-first-conference-wrap-up
*** The Threatening Evolution of Exploit Kits ***
---------------------------------------------
Exploit Kits, even more sophisticated and profitable. Exploit kits are rapidly evolving, threat actors improve them on a daily basis by adding the code for the exploitation of the most recent vulnerabilities. In October 2015, ..
---------------------------------------------
http://resources.infosecinstitute.com/the-threatening-evolution-of-exploit-…
*** Fake PayLife mail: suspicion regarding your last transaction ***
---------------------------------------------
With a fake notification from PayLife, criminals try to obtain victims' account information. To achieve this goal, they claim that there were discrepancies in the last PayLife transaction. ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/unechte-paylife-mail-verdacht-au…
*** EU funds code review: open-source projects wanted ***
---------------------------------------------
With a pilot project, the EU wants to improve IT security. Now users are being asked: which open-source project should get a security check?
---------------------------------------------
http://heise.de/-3249615
*** How to Backdoor Diffie-Hellman ***
---------------------------------------------
Abstract: Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a ..
---------------------------------------------
https://eprint.iacr.org/2016/644
*** The Curious Case of an Unknown Trojan Targeting German-Speaking Users ***
---------------------------------------------
Last week, an unidentified malware was discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers - including us - were unable to identify the malware so we decided to dig a bit further. In this post, ..
---------------------------------------------
https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 23-06-2016 18:00 − Friday 24-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Crypto Wars: new federal agency to crack encryption ***
---------------------------------------------
More and more communication services encrypt messages and protect them from outside access. The federal government apparently does not intend to stand idly by and wants to task an agency with cracking the cryptography.
---------------------------------------------
http://heise.de/-3247957
*** PCI Compliance for eCommerce – Choosing Between SAQ A and A-EP ***
---------------------------------------------
The Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards established in a joint venture between a number of the top credit card issuers in the world – Visa, MasterCard, American Express, ..
---------------------------------------------
https://blog.sucuri.net/2016/06/navigating-pci-self-assessment-questionnair…
*** How to: Testing Android Application Security, Part 2 ***
---------------------------------------------
The popularity of Android devices and applications makes it a target for malware and other threats. This post is the second in a short series on Android ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/testing-android-application-security-p…
*** Necurs Botnet is Back, Updated With Smarter Locky Variant ***
---------------------------------------------
After a mysterious three weeks off the grid, Necurs has returned to spewing massive volumes of email containing improved versions of the potent Locky ransomware and Dridex banking Trojan.
---------------------------------------------
http://threatpost.com/necurs-botnet-is-back-updated-with-smarter-locky-vari…
*** Rockwell Automation Allen-Bradley Stratix 5400 and 5410 Packet Corruption Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a resource management vulnerability in Rockwell Automation’s Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-175-01
*** Unitronics VisiLogic OPLC IDE vlp File Parsing Stack Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in the Unitronics VisiLogic.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-175-02
*** Meinberg NTP Time Server Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a stack buffer overflow vulnerability and a privilege escalation vulnerability in Meinberg’s NTP Time Servers Interface.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-175-03
*** About Lenovo Solution Center 3.3.002 Vulnerabilities (CVE-2016-5249) ***
---------------------------------------------
After patching a set of issues reported by Trustwave SpiderLabs last month, Lenovo released another version of its Lenovo Solution Center software to address new security ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/About-Lenovo-Solution-Center…
*** Security vulnerability in alarm systems from ABUS and Climax ***
---------------------------------------------
Networked alarm systems are supposed to provide security and more convenient operation. Through a security vulnerability, however, attackers can access many systems over the Internet.
---------------------------------------------
http://heise.de/-3247868
*** WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN55826471/
*** WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN95082904/
*** WordPress plugin "Welcart e-Commerce" vulnerable to PHP object injection ***
---------------------------------------------
http://jvn.jp/en/jp/JVN47363774/
*** [2016-06-24] ASUS DSL-N55U cross site scripting and information disclosure vulnerability ***
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** Ransomware Trojan: new Locky wave infects computers ***
---------------------------------------------
Anyone who receives an e-mail with a file attachment these days should eye it even more critically than usual: the encryption Trojan Locky is currently spreading again in Germany, primarily via supposed job-application e-mails.
---------------------------------------------
http://heise.de/-3248277
*** How to Spot Ingenico Self-Checkout Skimmers ***
---------------------------------------------
A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I've heard from several readers who work at retailers that use ..
---------------------------------------------
http://krebsonsecurity.com/2016/06/how-to-spot-ingenico-self-checkout-skimm…
*** Pretty Good Privacy: 40 years of Diffie-Hellman ***
---------------------------------------------
On 23 June 1976, Whitfield Diffie and Martin Hellman presented their approach to an asymmetric encryption scheme at the "Symposium on Information Theory" in Ronneby, Sweden.
---------------------------------------------
http://heise.de/-3248793
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 22-06-2016 18:00 − Thursday 23-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity ***
---------------------------------------------
Early this year, we reported that in 2015, Angler came out as the top exploit kit, having contributed 59.5% in the total exploit kit activity for the year. Now, there's barely any pulse left. After the arrest of 50 people accused of using malware to steal US$25 million, it is interesting to ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-…
*** ZDI-16-373: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Deep Discovery. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-373/
*** Fraudsters are Buying IPv4 Addresses ***
---------------------------------------------
IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them. Hence criminals' interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN's senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/06/fraudsters_are_.html
*** WordPress 4.5.3 release mends eight security flaws, 17 bugs ***
---------------------------------------------
WordPress has released version 4.5.3 of its content management system, fixing eight security vulnerabilities that surfaced in previous versions, as well as 17 other bugs.
---------------------------------------------
http://www.scmagazine.com/wordpress-453-release-mends-eight-security-flaws-…
*** Cisco Unified Contact Center Enterprise Web-Based Management Interface Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance .zip File Scanning Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** TLS Certificate Validation Vulnerability in Citrix iOS Receiver ***
---------------------------------------------
http://support.citrix.com/article/CTX213998
*** Rise of Darknet Stokes Fear of The Insider ***
---------------------------------------------
With the proliferation of shadowy black markets on the so-called "darknet" -- hidden crime bazaars that can only be accessed through special software that obscures one's true location online -- it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders.
---------------------------------------------
http://krebsonsecurity.com/2016/06/rise-of-darknet-stokes-fear-of-the-insid…
*** Linux Kernel ROP - Ropping your way to # (Part 2) ***
---------------------------------------------
Introduction: In Part 1 of this tutorial, we have demonstrated how to find useful ROP gadgets and build a privilege escalation ROP chain for our test system (3.13.0-32 kernel - Ubuntu 12.04.5 LTS). We have also developed a vulnerable kernel ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropp…
*** Critical security vulnerabilities in libarchive endanger FreeBSD & Co. ***
---------------------------------------------
Security researchers discover three serious security vulnerabilities in the open-source library libarchive. Patches are not yet available for all tools that rely on libarchive.
---------------------------------------------
http://heise.de/-3246535
*** Crypto Trojan Cerber: supposed Mediamarkt order costs recipients dearly ***
---------------------------------------------
Online extortionists are currently sending e-mails claiming that an item ordered from Mediamarkt.de will be delivered shortly. Anyone who tries to view or cancel the order ends up with a crypto Trojan.
---------------------------------------------
http://heise.de/-3246780
*** RFC 7905: ChaCha20 encryption standardized for TLS ***
---------------------------------------------
With RFC 7905 there is now a specification for using the encryption algorithm ChaCha20 in Poly1305 mode in TLS. The algorithm, developed by Dan Bernstein, is in particular ..
---------------------------------------------
http://www.golem.de/news/rfc-7905-chacha20-verschluesselung-fuer-tls-standa…
*** Apple gives first-ever look into the core of iPhone operating system iOS10 ***
---------------------------------------------
In the beta of the upcoming version iOS 10, the kernel is not encrypted
---------------------------------------------
http://derstandard.at/2000039668786
*** Unpatched Remote Code Execution Flaw Exists in Swagger ***
---------------------------------------------
Researchers at Rapid7 found a vulnerability in the Swagger Code Generator that could execute arbitrary code embedded in a Swagger document.
---------------------------------------------
http://threatpost.com/unpatched-remote-code-execution-flaw-exists-in-swagge…
*** Redefining how we share our security data. ***
---------------------------------------------
Red Hat Product Security has long provided various bits of machine-consumable information to customers and users via our Security Data page. Today we are pleased to announce that we have made it even easier to access and ..
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2387601
*** Defending Our Brand ***
---------------------------------------------
Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term "Let's Encrypt" for a variety of CA-related services. These trademark applications were ..
---------------------------------------------
https://letsencrypt.org//2016/06/23/defending-our-brand.html
*** Five million certificates: Let's Encrypt is growing rapidly ***
---------------------------------------------
Within three months, Let's Encrypt has increased the total number of free SSL/TLS certificates issued fivefold.
---------------------------------------------
http://heise.de/-3247077
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 21-06-2016 18:00 − Wednesday 22-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection ***
---------------------------------------------
Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky. Recently McAfee Labs has encountered a new variant of macro ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind…
*** Advantech WebAccess ActiveX Vulnerabilities ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01
*** Schneider Electric PowerLogic PM8ECC Cross-site Scripting Vulnerability ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-02
*** DHL Packstation: security vulnerability facilitates abuse of the nearly 3000 parcel lockers ***
---------------------------------------------
Due to a security vulnerability, online crooks could access the parcel compartments of the roughly eight million Packstation users with unnecessary ease. When DHL denied the problem, c't tried it for itself.
---------------------------------------------
http://heise.de/-3243343
*** Hacker, Bromium donate $30,000 in bug bounty cash to charity ***
---------------------------------------------
Google hacker Tavis Ormandy and security firm Bromium have handed Amnesty International US$30,000 in bug bounty cash awarded after the former broke the latter's security controls.
---------------------------------------------
www.theregister.co.uk/2016/06/22/hacker_bromium_donate_30000_in_bug_bounty_…
*** ENISA discusses cyber challenges of the digital transformation ***
---------------------------------------------
https://www.enisa.europa.eu/news/executive-news/enisa-discusses-cyber-chall…
*** DNS security vulnerability at Apple: further platforms affected ***
---------------------------------------------
In addition to the AirPort base stations, iOS, OS X and watchOS are also affected by a critical vulnerability ..
---------------------------------------------
http://heise.de/-3244645
*** E-mail encryption: EU Commission fears encrypted spam ***
---------------------------------------------
PGP is secure but often complicated to handle, especially in large companies. The EU Commission wants to introduce the technology for all employees in a pilot project. One fear looms in the process: that of encrypted spam mails.
---------------------------------------------
http://www.golem.de/news/e-mail-verschluesselung-eu-kommission-hat-angst-vo…
*** KSN Report: Ransomware from 2014-2016 ***
---------------------------------------------
The number of users attacked with ransomware is huge. But how big is it? Ransomware seems to be a global threat. But maybe there are regions at a higher risk of danger? There seem to be a lot of ransomware malware groups. But what are the most widespread and dangerous?
---------------------------------------------
http://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-201…
*** Microsoft denoises homomorphic crypto library SEAL ***
---------------------------------------------
Computing with encrypted data is drawing closer. By changing the underlying cryptosystem, Microsoft wants to take homomorphic encryption to a new level.
---------------------------------------------
http://heise.de/-3243299
*** Exploiting Public Information for OSINT ***
---------------------------------------------
Open source intelligence is an act of finding the information using publicly available sources; these sources could be anything, for instance; newspaper, business directories, annual reports, etc. And the scope of OSINT is not only limited to ..
---------------------------------------------
http://resources.infosecinstitute.com/exploiting-public-information-for-osi…
*** Online backup provider Carbonite asks users to reset passwords ***
---------------------------------------------
Because of an increased number of unauthorized accesses to accounts, users of the online backup service Carbonite should reset their password.
---------------------------------------------
http://heise.de/-3245465
*** Return of Locky ***
---------------------------------------------
There's been a lot of discussion recently of the Necurs botnet being quiet. Today, Necurs activity resumed, and a new Locky malspam campaign began! Let's look at it!
---------------------------------------------
https://malcat.moe/?p=53
*** Interview with a Craigslist scammer ***
---------------------------------------------
Ever wondered what motivates people who swindle others on Craigslist? Read on for a fascinating look into the mind of a small-time ..
---------------------------------------------
http://www.infoworld.com/article/3086304/cyber-crime/interview-with-a-craig…
*** 105,386 Austrians affected by LinkedIn data leak ***
---------------------------------------------
The database of the career network LinkedIn contained a total of 15,386 Austrian e-mail addresses and 76,344 passwords.
---------------------------------------------
http://futurezone.at/digital-life/105-386-oesterreicher-von-linkedin-datenl…
*** Vulnerability Spotlight: Pidgin Vulnerabilities ***
---------------------------------------------
Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit ..
---------------------------------------------
http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 20-06-2016 18:00 − Tuesday 21-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Exploiting Recursion in the Linux Kernel ***
---------------------------------------------
On June 1st, I reported an arbitrary recursion bug in the Linux kernel that can be triggered by a local user on Ubuntu if the system was installed with home directory encryption support. If you want to see the crasher, the exploit ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux…
*** USN-3012-1: Wget vulnerability ***
---------------------------------------------
Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL.
---------------------------------------------
http://www.ubuntu.com/usn/usn-3012-1/
*** USN-3011-1: HAProxy vulnerability ***
---------------------------------------------
Falco Schmutz discovered that HAProxy incorrectly handled the reqdeny filter.
---------------------------------------------
http://www.ubuntu.com/usn/usn-3011-1/
*** Reverse-engineering DUBNIUM's Flash-targeting exploit ***
---------------------------------------------
The DUBNIUM campaign in December involved one exploit in-the-wild that affected Adobe Flash Player. In this blog, we're going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dub…
*** Cisco Integrated Services Routers OpenSSH TCP Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco 8800 Series IP Phone Filesystem Permission Enforcement Unauthorized Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco 8800 Series IP Phone Directory Traversal Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Red Line Drawn: China Recalculates Its Use of Cyber Espionage ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/06/red-line-drawn-china-e…
*** Hackers steal customer data from Acer's online shop ***
---------------------------------------------
Unknown data thieves have apparently boarded Acer's North American online shop and copied customer data. According to the manufacturer, this could include credit card data including security codes.
---------------------------------------------
http://heise.de/-3242703
*** Unauthorized parties sneak into GoToMyPC accounts ***
---------------------------------------------
Because of unauthorized access to user accounts, the provider of the remote maintenance software GoToMyPC has the passwords ..
---------------------------------------------
http://heise.de/-3242747
*** Phishing with a stolen iPhone ***
---------------------------------------------
Criminals steal iPhones. After about a week, they contact their victims with a supposedly genuine SMS from Apple. It says that the ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/phishing-mit-gestohlenem-iphone/
*** Apple: mysterious vulnerability in AirPort router patched ***
---------------------------------------------
Apple's AirPort router and Time Capsule apparently have problems with certain DNS queries. The security vulnerability has now been closed; attackers may have been able to compromise users' networks.
---------------------------------------------
http://www.golem.de/news/apple-mysterioese-luecke-in-airport-router-gepatch…
*** Poorly crafted LogMeIn password reset email looks phishy, but isn't ***
---------------------------------------------
LogMeIn has been sending out password reset emails to some of its customers, to prevent account hijacking fuelled by the recent spate of massive login credential leaks. Unfortunately, their own legitimate email ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/21/poorly-crafted-logmein-password-…
*** Two-factor authentication: smartphone as second key for the Google account ***
---------------------------------------------
Anyone who uses two-factor authentication for their Google account no longer has to enter codes in addition to their password, effective immediately, but can use their smartphone directly to sign in.
---------------------------------------------
http://heise.de/-3243338
*** Flash: Mac OS X again blocks old versions ***
---------------------------------------------
Apple's browser Safari now supports the Flash plug-in only if it is up to date. A few days ago Adobe closed critical vulnerabilities, including a zero-day hole.
---------------------------------------------
http://heise.de/-3243340
*** Finding Browser Extensions To Hunt Evil! ***
---------------------------------------------
Browser extensions, sometimes called plug-ins or add-ons, provide all types of wondrous functionality on top of the web browser, some of which may be actually wanted by the user! These little gems, however, have also proved valuable ..
---------------------------------------------
https://labs.opendns.com/2016/06/16/finding-browser-extensions-find-evil/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 17-06-2016 18:00 − Monday 20-06-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Locky, Dridex, and Angler among cybercrime groups to experience fall in activity ***
---------------------------------------------
There has been a sudden drop off in activity relating to a number of major malware families in recent weeks. Dridex (W32.Cridex), Locky (Trojan.Cryptolocker.AF), the Angler exploit kit and Necurs (Backdoor.Necurs), are among the threats who appear affected by this development.
---------------------------------------------
http://www.symantec.com/connect/blogs/locky-dridex-and-angler-among-cybercr…
*** Ransomware RAA comes with a password stealer piggybacked ***
---------------------------------------------
The malware RAA is said not only to take data hostage and demand a ransom, but also to bring along a trojan that harvests passwords.
---------------------------------------------
http://heise.de/-3242139
*** You Acer holes! PC maker leaks payment cards in e-store hack ***
---------------------------------------------
Lost info includes names, addresses, numbers and security codes. Acer's insecure customer database spilled people's personal information - including full payment card numbers - into hackers' hands for more than a year.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/06/17/what_a_pain…
*** New Ransomware Written Entirely In JavaScript ***
---------------------------------------------
An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. ...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/MLUCGZ3AfdM/new-ransomware-…
*** GoToMyPC remote desktop service resets all passwords in wake of attack ***
---------------------------------------------
GoToMyPC, a remote computer administration service offered by Citrix, has forced a password reset for all customers in the wake of what they call a 'very sophisticated password attack.' Effective immediately, you will be required to reset your GoToMyPC password before you can login again, the company told customers via email on Sunday, and advised them to use their regular GoToMyPC login link to reset the password, or go through the 'Forgot Password' link
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/20/gotomypc-resets-passwords/
*** Understanding Critical Windows Artifacts and Their Relevance During Investigation-Part 1 ***
---------------------------------------------
In this article, we will learn about critical Windows artifacts, what they mean, where they are located in the system, what can be inferred from them and how they can help during an actual investigation. This will be a series of articles and in Part 1, we will learn about the NTFS timestamps which ...
---------------------------------------------
http://resources.infosecinstitute.com/understanding-critical-windows-artifa…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL and a vulnerability in GNU glibc affect IBM Security Proventia Network Enterprise Scanner ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984794
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2016-0399) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984134
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2016-0341) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985111
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco IOS XE Software SNMP Subsystem Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco cBR-8 Series Converged Broadband Router SNMP Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Software Link Layer Discovery Protocol Processing Code Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Software Link Layer Discovery Protocol Processing Code Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 16-06-2016 18:00 − Friday 17-06-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** SAP patches three-year-old vulnerability, plus 20 more flaws ***
---------------------------------------------
SAP this week patched 21 product vulnerabilities, including an information disclosure flaw that was originally disclosed more than three years ago.
---------------------------------------------
http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-…
*** X86 Shellcode Obfuscation - Part 3 ***
---------------------------------------------
Last time, I've added obfuscation support for most common x86 instructions, which allowed to process the obfuscation output several times in order to get even better results. The obfuscated code output now, while being pretty well obfuscated, still is pretty easy to navigate as the execution flow is not changed. I will fix it this episode as I explain methods of implementing full blown execution flow obfuscation by injecting dozens of jumps to make the code output unrecognizable.
---------------------------------------------
https://breakdev.org/x86-shellcode-obfuscation-part-3/
*** ENISA: Free online tool for the notification of personal data breaches ***
---------------------------------------------
The purpose of the tool is to allow data controllers to complete and submit online a personal data breach notification to the competent authority (DPA/NRA). The tool covers all types of personal data breaches and business sectors, whether public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/free-online-tool-for-the-notifi…
*** GitHub: Login attempts with credentials stolen from other sites ***
---------------------------------------------
The GitHub team has detected numerous login attempts, some of which were successful. Evidently, hackers tried to log in with credentials stolen from other sites.
---------------------------------------------
http://heise.de/-3240522
*** Cryptocurrency: Thieves steal 56 million US dollars in Ether - almost ***
---------------------------------------------
Security vulnerability in the Bitcoin alternative Ethereum: attackers were able to steal 3.5 million units of Ether. An unusual measure, however, is intended to prevent the money from actually being paid out.
---------------------------------------------
http://www.golem.de/news/kryptowaehrung-einbrecher-stehlen-56-millionen-us-…
*** Security updates available for Adobe Flash Player (APSB16-18) and Adobe AIR (APSB16-23) ***
---------------------------------------------
Adobe has published a Security Bulletin (APSB16-18) regarding security updates that address critical vulnerabilities in Adobe Flash Player. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1371
*** Bugtraq: [CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538699
*** Cisco Prime Network Registrar System Configuration Protocol Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Bugtraq: User enumeration in Skype for Business 2013 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538697
*** Bugtraq: [SECURITY] [DSA 3604-1] drupal7 security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538696
*** Python urllib HTTP Header Injection ***
---------------------------------------------
Topic: Python urllib HTTP Header Injection
Risk: Low
Text: Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016060130
*** Solarwinds Virtualization Manager 6.3.1 Java Deserialization ***
---------------------------------------------
Topic: Solarwinds Virtualization Manager 6.3.1 Java Deserialization
Risk: High
Text: Java Deserialization in Solarwinds Virtualization Manager 6.3.1 Product: Solarwinds Virtualization Manager Vendor: Solarwin...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016060126
*** Json2Html Cross Site Scripting ***
---------------------------------------------
Topic: Json2Html Cross Site Scripting
Risk: Low
Text: # Exploit Title: Json2Html Javascript Library - Reflective/Persistant XSS # Date: 0 day # Exploit Author: David Silveiro # E...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016060123
*** Gemalto Sentinel License Manager 18.0.1 Directory Traversal ***
---------------------------------------------
Topic: Gemalto Sentinel License Manager 18.0.1 Directory Traversal
Risk: Medium
Text: Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability Vendor: Gemalto NV | SafeNet, Inc Product we...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016060121
*** Security Advisory - Insufficient Input Validation Vulnerability in the FusionInsight ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160617-…
*** Moxa PT-7728 Series Switch Improper Authorization Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an improper authorization vulnerability in Moxa's Industrial Ethernet Switch PT-7728 series.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-168-01
*** sol64505405: NTP vulnerability CVE-2016-4956 ***
---------------------------------------------
This vulnerability can only be exposed if the ntp.conf file is manually edited to enable "broadcastclient" mode in network time protocol (NTP).
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/64/sol64505405.html
*** sol14969: BIG-IP Edge and FirePass client information leakage vulnerability CVE-2013-6024 ***
---------------------------------------------
The Edge Client components in F5 BIG-IP APM, BIG-IP Edge Gateway, and FirePass allow attackers to obtain sensitive information from process memory via unspecified vectors. (CVE-2013-6024) An attacker with sufficient local privileges on a client machine running Windows or Mac OS X may be able to gain access to a user's APM password. Note: This vulnerability is limited to the BIG-IP Edge Client and FirePass legacy client for Windows and Mac OS X only; it does not impact the BIG-IP or FirePass host.
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14969.html
*** sol82644737: NTP vulnerability CVE-2016-4954 ***
---------------------------------------------
Impact: The NTP service may be disrupted. Security Issue Status: F5 Product Development has assigned ID 597023 (BIG-IP), ID 598184 (BIG-IQ), ID 598186 (Enterprise Manager), and LRS-60784 (LineRate) to this vulnerability.
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/82/sol82644737.html
*** IBM Security Bulletin: Vulnerability identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2016-3426) ***
---------------------------------------------
A vulnerability in IBM SDK Java Technology Edition, Version 6 that is shipped with IBM WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3426 Affected product(s) and affected version(s): WebSphere Service Registry and Repository Studio V8.5, V8.0, V7.5 and V7.0 are...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21985335
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by IBM b-type SAN switches and directors. IBM b-type SAN firmware has addressed the applicable CVEs. CVE(s): CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794 Affected product(s) and affected version(s): IBM b-type switches and directors running FOS versions prior to 7.4.1c are affected.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1006391
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 15-06-2016 18:00 − Thursday 16-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Estonia - Cryptographic Algorithms Lifecycle Report 2016 published ***
---------------------------------------------
Estonian Information System Authority (RIA) and Cybernetica have published the "Cryptographic Algorithms Lifecycle Report 2016".
---------------------------------------------
https://www.enisa.europa.eu/about-enisa/structure-organization/national-lia…
*** TLS Certificate Validation Vulnerability in Citrix iOS Receiver ***
---------------------------------------------
A vulnerability has been identified in Citrix iOS Receiver that could result in TLS certificates being incorrectly validated.
This vulnerability has been assigned the following CVE number:
CVE-2016-5433: TLS Certificate Validation Vulnerability in Citrix iOS Receiver.
This vulnerability affects all versions of Citrix iOS Receiver earlier than 7.0.
This vulnerability does not affect Citrix Receivers on any other platforms.
---------------------------------------------
http://support.citrix.com/article/CTX213998
*** Citrix XenServer Security Update for CVE-2016-5302 ***
---------------------------------------------
A security vulnerability has been identified in XenServer 7.0 that may allow an attacker on the management network who is in possession of Active Directory credentials for an AD account that is not authorised to manage a XenServer host to compromise that host.
The following vulnerability has been addressed:
CVE-2016-5302 (Low): Incorrect host management AD authentication
---------------------------------------------
http://support.citrix.com/article/CTX213549
*** Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036 ***
---------------------------------------------
Project: Views (third-party module)
Version: 7.x
Date: 2016-June-15
Security risk: 7/25 (Less Critical)
Vulnerability: Access bypass
Description: An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.
---------------------------------------------
https://www.drupal.org/node/2749333
*** Trend Micro: Security firm finds trojanized TeamViewer versions ***
---------------------------------------------
Was TeamViewer hacked or not? In recent weeks, hundreds of users complained about criminals who plundered accounts via TeamViewer. The vendor itself pointed to poor passwords - a security firm now has another idea.
---------------------------------------------
http://www.golem.de/news/trend-micro-sicherheitsfirma-findet-trojanisierte-…
*** Deep Discovery Inspector vulnerable to remote code execution ***
---------------------------------------------
Deep Discovery Inspector provided by Trend Micro Incorporated contains a remote code execution vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN55428526/
*** Facebook Privacy & Security Guide: Everything You Need to Know [Updated] ***
---------------------------------------------
Facebook grew in the past years to become the largest online social network in the world. It spread so much that even our parents, neighbors and distant relatives, even from remote areas of the country, now constantly use it. It's the place where everybody is active, from friends, family, work colleagues, old school friends to ...
---------------------------------------------
https://heimdalsecurity.com/blog/facebook-security-privacy-guide/
*** Bugtraq: [security bulletin] HPSBNS03625 rev.1 - HPE NonStop Application Server for Java (NSASJ) running SSL/TLS, Remote Disclosure of Information ***
---------------------------------------------
[security bulletin] HPSBNS03625 rev.1 - HPE NonStop Application Server for Java (NSASJ) running SSL/TLS, Remote Disclosure of Information
---------------------------------------------
http://www.securityfocus.com/archive/1/538693
*** Bugtraq: [security bulletin] HPSBGN03553 rev.1 - HP OneView Products using glibc and OpenSSL, Multiple Remote Vulnerabilities ***
---------------------------------------------
[security bulletin] HPSBGN03553 rev.1 - HP OneView Products using glibc and OpenSSL, Multiple Remote Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/538692
*** Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002 ***
---------------------------------------------
Project: Drupal core
Version: 7.x, 8.x
Security risk: 11/25 (Moderately Critical)
Vulnerability: Access bypass, Multiple vulnerabilities
Description: Saving user accounts can sometimes grant the user all roles
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-002
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco RV110W, RV130W, and RV215W Routers HTTP Request Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco RV110W, RV130W, and RV215W Routers Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco RV110W, RV130W, and RV215W Routers Arbitrary Code Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco RV110W, RV130W, and RV215W Routers HTTP Request Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Request Forgery Vulnerability in IBM WebSphere Portal (CVE-2016-2901) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21983974
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application platform is vulnerable to a cross-site scripting attack. (CVE-2016-2883) ***
http://www.ibm.com/support/docview.wss?uid=swg21985158
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in BeanShell affects IBM Leads (CVE-2016-2510) ***
http://www.ibm.com/support/docview.wss?uid=swg21982167
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM InfoSphere Optim Performance Manager for DB2 on LUW and IBM InfoSphere Optim Configuration Manager on Windows Platform (CVE-2016-4560) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984067
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager FastBack for Bare Machine Recovery (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21984184
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager FastBack (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982809
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Notes KeyView PDF Filters (CVE-2016-0301, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) ***
http://www.ibm.com/support/docview.wss?uid=swg21982277
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 14-06-2016 18:00 − Wednesday 15-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Advisory posted for Adobe Flash Player (APSA16-03) ***
---------------------------------------------
A Security Advisory (APSA16-03) has been published regarding a critical vulnerability (CVE-2016-4171) in Adobe Flash Player. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1367
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for the Adobe DNG SDK (APSB16-19), Adobe Brackets (APSB16-20), Adobe Creative Cloud Desktop Application (APSB16-21) and ColdFusion (APSB16-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1361
*** MS16-JUN - Microsoft Security Bulletin Summary for June 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-JUN
*** DSA-3602 php5 - security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3602
*** Where's the Macro? Malware authors are now using OLE embedding to deliver malicious files ***
---------------------------------------------
Recently, we've seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we've seen macros used ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malwar…
*** Mofang: A politically motivated information stealing adversary ***
---------------------------------------------
Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on involvement with ..
---------------------------------------------
https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-informati…
*** Safari 10 blocks Flash by default ***
---------------------------------------------
Starting this autumn, Apple's browser will, in its default setting, pretend to websites that plug-ins such as Flash, Silverlight or Java are not installed at all. The step is intended to save power and provide more security.
---------------------------------------------
http://heise.de/-3238170
*** VMSA-2016-0009 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0009.html
*** VMSA-2016-0005.4 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** VMSA-2015-0009.3 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0009.html
*** VMSA-2015-0007.6 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
*** iOS apps must use HTTPS from 2017 ***
---------------------------------------------
Apple has announced that it will require HTTPS connections for iOS apps from 1 January 2017. Data is to be transmitted only in encrypted form.
---------------------------------------------
http://futurezone.at/apps/ios-apps-muessen-ab-2017-https-verwenden/204.603.…
*** Russian spies hack computers of US Democrats ***
---------------------------------------------
http://derstandard.at/2000038962384-406
*** Adobe Patch Day leaves critical Flash vulnerability unpatched ***
---------------------------------------------
Adobe closes vulnerabilities in ColdFusion, Creative Cloud, the DNG Development Kit and its text editor Brackets. Only a critical Flash vulnerability remains unpatched for the time being.
---------------------------------------------
http://heise.de/-3238271
*** DSA-3603 libav - security update ***
---------------------------------------------
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3603
*** Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package) ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle…
*** Microsoft Patch Day: Ancient vulnerability from the Windows 95 era closed ***
---------------------------------------------
Microsoft has released 16 security updates this month. Five of them are critical, and an important vulnerability named "BadTunnel" affects all Windows versions since Windows 95.
---------------------------------------------
http://heise.de/-3238328
*** xDedic - the shady world of hacked servers for sale ***
---------------------------------------------
Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished. The short, cryptic name perhaps doesn't say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.
---------------------------------------------
http://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-…
*** Programming language: Microsoft researches a safe C extension ***
---------------------------------------------
Some modifications to the syntax, compiler and runtime environment are intended to protect C programs from errors typical of the programming language. Microsoft is researching this technique together with universities in an open-source project.
---------------------------------------------
http://www.golem.de/news/programmiersprache-microsoft-forscht-an-sicherer-c…
*** Next Steps for Legacy Plug-ins ***
---------------------------------------------
The web platform is capable of amazing things. Thanks to the ongoing hard work of standards bodies, browser vendors, and web developers, web standards are feature-rich and continuously improving. The WebKit project in particular ..
---------------------------------------------
https://webkit.org/blog/6589/next-steps-for-legacy-plug-ins/
*** Forum operator hacked: 45 million users affected ***
---------------------------------------------
Cybercriminals have stolen 45 million records from VerticalScope. The Canadian company hosts more than 1,100 websites and online forums.
---------------------------------------------
http://futurezone.at/digital-life/forenbetreiber-gehackt-45-millionen-nutze…
*** TalkTalk customers are being attacked via TeamViewer access ***
---------------------------------------------
As if it were not enough that TalkTalk customers' data is on the net: now they are also falling victim to crooks. These attempt to ..
---------------------------------------------
http://heise.de/-3238766
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 13-06-2016 18:00 − Tuesday 14-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** ATM Insert Skimmers In Action ***
---------------------------------------------
KrebsOnSecurity has featured several recent posts on "insert skimmers," ATM skimming devices made to fit snugly and invisibly inside a cash machine's card acceptance slot. I'm revisiting the subject again because I've recently ..
---------------------------------------------
http://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/
*** DSA-3601 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors may lead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3601
*** Virus scanner infects systems with Sality virus ***
---------------------------------------------
An update of the Rising virus scanner placed an infected file on systems, which then sets about spreading the Sality virus further.
---------------------------------------------
http://heise.de/-3237654
*** Vawtrak banking Trojan shifts to new targets ***
---------------------------------------------
The Vawtrak banking Trojan (aka Snifula) is slowly but surely becoming a serious threat. With version 2, the malware has acquired the capability to target ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/14/vawtrak-banking-trojan-shifts-ne…
*** Critical vulnerability: Attackers can gain admin rights in Oxid E-Shop ***
---------------------------------------------
A vulnerability in the Oxid e-shop system gives attackers access to the admin interface; code can also be injected into the frontend. Current versions are secured with a patch; for older ones only a workaround exists.
---------------------------------------------
http://www.golem.de/news/kritische-sicherheitsluecke-angreifer-koennen-admi…
*** Uproar over LinkedIn hack in .at: Users should urgently change their password ***
---------------------------------------------
The complete user database from 2012 is circulating and is now making headlines in this country as well.
---------------------------------------------
http://derstandard.at/2000038935519
*** Weaponizing Nessus ***
---------------------------------------------
Once in a blue moon we come across a client that has truly done security right (or at least, tried really hard to do so). All the low hanging fruit has ..
---------------------------------------------
http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus
*** The PhotoMiner Campaign ***
---------------------------------------------
Over the past few months, we've been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by ..
---------------------------------------------
https://www.guardicore.com/2016/06/the-photominer-campaign/
*** Finding pearls; fuzzing ClamAV ***
---------------------------------------------
Previously, I wrote about the general workflow to follow if you wanted to seriously begin fuzzing applications, while covering fuzzing a small YAML library. In this post, we will cover taking that workflow and applying it in real life to the open-source antivirus project ClamAV. This fuzz job was ..
---------------------------------------------
https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/
*** phpMyAdmin Project Successfully Completes Security Audit ***
---------------------------------------------
Software Freedom Conservancy congratulates its phpMyAdmin project on successfully completing a thorough security audit, as part of Mozilla's Secure Open Source Fund. No serious issues were found in the phpMyAdmin codebase.
---------------------------------------------
https://www.phpmyadmin.net/news/2016/6/13/phpmyadmin-project-successfully-c…
*** Netgear routers easy to crack thanks to hard-coded keys ***
---------------------------------------------
The D6000 and D3600 routers can be hijacked by attackers because they use hard-coded crypto keys that are always the same. In addition, the administrator password can be read out very easily.
---------------------------------------------
http://heise.de/-3237907
*** Making Curl | Bash safe(r) ***
---------------------------------------------
You know those software installation instructions that tell you to download and run a script directly from the internet, as root, using something like the following?
---------------------------------------------
https://sysdig.com/blog/making-curl-bash-safer/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 10-06-2016 18:00 − Monday 13-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Linux Kernel ROP - Ropping your way to # (Part 1) ***
---------------------------------------------
Kernel ROP: In-kernel ROP (Return Oriented Programming) is a useful technique that is often used to bypass restrictions associated with non-executable memory regions. For example, on default kernels, it presents a practical approach for ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropp…
*** Siemens SIMATIC S7-300 Denial-of-Service Vulnerability ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-161-01
*** Is it the End of Angler ? ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html
*** Visual Studio 2015 inserts tracing code into C++ programs without asking ***
---------------------------------------------
Microsoft's current development environment automatically, and without asking, inserts function calls into C++ code that serve to collect telemetry data. Microsoft now intends to stop this with updates.
---------------------------------------------
http://heise.de/-3235676
*** Blackberry distributes user data to authorities worldwide ***
---------------------------------------------
Blackberry decrypts messages that are sent and received via its devices and shares this information and other user data with authorities all over the world.
---------------------------------------------
http://futurezone.at/netzpolitik/blackberry-verteilt-nutzerdaten-weltweit-a…
*** Petya and Mischa - Ransomware Duet (part 2) ***
---------------------------------------------
After being defeated in April, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/06/petya-and-mischa-rans…
*** DNS Sinkhole ISO Version 2.0 ***
---------------------------------------------
After 4 years (previous version 1.3 Jun 2012), I containing the following changes: - Updated to Slackware 14.1 with Linux kernel 3.10.17 - Added inetsim in the /opt directory as a limited alternative to collect redirected sinkhole ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21153
*** Symantec acquires Blue Coat for 4.65 billion dollars ***
---------------------------------------------
Blue Coat has been bought by the security software vendor Symantec and intends from now on to concentrate mainly on antivirus software.
---------------------------------------------
http://futurezone.at/b2b/symantec-uebernimmt-blue-coat-fuer-4-65-milliarden…
*** Encryption: Let's Encrypt publishes 7,618 e-mail addresses ***
---------------------------------------------
Let's Encrypt aims to better secure connections on the Internet and thus better protect users' private data. But now the project itself has exposed numerous e-mail addresses through a mishap.
---------------------------------------------
http://www.golem.de/news/verschuesselung-let-s-encrypt-verraet-7-618-e-mail…
*** FLocker Mobile Ransomware Crosses to Smart TV ***
---------------------------------------------
Using multiple devices that run on one platform makes life easier for a lot of people. However, if a malware affects one of these devices, the said malware may eventually affect the others, too. This appears to be the case when we came across an ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomwa…
*** Instead of backups: British companies hoard bitcoins for extortion trojans ***
---------------------------------------------
Instead of ensuring regular backups, many British companies apparently prefer to build up cryptocurrency reserves in order to be able to pay ransom for their data. According to a survey, many companies are prepared to pay up to 50,000 pounds.
---------------------------------------------
http://heise.de/-3236563
*** Intel anchors anti-exploit technology in (CPU) hardware ***
---------------------------------------------
With "Control-flow Enforcement Technology", Intel wants to put a further hurdle in the way of exploiting security vulnerabilities. When CET will debut in processors, however, is still up in the air.
---------------------------------------------
http://heise.de/-3236707
*** Microsoft buys LinkedIn for 26.2 billion dollars ***
---------------------------------------------
The career network LinkedIn is being acquired by Microsoft. The Xing competitor is valued at a total of 26.2 billion dollars in the deal, the companies announced.
---------------------------------------------
http://futurezone.at/b2b/microsoft-kauf-linkedin-fuer-26-2-milliarden-dolla…
*** Process Explorer: Part 2 ***
---------------------------------------------
For Windows operating systems (OS), especially those up to and including Windows 7, Process Explorer is an excellent replacement for Task Manager. After publishing ..
---------------------------------------------
https://blog.malwarebytes.org/101/2016/05/process-explorer-part-2/
*** Recommendations for cybersecurity law published ***
---------------------------------------------
For a year, experts from business, academia and public authorities have discussed the cybersecurity law, which is to introduce a reporting obligation for cyber attacks.
---------------------------------------------
http://futurezone.at/netzpolitik/empfehlungen-fuer-cyberischerheitsgesetz-v…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 09-06-2016 18:00 − Friday 10-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Reverse-engineering DUBNIUM ***
---------------------------------------------
DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features. We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dub…
*** "Websites are becoming more vulnerable" ***
---------------------------------------------
Alexander Mitter of nimbusec and Andreas Tomek of SBA Research on security start-ups in Austria, threat scenarios and Viagra shops on company websites.
---------------------------------------------
http://futurezone.at/thema/start-ups/webseiten-werden-angreifbarer/203.199.…
*** Offensive or Defensive Security? Both!, (Thu, Jun 9th) ***
---------------------------------------------
Sometimes students ask me the best way to jump into the security world. I usually compare information security to medicine: You start with a common base (a strong knowledge in IT) then you must choose a specialization: auditor, architect, penetration tester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped in two categories: offensive and defensive. Many people like the first one because it looks more funny and the portrait of the hacker as depicted in Hollywood...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21149&rss
*** Secure Open Source: Mozilla establishes fund for better security ***
---------------------------------------------
In the Secure Open Source (SOS) program, Mozilla is initially providing 500,000 US dollars to improve the security of open-source software. Unlike at the Linux Foundation, the money is to be used explicitly for audits and the clean handling of security vulnerabilities.
---------------------------------------------
http://www.golem.de/news/secure-open-source-mozilla-stiftet-fonds-fuer-bess…
*** Crysis ransomware fills vacuum left by TeslaCrypt ***
---------------------------------------------
TeslaCrypt has reached the end of the road, and other ransomware is ready to fill the vacuum left behind it. A relative newcomer to the market, Crysis ransomware is already laying claim to parts of TeslaCrypt's territory. The Crysis ransomware family - not to be confused with the Crisis backdoor/spyware Trojan that targeted both Windows and Mac users some four years ago - is currently in its second iteration, and doesn't differ much from other...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/10/crysis-ransomware/
*** An Interview With the Hacker Probably Selling Your Password Right Now ***
---------------------------------------------
A conversation with the stolen-data wholesaler selling 800 million stolen passwords, and plaguing the security teams of LinkedIn, Twitter, and Tumblr.
---------------------------------------------
http://www.wired.com/2016/06/interview-hacker-probably-selling-password/
*** Optimizing TLS over TCP to reduce latency ***
---------------------------------------------
The layered nature of the Internet (HTTP on top of some reliable transport (e.g. TCP), TCP on top of some datagram layer (e.g. IP), IP on top of some link (e.g. Ethernet)) has been very important in its development. Different link layers have come and gone over...
---------------------------------------------
https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/
*** EMC and VMware both suffer malicious user access messes ***
---------------------------------------------
The wrong people can access data on Data Domain, NSX and vRealize. VMware and EMC have each revealed security nasties.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/06/10/emc_and_vmw…
*** VU#778696: Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass ***
---------------------------------------------
Vulnerability Note VU#778696: Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass. Original Release date: 10 Jun 2016 | Last revised: 10 Jun 2016. Overview: The Netgear D6000 and D3600 routers are vulnerable to authentication bypass and contain hard-coded cryptographic keys embedded in their firmware. Description: CWE-321: Use of Hard-coded Cryptographic Key -- CVE-2015-8288. The firmware for these devices contains a hard-coded RSA private key,...
---------------------------------------------
http://www.kb.cert.org/vuls/id/778696
*** USN-2995-1: Squid vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2995-1, 9th June, 2016. squid3 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS, Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Several security issues were fixed in Squid. Software description: squid3 - Web proxy cache server. Details: Yuriy M. Kaminskiy discovered that the Squid pinger utility incorrectly handled certain ICMPv6 packets. A remote attacker could use this issue to cause Squid to crash, resulting in a...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2995-1/
*** DSA-3599 p7zip - security update ***
---------------------------------------------
Marcin Icewall Noga of Cisco Talos discovered an out-of-bound read vulnerability in the CInArchive::ReadFileItem method in p7zip, a 7zr file archiver with high compression ratio. A remote attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of the user running p7zip, if a specially crafted UDF file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3599
*** Security Advisory: Java vulnerabilities CVE-2013-5825 and CVE-2013-5830 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48802597.html?…
*** Security Advisory: iControl REST vulnerability CVE-2016-5021 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/99/sol99998454.html?…
*** Bugtraq: ESA-2016-062: EMC Data Domain Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538642
*** VMSA-2016-0008 ***
---------------------------------------------
VMware vRealize Log Insight addresses important and moderate security issues.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0008.html
*** VMSA-2016-0007 ***
---------------------------------------------
VMware NSX and vCNS product updates address a critical information disclosure vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0007.html
*** Bugtraq: [security bulletin] HPSBGN03617 rev.2 - HPE IceWall Federation Agent and IceWall File Manager using libXML2 library, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538640
*** [R2] OpenSSL 20160503 Advisory Affects Tenable Products ***
---------------------------------------------
Nessus and SecurityCenter are potentially impacted by several vulnerabilities in OpenSSL that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included version of OpenSSL as a precaution, and to save time. [...] Advisory Timeline 2016-05-19 - [R1] Initial Release | 2016-06-09 - [R2] Security Center details added
---------------------------------------------
https://www.tenable.com/security/tns-2016-10
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-3705) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM BigFix Compliance Analytics. IBM BigFix Compliance has addressed this vulnerability. CVE(s): CVE-2016-3705 Affected product(s) and affected version(s): IBM BigFix Security Compliance Analytics 1.7 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21984773 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/112885
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984773
*** IBM Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. (CVE-2016-0264) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 Service Refresh 2 Fixpack 11 that is used by IBM BigFix Compliance Analytics. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-0264 Affected product(s) and affected version(s): IBM BigFix Security Compliance Analytics 1.8. Refer to...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983689
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy (CVE-2015-5345, CVE-2015-5346, CVE-2015-5351) ***
---------------------------------------------
Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy. CVE(s): CVE-2015-5345, CVE-2015-5346, CVE-2015-5351 Affected product(s) and affected version(s): IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.0.1.7, 6.0.1.8, 6.0.1.9, 6.0.1.10, 6.0.1.11, 6.0.1.12, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, 6.1.1.4, 6.1.1.5, 6.1.1.6, 6.1.1.7, 6.1.1.8, 6.1.2, 6.1.3, 6.1.3.1, 6.1.3.2, 6.2, 6.2.0.1,...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000126
*** IBM Security Bulletin: IBM Notes InstallShield vulnerable to DLL planting (CVE-2016-2542) ***
---------------------------------------------
IBM Notes uses InstallShield which generates install executables that are vulnerable to a DLL-planting vulnerability. CVE(s): CVE-2016-2542 Affected product(s) and affected version(s): This vulnerability affects installers of following versions of IBM Notes...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21979808
*** IBM Security Bulletin: Vulnerability in Apache Standard Taglibs affects IBM WebSphere Application Server (CVE-2015-0254) ***
---------------------------------------------
There is an XML External Entity Injection (XXE) vulnerability in the Apache Standard Taglibs that affects IBM WebSphere Application Server. CVE(s): CVE-2015-0254 Affected product(s) and affected version(s): This vulnerability affects the following versions and releases of IBM WebSphere Application Server Version 8.5.5 Full Profile and Liberty Version 8.5 Full Profile and Liberty Version 8.0 Version...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21978495
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 08-06-2016 18:00 − Thursday 09-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** AVM warns of telephone abuse on routers with older firmware ***
---------------------------------------------
Fritzboxes with "rare configurations" and older firmware could currently fall victim to attackers aiming at telephone fraud. AVM advises updating.
---------------------------------------------
http://heise.de/-3232343
*** Unpatched D-Link Wi-Fi Camera Flaw Remotely Exploitable ***
---------------------------------------------
D-Link's DCS930L Wi-Fi camera is vulnerable to a stack overflow vulnerability that can be remotely exploited.
---------------------------------------------
http://threatpost.com/unpatched-d-link-wi-fi-camera-flaw-remotely-exploitab…
*** Skype being used to distribute malware ***
---------------------------------------------
Skype being used to distribute QRAT malware to unsuspecting travelers looking for help on filling out U.S. travel documents.
---------------------------------------------
http://www.scmagazine.com/skype-being-used-to-distribute-malware/article/50…
*** Searching for malspam, (Thu, Jun 9th) ***
---------------------------------------------
Introduction: About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware. I haven't found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21145&rss
*** Security: Locky and Dridex botnet has disappeared without a trace ***
---------------------------------------------
Security researchers have observed a massive decline in infections by the well-known malware families Dridex and Locky. Problems with the distributing botnet are apparently to blame. There is no new infrastructure for Locky. What happens to victims is currently open.
---------------------------------------------
http://www.golem.de/news/security-wo-ist-nur-das-botnetz-hin-1606-121396-rs…
*** REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-033 Project: REST/JSON (third-party module) Version: 7.x Date: 2016-June-08 Security risk: 19/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities Description: This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities including: Node access bypass, Comment access bypass, User enumeration, Field access bypass, User registration...
---------------------------------------------
https://www.drupal.org/node/2744889
*** Citrix XenServer Security Update for CVE-2016-5302 ***
---------------------------------------------
A security vulnerability has been identified in XenServer 7.0 that may allow an attacker on the management network who is in possession of Active Directory credentials for an AD account that is not authorised to manage a XenServer host to compromise that host.
---------------------------------------------
https://support.citrix.com/article/CTX213549
*** Bugtraq: ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538634
*** Bugtraq: ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538635
*** Security Advisory: Custom monitor privilege escalation vulnerability CVE-2016-5020 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00265182.html?…
*** Security Advisory: PHP vulnerability CVE-2016-4070 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/42/sol42065024.html?…
*** SSA-526760 (Last Update 2016-06-08): Weak Credentials Protection in SIMATIC WinCC flexible ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-526760…
*** SSA-818183 (Last Update 2016-06-08): Denial-of-Service Vulnerability in S7-300 CPU ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-818183…
*** SSA-301706 (Last Update 2016-06-08): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** Bugtraq: [security bulletin] HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS), Disclosure of Information, Unauthorized Read Access to Files, Server Side Request Forgery ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538630
*** Bugtraq: [security bulletin] HPSBGN03624 rev.1 - HPE Project and Portfolio Management Center, Remote Disclosure of Sensitive Information, Execution of Arbitrary of Commands ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538629
*** Bugtraq: [security bulletin] HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538633
*** Bugtraq: [security bulletin] HPSBMU03584 rev.2 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538632
*** Cisco Aironet 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Binary Files Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP Phone 8800 Series Web Application Buffer Overflow Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino ***
http://www.ibm.com/support/docview.wss?uid=swg21984678
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield/InstallAnywhere affects IBM Informix CSDK and Server installation on Windows (CVE-2016-2542, CVE-2016-4560) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984231
---------------------------------------------
*** IBM Security Bulletin: IBM Client Application Access InstallShield vulnerable to DLL planting (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21981968
---------------------------------------------
*** IBM Security Bulletin: Secure Properties in IBM UrbanCode Deploy Vulnerable (CVE-2016-0267) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000151
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tealeaf Customer Experience (CVE-2015-1794, CVE-2015-3194, CVE-2016-0702) ***
http://www.ibm.com/support/docview.wss?uid=swg21981021
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerabilities in OpenSSL and ReDoS vulnerability in semver module affect IBM SDK for Node.js in IBM Bluemix (CVE-2016-2107, CVE-2016-2105, CVE-2015-8855) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21983514
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection ***
http://www.ibm.com/support/docview.wss?uid=swg21984424
---------------------------------------------
*** IBM Security Bulletin: An unspecified JMX component vulnerability affects IBM SPSS Analytic Server (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21984436
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 07-06-2016 18:00 − Wednesday 08-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft Bounty Program expansion - .NET Core and ASP.NET RC2 Beta Bounty ***
---------------------------------------------
Today I have another exciting expansion of the Microsoft Bounty Program. Please visit https://aka.ms/BugBounty to find out more. As we approach release for .NET Core and ASP.NET, we would like to get even more feedback from the security research community. We are offering a bounty on the .NET Core and ASP.NET Core RC2 Beta Build which...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/06/07/microsoft-bounty-progra…
*** SWIFT May Ban Banks Without Strong Cybersecurity (June 3, 2016) ***
---------------------------------------------
The head of SWIFT says that banks without adequate cybersecurity measures in place could find themselves suspended from using the SWIFT financial transfer communication network...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/45/202
*** Ransomware Leaves Server Credentials in its Code ***
---------------------------------------------
While SNSLocker isn't a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland facade hid quite a surprise. After looking closer at its code, we discovered that this Ransomware contains the credentials for the access of its own server. We also found out that they used readily-available servers and payment systems. This...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gADipA92iAA/
*** Phishers Abuse Hosting Temporary URLs ***
---------------------------------------------
Recently we told you how hackers use alternative domain names provided by web hosts to make their URLs look less suspicious. This time we'll show a similar trick used by phishers. Phishing web pages get blacklisted very fast. That's why hackers need to purchase many domains or compromise many websites so that they can point...
---------------------------------------------
https://blog.sucuri.net/2016/06/phishers-abuse-hosting-temporary-urls.html
*** Neutrino EK and CryptXXX, (Wed, Jun 8th) ***
---------------------------------------------
Introduction: By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1]. Until then, I'd only seen Angler EK distribute CryptXXX. However, this is not the first time we've seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5]. It was documented as early as August 2015 [2]. This can be confusing, especially if you're expecting Angler EK. Campaigns can (and occasionally do) switch EKs. For an...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21141&rss
*** Millions of must be firewalled services are open to the entire internet - research ***
---------------------------------------------
15m telnet nodes, 4.5m printers TCP port 445... Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/06/08/services_be…
*** How to Prevent Ransomware in Industrial Control Systems ***
---------------------------------------------
Del Rodillas, our solution lead for SCADA & Industrial Control Systems, recently appeared in Electric Light & Power to discuss ransomware as an emerging threat for Operational Technology environments. With ransomware on everyone's mind these...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/how-to-prevent-ransomwar…
*** LinkedIn users receive fake business invoice ***
---------------------------------------------
Criminals are sending purportedly outstanding company invoices in a targeted manner to users of the social network LinkedIn. In them they cite the correct information published on the platform, such as the name, job position and company. Recipients are asked to open the attached file. It conceals malware.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/linkedln-nutzer-er…
*** Google To Deprecate SSLv3, RC4 in Gmail IMAP/POP Clients ***
---------------------------------------------
Google will next week begin a gradual deprecation of unsafe crypto protocol SSLv3 and cipher RC4 in Gmail IMAP/POP clients.
---------------------------------------------
http://threatpost.com/google-to-deprecate-sslv3-rc4-in-gmail-imappop-client…
*** ENISA shows options for forensic analysis of cloud incidents ***
---------------------------------------------
As an aid, and not only for providers of cloud services, the European security agency ENISA has published a paper on the technical state of the art in analysing security incidents in the cloud.
---------------------------------------------
http://heise.de/-3231521
*** But have I really been pwned? Vetting your data ***
---------------------------------------------
The news has been full of leaked passwords for some popular services recently. But these numbers of hacked accounts can be exaggerated for effect, and sometimes blatantly wrong.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/06/but-have-i-really-bee…
*** Cisco IOS XR Software LPTS Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3597 expat - security update ***
---------------------------------------------
Two related issues have been discovered in Expat, a C library for parsing XML.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3597
*** Symantec Embedded Security: Critical System Protection and Symantec Data Center Security: Server Advanced, Multiple Security Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** DFN-CERT-2016-0918: GnuTLS: A vulnerability allows the manipulation of arbitrary files ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0918/
*** Trihedral VTScada Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in Trihedral Engineering Ltd.'s Trihedral VTScada.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-159-01
*** KMC Controls Conquest BACnet Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on May 5, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication and cross-site request forgery vulnerabilities in KMC Controls Conquest BACnet routers through its web interface.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-126-01
*** Security Advisory - Several Vulnerabilities in Huawei Honor Routers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160607-…
*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160608-…
*** Security Advisory: SQLite vulnerabilities CVE-2015-3414 and CVE-2015-3415 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/37/sol37236006.html?…
*** Security Advisory: SQLite vulnerability CVE-2015-3416 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm…
*** Bugtraq: [security bulletin] HPSBGN03623 rev.1 - HPE Universal CMDB, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538623
*** Bugtraq: [security bulletin] HPSBGN03622 rev.1 - HPE UCMDB, Universal Discovery, and UCMDB Configuration Manager using Apache Commons Collection, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538622
*** Bugtraq: [security bulletin] HPSBGN03621 rev.1 - HPE Universal CMDB using OpenSSL, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538621
*** IBM Security Bulletin: A vulnerability in the instance runAsUser function was found in IBM InfoSphere Streams (CVE-2016-2867) ***
---------------------------------------------
There is a potential vulnerability in IBM InfoSphere Streams when the instance runAsUser property is set. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2867 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 4.0.1.1 and earlier IBM Streams Version 4.1.1.0 and earlier Refer to the following reference URLs for remediation and additional vulnerability details: Source
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983444
*** IBM Security Bulletin: Multiple security vulnerabilities in Open Source Apache Tomcat affect IBM Cognos Business Viewpoint (CVE-2016-0714, CVE-2015-5174) ***
---------------------------------------------
There are multiple vulnerabilities in Open Source Apache Tomcat that is used by IBM Cognos Business Viewpoint. These were disclosed in the 02/22/2016 X-Force Reports. IBM Cognos Business Viewpoint has addressed the applicable CVEs. CVE(s): CVE-2016-0714, CVE-2015-5174 Affected product(s) and affected version(s): IBM Cognos Business Viewpoint 10.1 FP1 IBM Cognos Business Viewpoint 10.1.1 FP2 Refer...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984197
*** IBM Security Bulletin: InstallAnywhere generates installation executables which are vulnerable to a DLL-planting vulnerability (CVE-2016-4560) ***
---------------------------------------------
InstallAnywhere generates installation executables which are vulnerable to a DLL-planting vulnerability affect IBM Security AppScan Source CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM Security AppScan Source 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21983037 X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983037
*** IBM Security Bulletin: Vulnerabilities in IBM Domino Keyview PDF Filters (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) ***
---------------------------------------------
IBM Domino has four vulnerabilities in Keyview PDF filters. CVE(s): CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301 Affected product(s) and affected version(s): IBM Domino 9.0.1 FP5 and earlier releases. IBM Domino 9.0 IF4 and earlier releases. IBM Domino 8.5.3 FP6 IF12 and earlier releases. IBM Domino 8.5.2 FP4 IF3 and earlier releases. IBM Domino 8.5.1 FP5 IF3 and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983292
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2016-2073) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2073 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983372
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8710) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8710 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983371
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-2108, CVE-2016-2107). ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Direct for UNIX. IBM Sterling Connect:Direct for UNIX has addressed the applicable CVEs. CVE(s): CVE-2016-2108, CVE-2016-2107 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Unix 4.1.0 IBM Sterling Connect:Direct for Unix 4.0.0 Refer to the following...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983909
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 06-06-2016 18:00 − Tuesday 07-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Targeted trojan e-mails with personal data from the LinkedIn hack ***
---------------------------------------------
Fake invoices carrying a trojan are currently circulating; they make use of LinkedIn data and therefore appear plausible.
---------------------------------------------
http://heise.de/-3228473
*** Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript ***
---------------------------------------------
This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/locky-ransomware-hides-under-multiple-…
*** Threat Actors Employ COM Technology in Shellcode to Evade Detection ***
---------------------------------------------
COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several "features" built into COM have led to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/threat-actors-employ-com-technology-sh…
*** FastPOS malware exfiltrates data immediately after harvesting it ***
---------------------------------------------
POS malware might have taken a backseat when ransomware became the go-to malware for many cyber crooks, but stealing payment card information to effect fraudulent transactions is still a lucrative business. Trend Micro researchers have recently analyzed a new POS malware family sporting some interesting functionalities. One of these is what made them dub the threat FastPOS: the malware does not wait to collect a batch of data and then send it periodically to the...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/07/fastpos-malware/
*** Check your BITS, because deleting malware might not be enough ***
---------------------------------------------
Attackers are abusing the Windows Background Intelligent Transfer Service (BITS) to re-infect computers with malware after they've been already cleaned by antivirus products. The technique was observed in the wild last month by researchers from SecureWorks while responding to a malware incident for a customer. The antivirus software installed on a compromised computer detected and removed a malware program, but the computer was still showing signs of malicious activity at the network level.
---------------------------------------------
http://www.cio.com/article/3080016/check-your-bits-because-deleting-malware…
*** Android gets patches for serious flaws in hardware drivers and media server ***
---------------------------------------------
The June batch of Android security patches addresses nearly two dozen vulnerabilities in system drivers for various hardware components from several chipset makers. The largest number of critical and high severity flaws were patched in the Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera driver. Some of these privilege escalation vulnerabilities could allow malicious applications to execute malicious code in the kernel leading to a permanent device compromise. Similar...
---------------------------------------------
http://www.csoonline.com/article/3079726/security/android-gets-patches-for-…
*** Android Security Bulletin - June 2016 ***
---------------------------------------------
[...] The most severe issue is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-06-01.html
*** BlackBerry powered by Android Security Bulletin - June 2016 ***
---------------------------------------------
BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available build, as outlined in the Available Updates section.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038209
*** NTP.org ntpd is vulnerable to denial of service and other vulnerabilities ***
---------------------------------------------
NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTP's security advisory listing and in the individual links below.
---------------------------------------------
https://www.kb.cert.org/vuls/id/321640
*** DFN-CERT-2016-0840: IPv6 protocol: A vulnerability allows a denial-of-service attack ***
---------------------------------------------
Version 1 (2016-05-26 11:34) New advisory Version 2 (2016-05-27 09:49) Cisco updates the referenced security advisory [...] Version 3 (2016-06-01 11:36) Cisco updates the referenced security advisory [...] Version 4 (2016-06-03 14:31) Cisco updates cisco-sa-20160525-ipv6 and points out that this is not a Cisco-specific bug, [...] Version 5 (2016-06-06 15:12) Juniper Networks reports that EX4300, EX4600, QFX3500 and QFX5100...
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0840/
*** Bugtraq: [security bulletin] HPSBGN03620 rev.1 - HPE Helion OpenStack using OpenSSL and QEMU, Remote Unauthorized Data Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538612
*** Bugtraq: [security bulletin] HPSBGN03619 rev.1 - HPE Discovery and Dependency Mapping Inventory (DDMi) using Java Deserialization, remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538611
*** Bugtraq: [security bulletin] HPSBGN03442 rev.2 - HP Helion OpenStack using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538610
*** IBM Security Bulletin: Path Traversal affects IBM Security Guardium Database Activity Monitor (CVE-2016-0298) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to view arbitrary files on the system. CVE(s): CVE-2016-0298 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981749
*** IBM Security Bulletin: Using Components with Known Vulnerabilities affects IBM Security Guardium (multiple CVEs) ***
---------------------------------------------
IBM Security Guardium is vulnerable to several possible remote attacks CVE(s): CVE-2015-4881, CVE-2015-7181, CVE-2015-7981, CVE-2013-1981, CVE-2015-3416, CVE-2015-2730, CVE-2015-7704, CVE-2015-3238, CVE-2015-5312, CVE-2015-5288 Affected product(s) and affected version(s): IBM Security Guardium V10 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981747 X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981747
*** IBM Security Bulletin: Cacheable SSL Page vulnerability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0237) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor contains locally cached browser data, that could allow a local attacker to obtain sensitive information. CVE(s): CVE-2016-0237 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981631 X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981631
*** IBM Security Bulletin: Use of Hard-coded Cryptographic Key vulnerability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0235) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor uses a hard-coded password for the which is available to the administrator or a user with root access. This password could be used across other GRUB systems. CVE(s): CVE-2016-0235 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981748
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Streams (CVE-2016-0466, CVE-2016-0448) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16 Fix Pack 21 and earlier releases. If you run your own Java code using the IBM Java...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983436
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8317) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8317 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983370
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM MQ AMS (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by IBM MQ Advanced Message Security (AMS) on IBM i. IBM MQ has addressed the applicable CVEs. CVE(s): CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 Affected product(s) and affected version(s): IBM MQ 8.0 Advanced Message Security (AMS) on IBM i only Fix Pack 8.0.0.4...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983823
*** IBM Security Bulletin: A vulnerability in XML processing affects IBM InfoSphere Streams (CVE-2015-1819) ***
---------------------------------------------
IBM InfoSphere Streams may be vulnerable to a denial of service attack due to the use of Libxml2 (CVE-2015-1819) CVE(s): CVE-2015-1819 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21981066
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM BigFix Remote Control (CVE-2016-2107) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM BigFix Remote Control. IBM BigFix Remote Control has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): IBM BigFix Remote Control version 9.1.2 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984111
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 03-06-2016 18:00 − Monday 06-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Magento Credit Card Stealer for Braintree Extension ***
---------------------------------------------
We regularly find and write about malware that steals credit card details from Magento sites because attackers discover new techniques to obtain sensitive data daily. This time, the malicious code is specifically designed for Magento sites that use the Braintree extension. This extension connects a Magento store with the Braintree payment processing service that is...
---------------------------------------------
https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-exten…
*** WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin ***
---------------------------------------------
An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin that was installed on over 10,000 websites. The zero-day was used in real-world attacks since May 26, but only surfaced to light on May 29 when researchers notified the plugin's developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.org's Plugin Directory on May 31. In...
---------------------------------------------
https://tech.slashdot.org/story/16/06/03/2243238/wordpress-sites-under-atta…
https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-expl…
*** What's Going on With libtiff?, (Sun, Jun 5th) ***
---------------------------------------------
libtiff, as the name implies, is a library used to parse TIFF formatted images. While you don't run into TIFF images on the web every day, the format is quite popular for higher-resolution/high quality applications like printing. TIFF allows the user to select between lossless or lossy compression depending on the preferences of the user. While the library is very popular, a reader wrote in last week asking if the library is still maintained. Currently, there are three security issues listed in...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21131&rss
*** Destructive BadBlock ransomware can be foiled ***
---------------------------------------------
If you have been hit with ransomware, you want that malware to be BadBlock - but only if you haven't restarted your computer. This particular malware is a lacklustre attempt to create something on par with more popular ransomware, and that allowed Emsisoft security researcher Fabian Wosar to create a decrypter tool for it. The tool can be downloaded for free, and Bleeping Computer has offered instructions on how to use it. But, aside from...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/06/destructive-badblock-ransomware-…
*** Researchers hack the Mitsubishi Outlander SUV, shut off alarm remotely ***
---------------------------------------------
Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. The weaknesses were discovered by Pen Test Partners, and include: The mobile app connects to the car through a Wi-Fi access point on it, instead via a web service and GSM module, making it impossible to use if one is not...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/06/researchers-hack-mitsubishi-outl…
*** Dangerous self-spreading successor of Zeus and Carberp discovered ***
---------------------------------------------
June 3, 2016 In June, Doctor Web security researchers examined a new dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and monitor user activity. It has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp. Yet, unlike them, it can be spread without any user intervention infecting executable files. Besides, curing of the infected computer is rather complicated and may take several hours. Due to the ability to...
---------------------------------------------
http://news.drweb.com/show/?i=9999&lng=en&c=9
*** Firmware Analysis for IoT Devices ***
---------------------------------------------
Introduction This is the second post in the IoT Exploitation and Penetration Testing series. In this post, we are going to have a look at a key component in an IoT device architecture - Firmware. Any IoT device you use, you will be interacting with firmware, and this is because firmware can be thought of...
---------------------------------------------
http://resources.infosecinstitute.com/firmware-analysis-for-iot-devices/
*** Widespread exploits evade protections enforced by Microsoft EMET ***
---------------------------------------------
It's bad news for businesses. Hackers have launched large-scale attacks that are capable of bypassing the security protections added by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a tool whose goal is to stop software exploits. Security researchers from FireEye have observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus
---------------------------------------------
http://www.cio.com/article/3079747/widespread-exploits-evade-protections-en…
*** Cisco Aironet Access Points Command-Line Interpreter Linux Shell Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP 8800 Series Phones btcli Utility Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10749 - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability (CVE-2016-1409) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10749&actp=RSS
*** Security Advisory: NTP vulnerability CVE-2016-1548 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63675293.html?…
*** DSA-3595 mariadb-10.0 - security update ***
---------------------------------------------
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.25. Please see the MariaDB 10.0 Release Notes for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3595
*** Bugtraq: [security bulletin] HPSBUX03616 SSRT110128 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538597
*** DFN-CERT-2016-0908: VideoLAN VLC Media Player: A vulnerability allows, among other things, the execution of arbitrary program code with user privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0908/
*** Citrix NetScaler Gateway Lets Remote Users Hijack the Target User's Login Form Credentials ***
---------------------------------------------
http://www.securitytracker.com/id/1036020
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 02-06-2016 18:00 − Friday 03-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Trillium Exploit Kit Update Offers 'Security Tips' ***
---------------------------------------------
McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/trillium-exploit-kit-update-offers-sec…
*** DSA-3593 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3593
*** GE MultiLink Series Hard-coded Credential Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in GE's MultiLink series managed switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01
*** WP Mobile Detector <= 3.5 - Arbitrary File Upload ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8505
*** Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals ***
---------------------------------------------
Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-ang…
*** MySQL is YourSQL ***
---------------------------------------------
It's The End of the World and We Know It If you listen to the press - those purveyors of doom, those nattering nabobs of negativism - you arrive at a single, undeniable conclusion: The world is going to hell in a hand-basket. They ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21117
*** After controversy: Teamviewer introduced new account protections ***
---------------------------------------------
A few days after numerous user complaints about hacked accounts, Teamviewer is responding with a security update brought forward ahead of schedule. We spoke with the company about it.
---------------------------------------------
http://www.golem.de/news/nach-kontroversen-teamviewer-fuehrte-neue-accounts…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 01-06-2016 18:00 − Thursday 02-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3591 imagemagick - security update ***
---------------------------------------------
Bob Friesenhahn from the GraphicsMagick project discovered a command injection vulnerability in ImageMagick, a program suite for image manipulation. An attacker with control on input image or the input filename can execute arbitrary commands with the privileges of the user running the application.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3591
*** Lenovo advises users to remove a vulnerable support tool preinstalled on their systems ***
---------------------------------------------
PC maker Lenovo is recommending that users remove an application preloaded on their computers because it contains a high-severity flaw that could allow attackers to take over their systems. The vulnerable tool is called ..
---------------------------------------------
http://www.csoonline.com/article/3077935/security/lenovo-advises-users-to-r…
*** Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031 ***
---------------------------------------------
https://www.drupal.org/node/2738707
*** DSA-3592 nginx - security update ***
---------------------------------------------
It was discovered that a NULL pointer dereference in the Nginx code responsible for saving client request bodies to a temporary file might result in denial of service: Malformed requests could crash worker processes.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3592
*** Researchers spot 35-fold increase in newly observed ransomware domains ***
---------------------------------------------
A record 35-fold increase in newly observed ransomware domains compared to the fourth quarter of 2015 has been spotted by Infoblox researchers.
---------------------------------------------
http://www.scmagazine.com/infoblox-researchers-spotted-a-huge-uptick-in-dns…
*** Yahoo Publishes National Security Letters After FBI Drops Gag Orders ***
---------------------------------------------
Yahoo just became the first company to disclose that it has received NSLs without having to go to court to do so.
---------------------------------------------
http://www.wired.com/2016/06/yahoo-publishes-national-security-letters-fbi-…
*** Docker Containers Logging ***
---------------------------------------------
In a previous diary, Jim talked about forensic operations against Docker containers. To be able to perform investigations after an incident, we must have some ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21121
*** Most Android virus scanners are insecure ***
---------------------------------------------
AV software is actually supposed to protect the smartphone from malicious code. As researchers have now found, however, many virus hunters for Android themselves have glaring security flaws.
---------------------------------------------
http://heise.de/-3225169
*** Trend Micro enterprise products multiple vulnerabilities ***
---------------------------------------------
Multiple enterprise products provided by Trend Micro Incorporated contain multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48847535/
*** Trend Micro Internet Security multiple vulnerabilities ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48789425/
*** Mitnick Attack Reappears at GeekPwn Macau Contest ***
---------------------------------------------
Cao Yue, a Ph.D. student from University of California, Riverside, delivered a stunning show at the GeekPwn 2016 Macau Contest on May 12 attended by top-caliber white hat hackers worldwide. Cao succeeded in remotely hijacking TCP connections at his random choice.
---------------------------------------------
http://www.prnewswire.com/news-releases/mitnick-attack-reappears-at-geekpwn…
*** Hacker Lexicon: What Is Fuzzing? ***
---------------------------------------------
Sometimes hacking isn't about taking a program apart: It's about throwing random objects at it to see what breaks.
---------------------------------------------
http://www.wired.com/2016/06/hacker-lexicon-fuzzing/
*** [2016-06-02] Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway ***
---------------------------------------------
The firmware for the cable modem Ubee EVW3226 contains multiple critical vulnerabilities, which can be exploited to gain full system-level access to the device. This allows for inspection, modification and redirection of traffic.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.h…
*** TeamViewer users claim accounts hacked ***
---------------------------------------------
TeamViewer is a remote desktop connection software that allows users to share screens and allow remote access from anywhere in the world. In the past 24 hours, many customers ..
---------------------------------------------
http://www.inquisitr.com/3156809/teamviewer-accounts-hacked-users-claim/
*** Extortion emails threaten reputational damage via social media ***
---------------------------------------------
Extortionists are exploiting the coverage of recent hacker attacks to send threatening emails in which they threaten victims with publishing sensitive information on the victims' online accounts.
---------------------------------------------
http://heise.de/-3225619
*** 93% Of Phishing Emails Are Now Ransomware ***
---------------------------------------------
According to the latest data from security firm PhishMe, 93% of all phishing emails as of the end of March contained encryption ransomware. The numbers ..
---------------------------------------------
https://tech.slashdot.org/story/16/06/02/1356241/93-of-phishing-emails-are-…
*** How Russian cybercrime bosses crafted a ransomware empire out of an economic crisis ***
---------------------------------------------
Amid a crashing ruble and shaken markets due to global sanctions over Russian president Vladimir Putin's ..
---------------------------------------------
http://www.neowin.net/news/how-russian-cybercrime-bosses-crafted-a-ransomwa…
*** XSA-178 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-178.html
*** XSA-175 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-175.html
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 31-05-2016 18:00 − Wednesday 01-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results ***
---------------------------------------------
The version 6.0 of Tor Browser, a free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support, and removing ..
---------------------------------------------
https://tech.slashdot.org/story/16/05/31/1643234/tor-browser-60-ditches-sha…
*** Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005 ***
---------------------------------------------
It has been over 19 months since Drupalgeddon, which refers to Drupal's Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it ..
---------------------------------------------
https://blog.sucuri.net/2016/05/drupal-sqli-drupalgeddon-attack-trend-cve-2…
*** Finding Conditional Drupal Database Spam ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of what we deal with since our inception, giving us some pretty good ..
---------------------------------------------
https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.ht…
*** Cluster of 'megabreaches' compromises a whopping 642 million passwords ***
---------------------------------------------
MySpace, Tumblr, and Fling are the latest services to join discredited LinkedIn.
---------------------------------------------
http://arstechnica.com/security/2016/05/cluster-of-megabreaches-compromise-…
*** Moxa UC 7408-LX-Plus Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in Moxa's UC 7408-LX-Plus device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01
*** ABB PCM600 Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one use of password hash with insufficient computational effort and three insufficiently protected credentials vulnerabilities in ABB's PCM600.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-02
*** Unfalsifiability of security claims ***
---------------------------------------------
There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We ..
---------------------------------------------
http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.…
*** Flaw in ImageMagick and GraphicsMagick enables renewed attacks ***
---------------------------------------------
Manipulated file names can cause malicious code to be executed via the operating system's popen() function. Patches are available.
---------------------------------------------
http://heise.de/-3223811
*** Scrum.org hacked, may have lost crypto keys and some user data ***
---------------------------------------------
Don't go dissing DevOps: a supplier has fessed up to a website vuln Scrum.org, the Scrum certification ..
---------------------------------------------
www.theregister.co.uk/2016/06/01/scrumorg_hacked_may_have_lost_crypto_keys_…
*** Serious security vulnerabilities in preinstalled laptop software ***
---------------------------------------------
http://derstandard.at/2000038006783
*** Microsoft: Spam filter for Hotmail and Outlook broken ***
---------------------------------------------
Company is working flat out on a fix; some users are reportedly receiving an "extreme amount" of spam emails
---------------------------------------------
http://derstandard.at/2000038023486
*** The impossible task of creating a 'Best VPNs' list today ***
---------------------------------------------
Our writer set out to make a list of reliable VPNs; turns out the task is complicated.
---------------------------------------------
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-t…
*** VB2015 paper: Economic Sanctions on Malware ***
---------------------------------------------
Financial pressure can be a proactive and potentially very effective tool in making our computer ecosystems safer. By cleverly employing various trust metrics and technologies such as digital signing, watermarking, and ..
---------------------------------------------
https://www.virusbulletin.com/blog/2016/06/economic-sanctions-malware/
*** DRIDEX Poses as Fake Certificate in Latest Spam Run ***
---------------------------------------------
At a glance, it seems that DRIDEX has dwindled its activities or operation, appearing only for a few days this May. This is quite unusual given that in the past five months or so, this prevalent online banking threat ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-…
*** Security: LG has to fix Android firmware ***
---------------------------------------------
Two security vulnerabilities in LG's Android firmware enable a range of attacks, some of them remote. Users should act quickly; the updates are available.
---------------------------------------------
http://www.golem.de/news/security-lg-muss-android-firmware-reparieren-1606-…
*** Baby food: Hipp's Mein Baby Club was hacked ***
---------------------------------------------
Copied user data is always a nuisance - especially when children's personal information is affected. The manufacturer Hipp has now informed its customers about a break-in into the Mein Baby Club's own server systems.
---------------------------------------------
http://www.golem.de/news/kindernahrung-mein-baby-club-von-hipp-wurde-gehack…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 30-05-2016 18:00 − Tuesday 31-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Completed: Maintenance work Tuesday, 31. 5. 2016 ***
---------------------------------------------
Completed: Maintenance work Tuesday, 31. 5. 2016 - 25 May 2016 - On Tuesday, 31 May 2016, we will carry out maintenance work on our infrastructure. This will lead to outages of the externally reachable services (e.g. mail, web server, mailing lists); these may each ..
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
*** Austrian Handy-Signatur vulnerable to phishing ***
---------------------------------------------
With a so-called Handy-Signatur (mobile phone signature), Austrians can also sign documents for communication with authorities in a legally binding way. But the digital signature can be forged with a simple phishing attack.
---------------------------------------------
http://heise.de/-3222980
*** Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration ***
---------------------------------------------
A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller.
---------------------------------------------
https://support.citrix.com/article/CTX213045
*** After criticism: Pornhub revises its bounty program ***
---------------------------------------------
A porn site made headlines with its bug bounty program. But the communication with the hackers and the bounties paid drew a lot of criticism. The company now promises to do better.
---------------------------------------------
http://www.golem.de/news/nach-kritik-pornhub-ueberarbeitet-sein-bounty-prog…
*** Twitter paid out $322,420 in bug bounties ***
---------------------------------------------
Researchers have proven that bug bounties are a cheaper way for discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs. The security community has praised those who have, and the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/31/twitter-bug-bounty/
*** New Tor Browser relies on DuckDuckGo for search ***
---------------------------------------------
The previous default search, Disconnect, switched from Google to Bing, with catastrophic results, the developers say in explaining their decision. Further changes affect Mac users and the display of YouTube videos.
---------------------------------------------
http://heise.de/-3210346
*** Bloatware Insecurity Continues to Haunt Consumer, Business Laptops ***
---------------------------------------------
High-severity vulnerabilities were found in pre-installed software updaters present in consumer and business laptops from vendors such as Dell, HP, Lenovo, Asus and Acer.
---------------------------------------------
http://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-busi…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 27-05-2016 18:00 − Monday 30-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security baseline for Windows Server 2016 Technical Preview 5 (TP5) ***
---------------------------------------------
Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/05/27/security-baseline-f…
*** New Locky ransomware campaign sets sights on Amazon customers ***
---------------------------------------------
Amazon customers are the target of a wide-ranging phishing email scam intended to fool recipients into opening up a malicious attachment that results in the downloading of Locky ransomware.
---------------------------------------------
http://www.scmagazine.com/new-locky-ransomware-campaign-sets-sights-on-amaz…
*** How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware ***
---------------------------------------------
Background Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/how-attackers-use-a-fl…
*** VMSA-2016-0005.2 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Security Advisory: Stored XSS in Jetpack ***
---------------------------------------------
During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The ..
---------------------------------------------
https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
*** ZDI-16-361: (Pwn2Own) Apple OS X libATSServer Heap-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-361/
*** ZDI-16-360: (Pwn2Own) Apple OS X fontd Sandbox Escape Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-360/
*** Microsoft equips Windows 10 with dual virus protection ***
---------------------------------------------
http://derstandard.at/2000037805637
*** After LinkedIn, data leak at MySpace too ***
---------------------------------------------
According to his own statements, the LinkedIn hacker also has 360 million email addresses of MySpace users and ..
---------------------------------------------
http://futurezone.at/digital-life/nach-linkedin-datenleck-auch-bei-myspace/…
*** Duqu 2.0 kernel exploitation technique analysis (part 1 of 2) ***
---------------------------------------------
Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/29/%e2%80%8bduqu-2-0-kerne…
*** CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename ***
---------------------------------------------
All existing releases of GraphicsMagick and ImageMagick support a file open syntax where if the first character of the file specification is a |, then the remainder of the filename is passed to the shell for execution using the ..
---------------------------------------------
http://permalink.gmane.org/gmane.comp.security.oss.general/19669
*** breaking into a wordpress site without knowing wordpress/php or infosec at all ***
---------------------------------------------
This is a post about how I tried and broke into my college's wordpress installation without having any prior knowledge of wordpress/php and without any experience with hacking web-servers. The attempts were spread out over a month, ..
---------------------------------------------
https://notehub.org/5zo2v
*** Saudi Arabia is said to have launched cyberattacks against Iran ***
---------------------------------------------
http://derstandard.at/2000037865736
*** Microsoft takes action against overly simple passwords ***
---------------------------------------------
In future, users of Azure and other services are to receive warnings if their password ..
---------------------------------------------
http://derstandard.at/2000037866342
*** Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the IP Version 6 (IPv6) packet processing functions of Cisco IOS XR Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Attackers steal user data from sz-magazin.de ***
---------------------------------------------
An unauthorized person reportedly gained unlawful access to a database server of SZ-Magazin in mid-May.
---------------------------------------------
http://heise.de/-3222586
*** Background: Blocking certificates - here's how ***
---------------------------------------------
Topsy-turvy world -- to block a certificate, you first have to install it. With the following instructions ..
---------------------------------------------
http://heise.de/-3222308
*** For World No Tobacco Day: BSI warns of malware in e-cigarettes ***
---------------------------------------------
Anyone who smokes e-cigarettes spares their lungs tar but puts the health of their computer at risk - at least if the e-cigarette is charged via USB.
---------------------------------------------
http://www.golem.de/news/zum-weltnichtrauchertag-bsi-warnt-vor-malware-in-e…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 26-05-2016 18:00 − Friday 27-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** VU#482135: MEDHOST Perioperative Information Management System contains hard-coded database credentials ***
---------------------------------------------
MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access.
---------------------------------------------
http://www.kb.cert.org/vuls/id/482135
*** Environmental Systems Corporation Data Controllers Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-01
*** Sixnet BT Series Hard-coded Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in Sixnet's BT series routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-02
*** Black Box AlertWerks ServSensor Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in Black Box's AlertWerks ServSensor devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-03
*** Bugtraq: ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538499
*** Up to a dozen banks are reportedly investigating potential SWIFT breaches ***
---------------------------------------------
More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh ..
---------------------------------------------
http://www.cio.com/article/3075448/up-to-a-dozen-banks-are-reportedly-inves…
*** Cisco WebEx Meeting Center Site Access Control User Account Enumeration Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: NTP vulnerability CVE-2016-2519 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/41/sol41613034.html
*** Security Advisory: NTP vulnerability CVE-2016-2517 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61200338.html
*** Multiple Buffalo wireless LAN routers vulnerable to information disclosure ***
---------------------------------------------
http://jvn.jp/en/jp/JVN75813272/
*** Multiple Buffalo wireless LAN routers vulnerable to directory traversal ***
---------------------------------------------
http://jvn.jp/en/jp/JVN81698369/
*** Link (.lnk) to Ransom ***
---------------------------------------------
We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
*** Spoofer ***
---------------------------------------------
Seeking to minimize Internet's susceptibility to spoofed DDoS attacks, we are developing and supporting open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices. This ..
---------------------------------------------
http://www.caida.org/projects/spoofer/
*** Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160527-…
*** Path Traversal in extension "Media management" (media) ***
---------------------------------------------
https://typo3.org/news/article/path-traversal-in-extension-media-management…
*** Cross-Site Scripting in extension "Formhandler" (formhandler) ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle…
*** Global companies aren't quick to patch 'high' severity flaw in OpenSSL ***
---------------------------------------------
Yet another Padding Oracle flaw (CVE-2016-2107), allowing decrypting TLS traffic in a MITM attack, remains exploitable on the most popular web and email servers.
---------------------------------------------
https://www.htbridge.com/blog/CVE-2016-2107-padding-oracle-exploit.html
*** TLS certificates: Google further tightens the thumbscrews on CAs ***
---------------------------------------------
From June, all Symantec CAs must register their activities via Certificate Transparency. Otherwise the certificate holders will be penalized. This could affect other CAs as well.
---------------------------------------------
http://heise.de/-3215053
*** Cisco Firepower Management Center Web Interface Code Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Android Banking Trojan 'SpyLocker' Targets More Banks in Europe ***
---------------------------------------------
Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-spylocker-targe…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 24-05-2016 18:00 − Wednesday 25-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Botnets Used for Low and Slow Credential Testing (May 23, 2016) ***
---------------------------------------------
Botnets are being used to test account access credentials...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/306
*** Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016) ***
---------------------------------------------
Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/308
*** Nulled WordPress Themes: Malvertising and Black Hat SEO ***
---------------------------------------------
If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or...
---------------------------------------------
https://blog.sucuri.net/2016/05/nulled-wordpress-themes-malvertising-black-…
*** New Wekby Attacks Use DNS Requests As Command and Control Mechanism ***
---------------------------------------------
We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks…
*** SWIFT exec unveils info sharing plan, calls Bangladesh a watershed event ***
---------------------------------------------
SWIFT CEO Gottfried Leibbrandt issued details of the messaging service company's information-sharing strategy.
---------------------------------------------
http://www.scmagazine.com/swift-exec-unveils-info-sharing-plan-calls-bangla…
*** Stop Using "internal" Top Level Domain Names, (Wed, May 25th) ***
---------------------------------------------
Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase even though the initial gold rush seems to have leveled off somewhat [1]. US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21095&rss
*** CVE-2015-2545: overview of current threats ***
---------------------------------------------
Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability.
---------------------------------------------
http://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of…
*** Who's tracking you online, and how? ***
---------------------------------------------
Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild. The web privacy measurement tool is called OpenWPM, and has been open sourced. Its creators are the very same researchers who performed this latest study. They crawled and analyzed measurements collected from 1 million of the most popular...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/25/whos-tracking-you-online/
*** The Answer is always the same: Layers of Security ***
---------------------------------------------
There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel. seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the number...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2334141
*** Skimmers Found at Walmart: A Closer Look ***
---------------------------------------------
Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations remind me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
---------------------------------------------
http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/
*** VMSA-2016-0006 ***
---------------------------------------------
VMware vCenter Server updates address an important cross-site scripting issue
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0006.html
*** HPE Service Manager Unspecified Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1035954
*** Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities ***
---------------------------------------------
Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service condition.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php
*** Operation Technology ETAP 14.1.0 Local Privilege Escalation ***
---------------------------------------------
ETAP suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the C flag (Change) for the Authenticated Users group.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php
*** ZDI-16-354: (0Day) ActivePDF Toolkit ImageToPDF IAT Overwrite Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ActivePDF Toolkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-354/
*** Moxa MiiNePort Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in Moxa's MiiNePort serial device server module series.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01
*** Security Advisory: Java vulnerabilities CVE-2013-5802 and CVE-2013-5823 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53316849.html?…
*** Security Advisory: Multiple Java vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/95/sol95313044.html?…
*** Maintenance work Tuesday, 31.5.2016 ***
---------------------------------------------
Maintenance work Tuesday, 31. 5. 2016 | 25 May 2016 | On Tuesday, 31 May 2016, we will carry out maintenance work on our infrastructure. This will cause outages of the externally reachable services (e.g. mail, web server, mailing lists), each of which may last several minutes. ...
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
Next End-of-Shift report: 2016-05-27
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 23-05-2016 18:00 − Tuesday 24-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DMA Locker 4.0 - Known Ransomware Preparing For A Massive Distribution ***
---------------------------------------------
We take a look at DMA Locker's step towards maturity and how it will be spreading on a bigger scale.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-…
*** Beware of keystroke loggers disguised as USB phone chargers, FBI warns ***
---------------------------------------------
Private industry notification comes 15 months after debut of KeySweeper.
---------------------------------------------
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguis…
*** SWIFT to unveil new security plan after hackers' heists ***
---------------------------------------------
The SWIFT secure messaging service that underpins international banking said it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist. [...] Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks.
---------------------------------------------
http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6
*** Commentary: Allo, Google? Are you serious? ***
---------------------------------------------
Google's WhatsApp alternative Allo does not encrypt consistently, but instead actively reads along. What is the point of that?
---------------------------------------------
http://heise.de/-3215729
*** WPAD name collision bug opens door for MitM attackers ***
---------------------------------------------
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns. "With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/24/wpad-name-collision-bug/
*** Hacker finds flaw in teleconference tool used by US Army, NASA and CERN ***
---------------------------------------------
Like we need another reason to hate videoconferences. Sydney security tester Jamieson O'Reilly has reported a since-patched vulnerability in popular video platform Vidyo - used by the likes of the US Army, NASA and CERN - that could see videos leaked and systems compromised.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/19/popular_tel…
*** Pastejacking in the browser: code execution via copy and paste ***
---------------------------------------------
Browsers can modify the contents of the clipboard on their own. A proof of concept shows how this capability can be used for attacks, and how users can protect themselves quite easily.
---------------------------------------------
http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-a…
*** Malicious apps secretly set up expensive phone connections ***
---------------------------------------------
Warning from the regulatory authority
---------------------------------------------
http://derstandard.at/2000037564561
*** Now DDoS as well as extortion: encryption trojan Cerber learns new tricks ***
---------------------------------------------
With a new version of Cerber, the masterminds behind the ransomware want to generate even more profit: the malware takes personal data hostage, and the criminals can abuse infected computers for DDoS attacks.
---------------------------------------------
http://heise.de/-3217254
*** The Anti-Ransomware Protection Plan You Need to Follow Today ***
---------------------------------------------
Technology has made our lives both easier and more complicated - there's no denying that. Fast Internet access opened up a world of wisdom and all the distractions we can imagine. But the door is also open for cyber criminals with little to no scruples and a big appetite for money. And there's no better...
---------------------------------------------
https://heimdalsecurity.com/blog/anti-ransomware-protection-plan/
*** Xen Security Advisory CVE-2014-3672 / XSA-180 ***
---------------------------------------------
When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-180.html
*** Pulse Connect Secure Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035932
*** Missing Access Check in TYPO3 CMS ***
---------------------------------------------
It has been discovered that TYPO3 CMS lacks an access check for Extbase actions.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-typo3-cms/
*** Missing Access Check in extension "Frontend User Registration" (sf_register) ***
---------------------------------------------
It has been discovered that the extension "Frontend User Registration" (sf_register) lacks a proper access check.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-extension-frontend-u…
*** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco UCS Invicta Software Default GPG Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: GNU C Library (glibc) vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: OpenSSH vulnerability CVE-2016-1907 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35424631.html?…
---------------------------------------------
*** Security Advisory: glibc vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: Java vulnerabilities CVE-2013-5782 and CVE-2013-5803 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14340611.html?…
---------------------------------------------
*** Security Advisory: PHP Vulnerability CVE-2016-4539 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35240323.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0264, CVE-2016-3449) ***
http://www.ibm.com/support/docview.wss?uid=swg21983578
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005812
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update (CVE-2016-0322) ***
http://www.ibm.com/support/docview.wss?uid=swg21982611
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2015-5174) ***
http://www.ibm.com/support/docview.wss?uid=swg21983128
---------------------------------------------
*** IBM Applicable countries and regions ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099367
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in the versions of IBM WebSphere Application Server Community Edition bundled with Web Experience Factory 7.0.x and 8.0.x (CVE-2015-5345) (CVE-2016-0706) (CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21981775
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000121
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 20-05-2016 18:00 − Monday 23-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Backdoor in Fake Joomla! Core Files ***
---------------------------------------------
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html
*** 60 percent of enterprise Android phones prone to QSEE vulnerability ***
---------------------------------------------
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
---------------------------------------------
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-…
*** The strange case of WinZip MRU Registry key, (Sun, May 22nd) ***
---------------------------------------------
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21087&rss
*** ENISA-Europol issue joint statement ***
---------------------------------------------
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-state…
*** ATMs: criminals steal millions in two hours ***
---------------------------------------------
Criminal card counterfeiters operate globally: using credit card information from a South African bank, a gang in Japan stole cash worth more than 12 million euros in just 2.5 hours.
---------------------------------------------
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwe…
*** National coordinators meet to prepare for ECSM launch ***
---------------------------------------------
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-p…
*** Organizations unprepared for employee-caused security incidents ***
---------------------------------------------
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-inciden…
*** When Hashing isn't Hashing ***
---------------------------------------------
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
---------------------------------------------
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/
*** Technical Report about the RUAG espionage case ***
---------------------------------------------
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
---------------------------------------------
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espion…
*** Hack of defence contractor: Swiss CERT gives security tips for companies ***
---------------------------------------------
Other security firms could take this as an example: the Swiss CERT has analysed in detail the attack methods an APT group used against the technology group Ruag and gives companies tips on protection.
---------------------------------------------
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-secu…
*** After trio of hacks, SWIFT addresses information sharing concerns ***
---------------------------------------------
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
---------------------------------------------
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-s…
*** Student convicted after finding encryption flaws in government network ***
---------------------------------------------
He found that the encrypted network often wasn't... but he lost patience when it looked as though nothing was being done about it.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding…
*** A recently patched Flash Player exploit is being used in widespread attacks ***
---------------------------------------------
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware. The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents. When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
---------------------------------------------
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-…
*** Security Update Available for Adobe Connect (APSB16-17) ***
---------------------------------------------
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1355
*** TA16-144A: WPAD Name Collision Vulnerability ***
---------------------------------------------
Original release date: May 23, 2016. Systems Affected: Windows, OS X, Linux systems, and web browsers with WPAD enabled. Overview: Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-144A
*** Bugzilla 4.4.11 and 5.0.2 Security Advisory ***
---------------------------------------------
A specially crafted bug summary could trigger XSS in dependency graphs.
---------------------------------------------
https://www.bugzilla.org/security/4.4.11/
*** DSA-3585 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3585
*** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114185.aspx
*** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability ***
---------------------------------------------
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114097.aspx
*** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-353/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). ***
http://www.ibm.com/support/docview.wss?uid=swg21981914
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) ***
http://www.ibm.com/support/docview.wss?uid=swg21983720
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) ***
http://www.ibm.com/support/docview.wss?uid=swg21980989
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www.ibm.com/support/docview.wss?uid=swg21982607
---------------------------------------------
*** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) ***
http://www.ibm.com/support/docview.wss?uid=swg21983328
---------------------------------------------
*** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) ***
http://www.ibm.com/support/docview.wss?uid=swg21983555
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software ***
http://www.ibm.com/support/docview.wss?uid=swg21982949
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982528
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983002
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983647
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982159
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ***
http://www.ibm.com/support/docview.wss?uid=swg21981545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21983242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=swg21982697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 19-05-2016 18:00 − Friday 20-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3584 librsvg - security update ***
---------------------------------------------
Gustavo Grieco discovered several flaws in the way librsvg, a SAX-based renderer library for SVG files, parses SVG files with circular definitions. A remote attacker can take advantage of these flaws to cause an application using the librsvg library to crash.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3584
*** Petya and Mischa - Ransomware Duet (part 1) ***
---------------------------------------------
After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-rans…
*** EITest campaign still going strong, (Fri, May 20th) ***
---------------------------------------------
Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2]. During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21081
*** TLS/GCM: Danger from duplicate nonces ***
---------------------------------------------
Modern TLS connections usually use the AES-GCM encryption scheme. It requires a so-called nonce value that must not repeat. Otherwise security is lost.
---------------------------------------------
http://www.golem.de/news/tls-gcm-gefahr-durch-doppelte-nonces-1605-121005.h…
*** Important Security-Bulletin Pre-Announcement ***
---------------------------------------------
https://typo3.org/news/article/important-security-bulletin-pre-announcement…
*** Resource Data Management Intuitive 650 TDB Controller Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability and a cross-site request forgery vulnerability in Resource Data Management's Intuitive 650 TDB Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-01
*** Siemens SIPROTEC Information Disclosure Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for information disclosure vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-02
*** Hacked in a public space? Thanks, HTTPS ***
---------------------------------------------
Kali Linux, laptop, coffee - hack on! Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesn't mean anything if you can't trust the other end of the connection and its upstream signatories. Do you ..
---------------------------------------------
www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/
*** Important security patch for Typo3 ahead ***
---------------------------------------------
Many Typo3 versions apparently contain a serious security vulnerability. A patch is due to be released early next week.
---------------------------------------------
http://heise.de/-3212058
*** l+f: Extortion for a good cause ***
---------------------------------------------
An encryption trojan demands a horrendous sum and claims it wants to do good with it. If you believe that ...
---------------------------------------------
http://heise.de/-3212111
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 18-05-2016 18:00 − Thursday 19-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Website Hacked Trend Report - 2016/Q1 ***
---------------------------------------------
Our Remediation group is comprised of two distinct teams, the Incident Response Team (IRT) and Malware Research Team (MRT). These teams work closely with our customers in an effort to identify and remove website infections to include ..
---------------------------------------------
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
*** Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028 ***
---------------------------------------------
https://www.drupal.org/node/2728711
*** Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027 ***
---------------------------------------------
https://www.drupal.org/node/2728693
*** Web Mailing List vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN43076390/
*** The 5Ws and 1H of Ransomware ***
---------------------------------------------
For the past three months, we have seen ransomware hop its way across the globe. The majority of the ransomware incidents are found in the United States, then Italy, and Canada. The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ranso…
*** Hacker attack on LinkedIn: 100 million users affected ***
---------------------------------------------
Attack took place back in 2012 - however, its full extent has only now become known
---------------------------------------------
http://derstandard.at/2000037231582
*** Ransomware: Teslacrypt developers give up ***
---------------------------------------------
Master key published, decryption software available.
---------------------------------------------
http://derstandard.at/2000037236758
*** Ransomware Awareness Day ***
---------------------------------------------
Our colleagues at the Swiss Reporting and Analysis Centre for Information Assurance MELANI are holding an action day on the topic of ransomware today, 19 May 2016. The aim is for the information about the threat ..
---------------------------------------------
http://www.cert.at/services/blog/20160519095712-1737.html
*** Kernel Waiter Exploit from the Hacking Team Leak Still Being Used ***
---------------------------------------------
Although the Hacking Team leak took place several months ago, the impact of this data breach - where exploit codes were made public and spurred a chain of attacks - can still be felt until today. We recently spotted malicious Android apps that appear to use an exploit found in the Hacking Team data ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/kernel-waiter-ex…
*** FBI does not have to hand Mozilla information about security vulnerability ***
---------------------------------------------
The judge in a case against a user of a child pornography platform has refused to let Mozilla intervene in order to obtain information about a security vulnerability in the Tor Browser.
---------------------------------------------
http://heise.de/-3211120
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 17-05-2016 18:00 − Wednesday 18-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** That Insane, $81M Bangladesh Bank Heist? Here's What We Know ***
---------------------------------------------
Someone stole $81 million from Bangladesh Bank in a matter of hours, and appears to have targeted other banks that use ..
---------------------------------------------
http://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
*** Academics Make Theoretical Breakthrough in Random Number Generation ***
---------------------------------------------
Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security.
---------------------------------------------
http://threatpost.com/academics-make-theoretical-breakthrough-in-random-num…
*** XSA-176 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-176.html
*** First ATM malware is back and badder than ever ***
---------------------------------------------
Original gangster Skimer goes global. Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat.
---------------------------------------------
www.theregister.co.uk/2016/05/17/skimer_atm_malware/
*** Cisco Adaptive Security Appliance XML Parser Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Central Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Identity Services Engine Active Directory Integration Component Remote Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Malicious macro using a sneaky new trick ***
---------------------------------------------
We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a…
*** Hackers gut underground forum Nulled.IO ***
---------------------------------------------
In the hacker forum Nulled.IO, like-minded people meet and trade in, for example, stolen user accounts. Ironically, Nulled.IO itself has now fallen victim to a devastating hacker attack.
---------------------------------------------
http://heise.de/-3209682
*** Windows 10 Device Guard and Credential Guard Demystified ***
---------------------------------------------
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some ..
---------------------------------------------
https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-…
*** Scammers target cybersecurity brands ***
---------------------------------------------
Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands.
---------------------------------------------
https://www.htbridge.com/blog/scammers-target-cybersecurity-companies-brand…
*** Google to shutter SSLv3, RC4 from SMTP servers, Gmail ***
---------------------------------------------
Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16. After the deadline, Google's SMTP servers will no longer exchange mail with servers ..
---------------------------------------------
http://www.cio.com/article/3071866/security/google-to-shutter-sslv3-rc4-fro…
*** Magento 2.0.6 Security Update ***
---------------------------------------------
Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.
---------------------------------------------
https://magento.com/security/patches/magento-206-security-update
*** Magento - Unauthenticated Remote Code Execution ***
---------------------------------------------
The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.
---------------------------------------------
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-executi…
*** Security directive: EU Council approves mandatory reporting of cyberattacks ***
---------------------------------------------
The EU member states have adopted the compromise on the planned directive on network and information security that negotiators had previously worked out with the EU Parliament. It concerns security requirements for online providers.
---------------------------------------------
http://heise.de/-3210189
*** Ransomware Activity Spikes in March, Steadily increasing throughout 2016 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/ransomware_activity.ht…
*** The Ultimate Guide to Angler Exploit Kit for Non-Technical People ***
---------------------------------------------
There's been a lot of talk about the Angler exploit kit lately, but, for most people, the warnings don't strike a chord. And they're definitely not to blame. Not everyone ..
---------------------------------------------
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-tech…
*** The Crypto Wars and their consequences: How old backdoors continue to haunt us ***
---------------------------------------------
Once again, politicians, intelligence agencies and law enforcement are demanding that crypto software be deliberately weakened. That was mandated once before, and the consequences still haunt us today: devastating security vulnerabilities have their origin in exactly that.
---------------------------------------------
http://heise.de/-3210209
*** Bitly partners with Let's Encrypt for HTTPS links ***
---------------------------------------------
Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they're partnering with Let's Encrypt to generate SSL certificates for more than 40,000 Bitly ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/18/bitly-https-links/
*** IRZ RUH2 3G Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in iRZ's RUH2 device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01
*** Moxa EDR-G903 Secure Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on February 11, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for Moxa's ECR G903 secure routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-042-01
*** Fixing `marked` XSS vulnerability ***
---------------------------------------------
A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application.
---------------------------------------------
https://snyk.io/blog/marked-xss-vulnerability/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 13-05-2016 18:00 − Tuesday 17-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Panama Papers: the result of neglected IT security ***
---------------------------------------------
The financial, legal and political world have been turned upside down by the Panama Papers. But how on earth was it possible to steal 2.6 terabytes of data from Mossack Fonseca?
---------------------------------------------
https://blog.gdatasoftware.com/2016/05/28239-panama-papers-the-result-of-ne…
*** Yahoo-owned Tumblr announces email credential compromise ***
---------------------------------------------
Tumblr announced Thursday that a third party accessed a set of Tumblr user email addresses with salted and hashed passwords.
---------------------------------------------
http://www.scmagazine.com/tumblr-announces-email-credentials-compromised/ar…
*** CVE-2016-4117: Flash Zero-Day Exploited in the Wild ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-ze…
*** "Malicious design": How websites trick and defraud users ***
---------------------------------------------
Unscrupulous rip-off practices are coming under increasing criticism, such as the automatic selection of subscriptions
---------------------------------------------
http://derstandard.at/2000037009828
*** Unethical research: Scientists publish 70,000 OKCupid profiles ***
---------------------------------------------
Scientists from Denmark have analysed and published the profiles of around 70,000 OKCupid users. The gentlemen involved are urgently advised to take an ethics seminar.
---------------------------------------------
http://www.golem.de/news/unethische-forschung-wissenschaftler-veroeffentlic…
*** Gatecoin: More than two million US dollars in cryptocurrencies stolen ***
---------------------------------------------
Anyone who keeps their Bitcoin or Ether with the provider Gatecoin should check their accounts - around 15 percent of the deposits were stolen. Withdrawals are not expected to be possible again until 28 May, but compensation rules are being worked on.
---------------------------------------------
http://www.golem.de/news/gatecoin-ueber-zwei-millionen-us-dollar-in-kryptow…
*** Swift attack fended off: Transaction worth millions in cyber thieves' sights ***
---------------------------------------------
The hackers' target at Tien Phong Bank was a transaction worth the equivalent of more than one million euros
---------------------------------------------
http://derstandard.at/2000037024022-1231152558333
*** Carding Sites Turn to the 'Dark Cloud' ***
---------------------------------------------
Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this ..
---------------------------------------------
http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/
*** Chrome could block Flash by default before the end of this year ***
---------------------------------------------
Google apparently plans to make HTML5 the default in its Chrome web browser even more rigorously. As part of this, Flash content is to be played either not at all or only in exceptional cases.
---------------------------------------------
http://heise.de/-3208837
*** Android Hacking: Dumping and Analyzing Application's Memory ***
---------------------------------------------
In this article, we will discuss how to dump the memory of a specific application using Android Studio's heap dump feature. We will also explore Eclipse Memory Analyzer (MAT) to analyze the heap dump we acquire. It is possible to create heap dumps of an application's heap in Android. We can dump ..
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-dumping-and-analyzing…
*** Cisco Video Communication Server Session Initiation Protocol Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** OS X El Capitan v10.11.5 and Security Update 2016-003 ***
---------------------------------------------
https://support.apple.com/kb/HT206567
*** DSA-3580 imagemagick - security update ***
---------------------------------------------
Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3580
*** Secure Coding: How to Account for Input Sanitization ***
---------------------------------------------
On average, a website leverages around 18-20 different plugins in its structure. These plugins enhance the website's functionality and in some instances extend the application's core capabilities. It's great for website owners because they can pick and ..
---------------------------------------------
https://blog.sucuri.net/2016/05/secure-coding-account-input-sanitization.ht…
*** Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Zombie crypto still rules smart grids: OSGP vendors need to kill RC4 ***
---------------------------------------------
Deprecated almost everywhere, researchers crack open smart grid ancient crypto suite AGAIN. The Open Smart Grid Protocol's custom RC4 encryption has been cracked - again.
---------------------------------------------
www.theregister.co.uk/2016/05/17/zombie_crypto_still_rules_smart_grids/
*** Malicious Android apps slip into Google Play, top third party charts ***
---------------------------------------------
Enlist phones in ad fraud, premium SMS, loser DDoS. Malicious Android applications have bypassed Google's Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets.
---------------------------------------------
www.theregister.co.uk/2016/05/17/viking_horde_android_app_malware/
*** VMSA-2016-0005 ***
---------------------------------------------
VMware product updates address critical and important security issues
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Critical vulnerability endangers antivirus products from Symantec and Norton ***
---------------------------------------------
A dangerous bug in Symantec's scan engine has far-reaching consequences and threatens all Symantec and Norton products on all platforms, a security researcher warns.
---------------------------------------------
http://heise.de/-3208967
*** Security Principles in iOS Architecture ***
---------------------------------------------
I strongly suggest readers check out my two prior blogs on Cryptography, Principle of Least Privilege, and Biometrics. All of these will be explored in depth throughout this blog.
---------------------------------------------
https://woumn.wordpress.com/2016/05/02/security-principles-in-ios-architect…
*** Killing XSS and CSRF on web server layer ***
---------------------------------------------
Existing and new web security technologies based on actively developed RFCs propose new approaches to common web vulnerabilities remediation.
---------------------------------------------
https://www.htbridge.com/blog/killing-xss-and-csrf-on-web-server-layer.html
*** "Cryptohitman": Ransomware replaces lock screen with porn ***
---------------------------------------------
Encrypts files with the extension ".porno" - free tool rescues user data
---------------------------------------------
http://derstandard.at/2000037097552
*** Finance Ministry warns of fake BMF emails ***
---------------------------------------------
Phishing attack - delete, delete, delete!
---------------------------------------------
http://derstandard.at/2000037101098
*** The Sleepy User Agent ***
---------------------------------------------
From time to time a customer writes in and asks about certain requests that have been blocked by the CloudFlare WAF. Recently, a customer couldn't understand why it appeared that some simple GET requests for their homepage were ..
---------------------------------------------
https://blog.cloudflare.com/the-sleepy-user-agent/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 12-05-2016 18:00 − Friday 13-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cyber Heist Attribution ***
---------------------------------------------
Written by Sergei Shevchenko and Adrian Nish | BACKGROUND | Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks. Our research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of...
---------------------------------------------
http://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html
*** New attack on Swift network: Attackers use manipulated PDF reader ***
---------------------------------------------
A bank apparently did not use hash values of the individual operations to verify transactions - instead it visually inspects PDFs. For this reason, attackers were once again able to carry out illegal transactions on the Swift network.
---------------------------------------------
http://www.golem.de/news/neuer-angriff-auf-swift-netzwerk-angreifer-nutzen-…
*** ECB plans reporting office for cyberattacks on banks ***
---------------------------------------------
The banking supervisors of the European Central Bank are also responding to the growing number of attacks with a reporting obligation for serious threats.
---------------------------------------------
http://heise.de/-3207934
*** MISP - Malware Information Sharing Platform, (Fri, May 13th) ***
---------------------------------------------
In a previous diary (Unity Makes Strength), I briefly mentioned MISP (which means Malware Information Sharing Platform). Since this tool is becoming more and more popular, I'd like to give more details about it. "Sharing is key" could be the slogan of MISP. The idea is to allow different organizations to share IOCs (Indicators of Compromise) like IP addresses, domains, hashes, URLs, filenames, ... The goal is to increase their ability to protect themselves against malicious activities. With millions of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21053&rss
*** Open sourcing our NGINX HTTP/2 + SPDY code ***
---------------------------------------------
In December, we released HTTP/2 support for all customers and last week we released HTTP/2 Server Push support as well. The release of HTTP/2 by CloudFlare had a huge impact on the number of sites supporting and using the protocol. Today, 50% of sites that use HTTP/...
---------------------------------------------
https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/
*** Meteocontrol WEBlog Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one authentication and two information exposure vulnerabilities in Meteocontrol's WEB'log application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
*** TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe ***
---------------------------------------------
Topic: TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe Risk: Medium Text: Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775 The main component of Trend Micro Antivirus is CoreSe...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050051
*** Symantec Messaging Gateway 10.6.x ACE Library Static Link to Vulnerable SSL Version ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: May 2016 - HipChat Server - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538378
*** Bugtraq: [security bulletin] HPSBGN03597 rev.1 - HPE Cloud Optimizer (Virtualization Performance Viewer) using glibc Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538371
*** Bugtraq: [security bulletin] HPSBMU03589 rev.1 - HPE Version Control Repository Manager (VCRM), Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538377
*** Bugtraq: [security bulletin] HPSBMU03591 rev.1 - HPE Server Migration Pack, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538376
*** Bugtraq: [security bulletin] HPSBMU03590 rev.1 - HPE Systems Insight Manager (SIM) on Windows and Linux, Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538379
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server for Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983039
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition 8.5.0 (CVE-2016-3449, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982262
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Express for Unix (CVE-2016-2842). ***
http://www.ibm.com/support/docview.wss?uid=swg21982374
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability exist in IBM Cognos TM1 ***
http://www.ibm.com/support/docview.wss?uid=swg21981936
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21973066
---------------------------------------------
Next End-of-Shift Report: 2016-05-17
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 11-05-2016 18:00 − Thursday 12-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Updates Available for Adobe Flash Player (APSB16-15) ***
---------------------------------------------
A Security Bulletin (APSB16-15) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1352
*** Tips to Prevent Ransomware in Healthcare Environments ***
---------------------------------------------
If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware. By this time last year, 105 healthcare breaches had been reported to the U.S. Department of...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/tips-to-prevent-ransomwa…
*** Unpacker 7-Zip can be abused to execute malicious code ***
---------------------------------------------
Via a vulnerability in the compression tool 7-Zip, attackers can execute malicious code and possibly also take over the victim's computer. Particularly explosive: the tool's open-source code is also embedded in security software.
---------------------------------------------
http://heise.de/-3206787
*** US-CERT warns operators of SAP systems ***
---------------------------------------------
The trigger for the security warning from the US computer emergency team is a report according to which at least 36 organisations around the world were attacked and compromised via an SAP vulnerability.
---------------------------------------------
http://heise.de/-3207245
*** New Wave of the Test0.com/Test5.xyz Redirect Hack ***
---------------------------------------------
Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain - test5 .xyz (registered just a few...
---------------------------------------------
https://blog.sucuri.net/2016/05/test0test5-com-redirect-hack-new-wave.html
*** Popular cache Squid skids as hacker pops lid ***
---------------------------------------------
Yet another mess we can blame on the combination of Flash and advertising. Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/12/telco_fave_…
*** Giving up Your Roots: A Root Remedy Checklist ***
---------------------------------------------
As an IT organization, should you be concerned that your sysAdmins login as root, su to root, or sudo su to root?
---------------------------------------------
https://www.beyondtrust.com/blog/root-remedy-checklist/
*** Facebook CTF platform is now open source ***
---------------------------------------------
Capture the Flag competitions are a good - not to mention legal - way for hackers to build and hone their skills. But, quality CTF environments are difficult and expensive to build and run. This is a burden that Facebook aims to lighten by open sourcing the Facebook CTF platform, devised for the training of their own employees and used around the world by various organizations looking to interest kids in computer security. The now-free...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/12/facebook-ctf-platform-open-sourc…
*** From the Netherlands Presidency of the EU Council: Coordinated vulnerability disclosure Manifesto signed ***
---------------------------------------------
Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto today, in which they declare to support the principle of having a point of contact to report IT vulnerabilities to and already have this set up in their own organisations, or they plan to do so soon. By signing the manifesto, the participating...
---------------------------------------------
https://www.enisa.europa.eu/news/member-states/from-the-netherlands-preside…
*** DFN-CERT-2016-0770: Jenkins: Multiple vulnerabilities allow, among other things, information disclosure ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0770/
*** DFN-CERT-2016-0739: OpenVPN: Two vulnerabilities allow denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/
*** Security Notice - Statement on Bogner Florian Revealing Privilege Escalation Vulnerability in Huawei E5373 LTE Mobile Wi-Fi Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160512-01-…
*** F5 Security Advisory: Nginx vulnerabilities CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23073482.html?…
*** BulletProof Security <= .53.3 - Multiple XSS Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8492
*** Bugtraq: [security bulletin] HPSBHF03592 rev.1 - HPE VAN SDN Controller OVA using OpenSSL, Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538359
*** Bugtraq: [security bulletin] HPSBNS03581 rev.2 - HPE NonStop Servers running Samba (NS-Samba), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538360
*** Bugtraq: [security bulletin] HPSBST03598 rev.1 - HPE 3PAR OS using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538365
*** Bugtraq: [security bulletin] HPSBST03586 rev.1 - HPE 3PAR OS, Remote Unauthorized Modification ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538364
*** Bugtraq: [security bulletin] HPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service (DoS), Access Restriction Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538366
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0363) ***
http://www.ibm.com/support/docview.wss?uid=swg21982489
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Web Browser XSS Protection affects IBM Algorithmics Algo Risk Application - CVE-2016-0390 ***
http://www.ibm.com/support/docview.wss?uid=swg21981321
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect WebSphere Application Server shipped with SmartCloud Provisioning ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000105
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982883
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Deployer. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982877
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg21982172
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7488) ***
http://www.ibm.com/support/docview.wss?uid=swg21982874
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=swg21982873
---------------------------------------------
*** IBM Security Bulletin: A potential vulnerability in IBM Java SDK affect InfoSphere Streams (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973403
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 10-05-2016 18:00 − Wednesday 11-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Security Advisory posted for Adobe Flash Player (APSA16-02) ***
---------------------------------------------
A Security Advisory (APSA16-02) has been published regarding a critical vulnerability (CVE-2016-4117) in Adobe Flash Player. Adobe is aware of a report that an exploit ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1346
*** Security Updates for Adobe Acrobat and Reader and Hotfixes for ColdFusion Available ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-14) as well as ColdFusion (APSB16-16) have been published. Adobe recommends users update their product installations to the latest versions using the instructions in the relevant security ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1350
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by vulnerabilities in IBM Spectrum Scale (CVE-2016-0263, CVE-2016-0361) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023767
*** MS16-MAY - Microsoft Security Bulletin Summary for May 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-MAY
*** May 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/05/10/may-2016-security-updat…
*** 5 security experts share their best tips for 'fringe' devices ***
---------------------------------------------
What is a 'fringe' device in IT? For some, it's a gadget everyone has forgotten about - a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that's common enough to be used ..
---------------------------------------------
http://www.cio.com/article/3068406/security/5-security-experts-share-their-…
*** Panasonic FPWIN Pro Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details concerning buffer overflow vulnerabilities in Panasonic FPWIN Pro software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-131-01
*** DSA-3574 libarchive - security update ***
---------------------------------------------
Rock Stevens, Andrew Ruef and Marcin Icewall Noga discovered a heap-based buffer overflow vulnerability in the zip_read_mac_metadata function in libarchive, a multi-format archive and compression library, which may ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3574
*** It's time to get serious about ICS cybersecurity ***
---------------------------------------------
As recently reported by The Register, a proof-of-concept PLC worm could spell disaster for the critical infrastructure by making attacks exponentially more difficult to detect and stop. Unfortunately, the proof of concept of a PLC worm is a viable scenario which could cause immeasurable ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/time-get-serious-ics-cybersecuri…
*** Patch day: Microsoft closes zero-day vulnerability in Internet Explorer ***
---------------------------------------------
As every month, the message for Windows users in May is once again: install the patches quickly! This time it is especially urgent, because one vulnerability closed on this patch day was already being actively exploited in attacks before its disclosure.
---------------------------------------------
http://heise.de/-3202816
*** Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050040
*** The Art of Searching for Open Source Intelligence ***
---------------------------------------------
The Internet is a big ocean, and it carries loads of information you might be interested in or looking for, but where and how to find that information? Thanks to search engines like Google that make the searches using a query possible, ..
---------------------------------------------
http://resources.infosecinstitute.com/the-art-of-searching-for-open-source-…
*** CryptXXX 2.0 foils decryption tool, locks PCs ***
---------------------------------------------
CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It's also on its way to become one of the top ransomware families in the wild. The malware's first version would encrypt files but leave ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/cryptxxx-2-0-foils-decryption/
*** Adobe takes its time with patch for exploited vulnerability ***
---------------------------------------------
Adobe is taking more time with the security update for Flash Player than users need to uninstall the software.
---------------------------------------------
http://www.golem.de/news/kritische-flash-luecke-adobe-laesst-sich-zeit-mit-…
*** Background: Dridex analyzed ***
---------------------------------------------
A short series of articles shows how to take apart a botnet client with a debugger.
---------------------------------------------
http://heise.de/-3204362
*** TA16-132A: Exploitation of SAP Business Applications ***
---------------------------------------------
Original release date: May 11, 2016. Systems Affected: Outdated or misconfigured SAP systems. Overview: At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered ..
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-132A
*** Updated factsheets security of ICS/SCADA systems ***
---------------------------------------------
Malicious persons and security researchers show interest in the (lack of) security of industrial control systems. This relates not only to 'traditional' ICS/SCADA systems, but also to building management systems (incl. HVAC and CCTV).
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/updated-factsheets-security…
*** IBM Security Bulletin: Multiple vulnerabilities in Samba affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000130
*** IBM Security Bulletin: IBM Emptoris Sourcing is affected by open redirect vulnerability (CVE-2016-0329). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21982629
*** IBM Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000110