- Daily - CERT.at

Tageszusammenfassung - Montag 7-03-2016
by Daily end-of-shift report 07 Mar '16

07 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 04-03-2016 18:00 − Montag 07-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** When a WordPress Plugin Goes Bad *** --------------------------------------------- Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a "new version" of that plugin. --------------------------------------------- https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html *** Novel method for slowing down Locky on Samba server using fail2ban, (Sun, Mar 6th) *** --------------------------------------------- One of our loyal readers, Gebhard, pointed out a nice post (in German) on how to slow down Lockyif you are using a Samba server for filesharing in your environment. The technique takes advantage of fail2ban and some additional Samba logging to keep Locky from encrypting all the files on the share. It is worth a look. ">[de]:">[en]:https://translate.google.com/translate?sl=autotl=enjs=yprev=_thl=enie=U… --------------- Jim Clausing, --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20805&rss *** KeRanger: Erste Ransomware-Kampagne bedroht Mac OS X *** --------------------------------------------- Ein Erpressungs-Trojaner verschlüsselt erstmals auch Daten von Mac-Nutzern. Der Schädling versteckt sich im BitTorrent-Client Transmission. Apple und die Entwickler haben bereits reagiert. --------------------------------------------- http://heise.de/-3129346 *** Bundestags-Hack: Angriff mit gängigen Methoden und Open-Source-Tools *** --------------------------------------------- Interne Dokumente bringen neue Details zum Hackerangriff auf den Bundestag im letzten Jahr ans Licht: Die Angreifer bedienten sich gängiger Methoden und setzten frei verfügbare Werkzeuge ein. --------------------------------------------- http://heise.de/-3129862 *** Maintainers of new generic top level domains have a hard time keeping abuse in check *** --------------------------------------------- Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones.Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, has published a list of the worlds top 10 "worst TLDs" on Saturday. Whats interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLDs ratio of... --------------------------------------------- http://www.cio.com/article/3041338/maintainers-of-new-generic-top-level-dom… *** DFN-CERT-2016-0398: Squid: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0398/ *** HPE Network Automation Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1035192 *** Filr 2.0 - Security Update 1 *** --------------------------------------------- Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 2.0.0 appliances (CVE-2015-7547).Document ID: 5237510Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-2.0.0.182.HP.zip (21.71 MB)Filr-2.0.0.422.HP.zip (23.03 MB)Search-2.0.0.400.HP.zip (21.71 MB)Products:Filr 2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=LqikC-Hosps~ *** Filr 1.2 - Security Update 2 *** --------------------------------------------- Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 1.2.0 appliances (CVE-2015-7547).Document ID: 5237480Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:Filr-1.2.0.861.HP.zip (23.03 MB)MySQL-1.2.0.413.HP.zip (21.71 MB)Search-1.2.0.998.HP.zip (21.71 MB)Products:Filr 1.2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=PQBDzZUKFac~ *** Sentinel 7.4 SP1 (Sentinel 7.4.1.0) Build 2512 *** --------------------------------------------- Abstract: Sentinel 7.4.1 upgrade for Sentinel 7.4Document ID: 5237090Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_server-7.4.1.0-2512.x86_64.tar.gz.sha256 (109 bytes)sentinel_server-7.4.1.0-2512.x86_64.tar.gz (1.74 GB)Products:SentinelSentinel 7.3Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4Sentinel 7.2Sentinel 7.2.1Sentinel 7.2.2Sentinel 7.4.1Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=ZEMvbiAk5k8~ *** innovaphone IP222 / IP232 Denial Of Service *** --------------------------------------------- Topic: innovaphone IP222 / IP232 Denial Of Service Risk: Medium Text: --BEGIN PGP SIGNED MESSAGE -- Hash: SHA512 Advisory ID: SYSS-2015-053 Product: innovaphone IP222/IP232 Manufacturer: inn... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030035 *** Bugtraq: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537708 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libpng affect PowerKVM (CVE-2015-8126, CVE-2015-8472) *** 2016-03-07T08:14:25-05:00 http://www.ibm.com/support/docview.wss?uid=isg3T1023374 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM MQ Appliance (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977498 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the GNU C Library (glibc) affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023385 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Guardium (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977444 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in grub2 affect PowerKVM (CVE-2015-5281, CVE-2015-8370) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023376 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in netcf affects PowerKVM (CVE-2014-8119) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023367 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail affected by libcurl vulnerability (CVE-2016-0755) *** http://www.ibm.com/support/docview.wss?uid=swg21977843 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023350 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in bind affects PowerKVM (CVE-2015-8704) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023372 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in MIT Kerberos 5 (krb5) affect PowerKVM (CVE-2014-5355, CVE-2015-2694) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023354 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in file affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023349 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in xfsprogs affects PowerKVM (CVE-2012-2150) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Gnu binutils affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023355 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 4-03-2016
by Daily end-of-shift report 04 Mar '16

04 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 03-03-2016 18:00 − Freitag 04-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-09) *** --------------------------------------------- A prenotification Security Advisory has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, March 8, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1319 *** Open-Xchange Guard 2.2.0 / 2.0 Private Key Disclosure *** --------------------------------------------- The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains .. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030034 *** Kriminelle setzen oft auf Standard-Passwörter *** --------------------------------------------- Im Projekt Heisenberg haben Honeypots einen RDP-Port angeboten. Sicherheitsforscher werteten im weiteren Verlauf die Login-Daten von Angreifern aus. --------------------------------------------- http://www.heise.de/newsticker/meldung/Kriminelle-setzen-oft-auf-Standard-P… *** NCSC publishes factsheet Disable SSL 2.0 and upgrade OpenSSL *** --------------------------------------------- On 1 March, a group of researchers presented the DROWN attack methods for TLS. An attacker uses DROWN to abuse servers that still support SSL 2.0. Servers that run a vulnerable version of OpenSSL can be abused in the same way, regardless of whether they support SSL 2.0. An attacker who is able to intercept network traffic that is secured with TLS, may attempt to decrypt this traffic .. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-di… *** Mit Sicherheit - BSI-Magazin 2016/01 *** --------------------------------------------- in dieser Ausgabe des BSI-Magazins blicken wir zurück auf ein Vierteljahrhundert deutsche IT-Sicherheitsgeschichte, denn das Bundesamt für Sicherheit in der Informationstechnik feiert in diesem Jahr sein .. --------------------------------------------- https://www.bsi.bund.de/DE/Publikationen/BSI-Magazin/BSI-Magazin_node.html *** Amazon App Store verbreitet Android-Trojaner *** --------------------------------------------- Kann Nutzer umfassend ausspionieren – Lässt sich aber auch einfach deinstallieren .. --------------------------------------------- http://derstandard.at/2000032287420 *** Drown-Angriff: Server4You stellt tausende betroffene Kunden bloss *** --------------------------------------------- In einem Abuse-Ticket von Server4You an Kunden mit vom Drown-Angriff bedrohten Servern tauchen zehntausende IP-Adressen und Ports betroffener Server auf. Zudem stellt der Hoster den Kunden ein Ultimatum - rudert mittlerweile aber wieder zurück. --------------------------------------------- http://heise.de/-3128656 *** Amazon entfernt Verschlüsselungsfunktion aus Fire-Tablets *** --------------------------------------------- Weil die Kunden sie nicht benutzt hätten, hat Amazon die Android-Funktion zur Verschlüsselung des Speichers aus dem Betriebssystem seiner Fire-Tablets entfernt. So zumindest erklärt der Konzern den nun bekannt gewordenen Schritt. --------------------------------------------- http://heise.de/-3128844 *** Chaos Computer Club bekommt Schwesterverein in Wien *** --------------------------------------------- Mitgliederversammlung am Samstag - Hackertreffen Easterhegg findet in Salzburg statt --------------------------------------------- http://derstandard.at/2000032301583

1 0

Tageszusammenfassung - Donnerstag 3-03-2016
by Daily end-of-shift report 03 Mar '16

03 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 02-03-2016 18:00 − Donnerstag 03-03-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** LibreSSL Unaffected By DROWN *** --------------------------------------------- The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintainance of OpenSSL, culminating in the heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2 which has fundamental security flaws. As a result, LibreSSL is not .. --------------------------------------------- http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown *** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Schneider Electric Building Operation Automation Server Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 *** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability *** --------------------------------------------- This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02 *** Windows Built-In PDF Reader Exposes Edge Browser To Hacking *** --------------------------------------------- Edge, Microsofts new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT .. --------------------------------------------- http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader… *** Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases *** --------------------------------------------- http://www.securitytracker.com/id/1035174 *** Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011 *** --------------------------------------------- The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on .. --------------------------------------------- https://www.drupal.org/node/2679515 *** Register now for the International NCSC One Conference 2016 *** --------------------------------------------- Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/register-now-for-the-intern… *** Wie Betrüger Apple Pay missbrauchen können *** --------------------------------------------- Apple Pay ist praktisch und gilt als sicher. Doch das System lässt sich von Kriminellen missbrauchen, um digitale Kreditkartenkopien zu erstellen. --------------------------------------------- http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koen… *** Java Deserialization Attacks with Burp *** --------------------------------------------- This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with. --------------------------------------------- https://blog.netspi.com/java-deserialization-attacks-burp/ *** Valve informiert Steam-Nutzer über Weihnachts-Datenpanne *** --------------------------------------------- Fast drei Monate nach der massiven Datenpanne informiert Valve nun die betroffenen Nutzer. Die hatten das Problem in der Zwischenzeit wahrscheinlich längst vergessen. --------------------------------------------- http://heise.de/-3127829

1 0

Tageszusammenfassung - Mittwoch 2-03-2016
by Daily end-of-shift report 02 Mar '16

02 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 01-03-2016 18:00 − Mittwoch 02-03-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX *** --------------------------------------------- We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/ *** Cachebleed-Angriff: CPU-Cache kann private Schlüssel verraten *** --------------------------------------------- Forschern ist es gelungen, RSA-Verschlüsselungsoperationen von OpenSSL mittels eines Cache-Timing-Angriffs zu belauschen und so den privaten Key zu knacken. Der Cachebleed-Angriff nutzt dabei Zugriffskonflikte auf den Cache-Speicher. --------------------------------------------- http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluess… *** Let's ride with TeslaCrypt *** --------------------------------------------- TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analysis are already available on the Internet. In this article we are focusing on two aspects of TeslaCrypt: - The attack vector - The web callback... --------------------------------------------- http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/ *** Security: Angebliche Locky-Warnung vom BKA ist ein Trojaner *** --------------------------------------------- Die Angst vor Locky wird jetzt offenbar von Kriminellen ausgenutzt. In einer angeblich vom Bundeskriminalamt stammenden Mail wird vor dem Kryptotrojaner gewarnt und ein Werkzeug zur Entfernung angeboten - das selbst Malware enthält. --------------------------------------------- http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-… *** $17 smartwatch sends something to random Chinese IP address *** --------------------------------------------- Samsung Gear 2 also has some problems, researcher says RSA bsides A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_bac… *** iPhone-Fingerabdruck lässt sich mit Plastilin austricksen *** --------------------------------------------- Ein Hersteller von Fingerabdrucksensoren zeigt, wie einfach Apples Touch-ID mit gefälschten Fingerabdrücken zu umgehen ist. --------------------------------------------- http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastili… *** Der DROWN Angriff auf SSL/TLS *** --------------------------------------------- Es ist wieder soweit: Es gibt einen Presserummel rund um eine neu entdeckte Schwachstelle in SSL/TLS. Es gibt einen Namen (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) und ein fancy Logo. Nachzulesen ist alles unter: [...] Wir haben uns das angesehen und beschlossen, dazu keine offizielle Warnung zu publizieren. Das Problem ist nicht so dringend und dramatisch, wie manche... --------------------------------------------- http://www.cert.at/services/blog/20160302151126-1688.html *** Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames *** --------------------------------------------- http://www.securitytracker.com/id/1035152 *** DFN-CERT-2016-0366: Perl: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes mit Benutzerrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/ *** Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows *** --------------------------------------------- Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering. --------------------------------------------- https://kc.mcafee.com/corporate/index?page=content&id=SB10151 *** Schneider Electric Building Operation Application Server Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 *** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripiting *** --------------------------------------------- This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT System Software Convert Timing Channel Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21978009 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977368 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976886 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974685 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products. *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210 --------------------------------------------- *** Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540) *** http://www.ibm.com/support/docview.wss?uid=swg21976924 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977618 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 1-03-2016
by Daily end-of-shift report 01 Mar '16

01 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-02-2016 18:00 − Dienstag 01-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Bleichenbacher-Angriff: Drown entschlüsselt mit uraltem SSL-Protokoll *** --------------------------------------------- Kein moderner Browser unterstützt das alte SSL-Protokoll Version 2. Trotzdem kann es zum Sicherheitsrisiko werden, solange Server es aus Kompatibilitätsgründen unterstützen. Es muss nicht einmal derselbe Server sein. --------------------------------------------- http://www.golem.de/news/bleichenbacher-angriff-drown-entschluesselt-mit-ur… *** The Definitive Guide on Win32 to NT Path Conversion *** --------------------------------------------- Posted by James Forshaw, path'ological reverse engineer. How the Win32 APIs process file paths on Windows NT is a tale filled with backwards compatibility hacks, weird behaviour, and beauty. Incorrect handling of Win32 paths can lead to security vulnerabilities. This blog post is to try and give a definitive* guide on the different types of paths supported by the OS. I'm going to try and avoid discussion of quirks in the underlying filesystem implementations (such as NTFS... --------------------------------------------- http://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32… *** De-obfuscating malicious Vbscripts *** --------------------------------------------- With the returned popularity of visual basic as a first attack vector in mind, we took a look at de-obfuscating a few recent vbs files starting with a very easy one and progressing to a lot more complex script.Categories: Malware AnalysisTags: bankerclickerde-obfuscatedecryptdroppermalwareobfuscationPieter Arntztrojanvbsvbscriptworm(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/02/de-obfuscating-malicious… *** Look Into Locky *** --------------------------------------------- Some sources say that Locky is the latest ransomware created and released in the wild by Dridex gang. Our studies indicate that it is well prepared, which means that the threat actor/s behind it has invested for it.Categories: Malware AnalysisTags: Lockyransomware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/03/look-into-locky/ *** OpenSSL Security Advisories *** --------------------------------------------- CVE-2016-0800 (OpenSSL advisory) [High severity] CVE-2016-0705 (OpenSSL advisory) [Low severity] CVE-2016-0798 (OpenSSL advisory) [Low severity] CVE-2016-0797 (OpenSSL advisory) [Low severity] CVE-2016-0799 (OpenSSL advisory) [Low severity] CVE-2016-0702 (OpenSSL advisory) [Low severity] CVE-2016-0703 (OpenSSL advisory) [High severity] CVE-2016-0704 (OpenSSL advisory) [Moderate severity] --------------------------------------------- https://openssl.org/news/vulnerabilities.html *** VU#938151: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service *** --------------------------------------------- Vulnerability Note VU#938151 Forwarding Loop Attacks in Content Delivery Networks may result in denial of service Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016 Overview Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network. Description CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion)Content Delivery Networks (CDNs) are used to improve... --------------------------------------------- http://www.kb.cert.org/vuls/id/938151 *** F5 Security Advisory: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00329831.html?… *** Bugtraq: [security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537659 *** DFN-CERT-2016-0355: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0355/ *** Bugtraq: [SYSS-2016-009] Sophos UTM 525 Web Application Firewall - Cross-Site Scripting in *** --------------------------------------------- http://www.securityfocus.com/archive/1/537662 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974785 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM RLKS Administration and Reporting Tool *** http://www.ibm.com/support/docview.wss?uid=swg21976103 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977374 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977372 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software (CVE-2016-0603) *** http://www.ibm.com/support/docview.wss?uid=swg21978024 --------------------------------------------- *** IBM Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227) *** http://www.ibm.com/support/docview.wss?uid=swg21978058 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977880 --------------------------------------------- *** IBM Security Bulletin:A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977647 --------------------------------------------- *** IBM Security Bulletin:A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977646 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023408 --------------------------------------------- *** Security Bulletin: Vulnerability in IBM Java SDK affects IBM System Networking Switch Center (CVE-2015-7575) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099203 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21978026 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile *** http://www.ibm.com/support/docview.wss?uid=swg21976765 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business *** http://www.ibm.com/support/docview.wss?uid=swg21976678 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Software Architect, Software Architect for WebSphere Software & Rational Software Architect RealTime *** http://www.ibm.com/support/docview.wss?uid=swg21976894 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254) *** http://www.ibm.com/support/docview.wss?uid=swg21977546 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 29-02-2016
by Daily end-of-shift report 29 Feb '16

29 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-02-2016 18:00 − Montag 29-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fixing the Internets routing security is urgent and requires collaboration *** --------------------------------------------- The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internets open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit.In late January, traffic to many IP (Internet Protocol) addresses of the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela. --------------------------------------------- http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is… *** Angler Exploit Kit Learns New Tricks, Finds Home On Popular Website *** --------------------------------------------- Angler Exploit evaded detection through new technique that bypasses Firefox and Chrome security protection. --------------------------------------------- http://threatpost.com/angler-exploit-kit-learns-new-tricks-finds-home-on-po… *** HackingTeam Reborn; A Brief Analysis of an RCS Implant Installer *** --------------------------------------------- As Im generally quite occupied with my day job as Director of R&D at Synack, the weekend is when I finally have some free time to blog. This weekend I wasnt sure what Id write about until @osxreverser tweeted late Friday afternoon:... --------------------------------------------- https://objective-see.com/blog/blog_0x0D.html *** The rise of polymorphic malware *** --------------------------------------------- 97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless. The data collected by Webroot throughout 2015 shows that today's threats are truly global and highly dynamic. Many attacks are staged, delivered, and terminated within a matter of hours, or even minutes, having harvested user credentials and other sensitive information. Countering these threats requires an innovative approach to attack detection that leverages advanced techniques and... --------------------------------------------- https://www.helpnetsecurity.com/2016/02/29/the-rise-of-polymorphic-malware/ *** ATMZombie: banking trojan in Israeli waters *** --------------------------------------------- On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. The incident Israeli banks experienced had a very fascinating and innovative method of stealing the money. --------------------------------------------- http://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israe… *** Increasing the resilience of Europe's telecommunication infrastructures through Incident Reporting *** --------------------------------------------- A recent ENISA report analyses how mandatory incident reporting schemes have improved resilience and security in the EU telecoms sector. Experiences from this scheme can also serve as a model for the implementation of the forthcoming NIS Directive in other sectors. --------------------------------------------- https://www.enisa.europa.eu/media/press-releases/increasing-the-resilience-… *** Security: 85 Prozent der SSL-VPNs haben unsichere Konfigurationen *** --------------------------------------------- Zahlreiche SSL-VPNs sichern den Traffic der Nutzer nur unzureichend ab - das behauptet eine Sicherheitsfirma. Viele Anbieter würden nach wie vor SHA-1 oder MD5 verwenden. Außerdem seien rund 10 Prozent der Dienste für Heartbleed anfällig. --------------------------------------------- http://www.golem.de/news/security-85-prozent-der-ssl-vpns-haben-unsichere-k… *** Klickbetrug: Trojaner-Familie infiltriert immer wieder Google Play *** --------------------------------------------- Android-Nutzer müssen sich derzeit vor kostenlosen Apps in Acht nehmen, die sich als beliebte Spiele ausgeben. Dahinter verbergen sich Klickbetrugs-Apps, mit denen Gauner Kasse machen. --------------------------------------------- http://heise.de/-3120091 *** Cyber-Attack Against Ukrainian Critical Infrastructure *** --------------------------------------------- On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. This report provides an account of the events that took place based on interviews with company personnel. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01 *** OpenSSL CVE-2016-0799: heap corruption via BIO_printf *** --------------------------------------------- There are a couple of issues with OpenSSL's BIO_*printf() functions, defined in crypto/bio/b_print.c, that are set to be fixed in the forthcoming security release. The function that is primarily responsible for interpreting the format string and transforming this string and the functions arguments to a string is _dopr(). --------------------------------------------- https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-co… *** VU#419128: IKE/IKEv2 protocol implementations may allow network amplification attacks *** --------------------------------------------- Vulnerability Note VU#419128 IKE/IKEv2 protocol implementations may allow network amplification attacks Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016 Overview Implementations of the IKEv2 protocol are vulnerable to network amplification attacks. Description CWE-406: Insufficient Control of Network Message Volume (Network Amplification)IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900%... --------------------------------------------- http://www.kb.cert.org/vuls/id/419128 *** F5 Security Advisory: libpng out-of-bounds read vulnerability CVE-2015-7981 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21057235.html?… *** APPLE-SA-2016-02-25-1 Apple TV 7.2.1 *** --------------------------------------------- APPLE-SA-2016-02-25-1 Apple TV 7.2.1Apple TV 7.2.1 is now available and addresses the following:bootpAvailable for: Apple TV (3rd Generation)Impact: A malicious Wi-Fi network may be able to determine networksa device has previously accessedDescription: Upon connecting to a Wi-Fi network, iOS may havebroadcast MAC addresses of previously accessed networks via the DNAv4protocol. This issue was addressed through disabling DNAv4 onunencrypted Wi-Fi networks.CVE-IDCVE-2015-3778 : Piers... --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Feb/msg00000.ht… *** Access Governance Suite 6.0-6.4 *** --------------------------------------------- Abstract: README for HTML Fragment Privilege Escalation Vulnerability E-Fix E-Fix Deliverable: AGS-SV-eFix022416.zipDocument ID: 5236850Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:AGS-SV-eFix022416.zip (3.83 kB)AGS-SV-eFix022416-CHECKSUM.txt (99 bytes)Products:Access Governance 6.4Access Governance 6.1Access Governance 6.2Access Governance 6.3Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=Tft9udlb11s~ *** D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow *** --------------------------------------------- Topic: D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow Risk: High Text:Hello, We’d like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discove... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020224 *** Bugtraq: [security bulletin] HPSBGN03549 rev.1 - HP IceWall Products using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537637 *** Cisco Videoscape Distribution Suite for Internet Streaming TCP Session Handling Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix Security Advisory for glibc Vulnerability CVE-2015-7547 *** --------------------------------------------- A vulnerability has been recently disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:... --------------------------------------------- https://support.citrix.com/article/CTX206991 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ Internet Pass-Thru (CVE-2015-7575) *** 2016-02-26T13:23:47-05:00 http://www.ibm.com/support/docview.wss?uid=swg21977517 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Functional Tester (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976947 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere BigInsights (Applicable CVEs: CVE-2015-7575, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21976080 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2016-0262) *** http://www.ibm.com/support/docview.wss?uid=swg21977828 --------------------------------------------- *** IBM Security Bulletin: Current releases of the IBM SDK, Java Technology Edition are affected by CVE-2016-0603 *** http://www.ibm.com/support/docview.wss?uid=swg21977549 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Cordova affects IBM MobileFirst Platform Foundation (CVE-2015-8320) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000091 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976366 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976442 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime Version 6 affects IBM Cognos Business Viewpoint (CVE-2015-7575 ) *** http://www.ibm.com/support/docview.wss?uid=swg21977407 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to view work logs during purchase orders that they should not have access to (CVE-2016-0222) *** http://www.ibm.com/support/docview.wss?uid=swg21976949 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL affect IBM BladeCenter Switches (CVE-2015-3194, CVE-2015-3195) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099199 --------------------------------------------- *** IBM Security Bulletin: Insecure Transmission Vulnerability with IBM InfoSphere Information Server (CVE-2015-7490) *** http://www.ibm.com/support/docview.wss?uid=swg21975827 --------------------------------------------- *** IBM Security Bulletin: libpng related security vulnerabilities identified in IBM Expeditor (CVE-2015-7981, CVE-2015-8126, CVE-2015-8540, CVE-2015-8472) *** http://www.ibm.com/support/docview.wss?uid=swg21975904 --------------------------------------------- *** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere DataPower XC10 Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21971658 --------------------------------------------- *** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere eXtreme Scale server *** http://www.ibm.com/support/docview.wss?uid=swg21971657 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance denial of service vulnerability (CVE-2015-5286) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021122 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance security vulnerability (CVE-2015-5251) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021121 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Nova denial of service vulnerability (CVE-2015-3280) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021120 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 26-02-2016
by Daily end-of-shift report 26 Feb '16

26 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 25-02-2016 18:00 − Freitag 26-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** VU#444472: QNAP Signage Station and iArtist Lite contain multiple vulnerabilities *** --------------------------------------------- CVE-2015-6022An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script, --------------------------------------------- http://www.kb.cert.org/vuls/id/444472 *** DSA-3492 gajim - security update *** --------------------------------------------- Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabberclient. Gajim didnt verify the origin of roster update, allowing anattacker to spoof them and potentially allowing her to intercept messages. --------------------------------------------- https://www.debian.org/security/2016/dsa-3492 *** Open Web Analytics 1.5.7 Cross Site Scripting *** --------------------------------------------- Open Web Analytics suffers from a Cross-Site Scripting vulnerability in the owa_site_id parameter because it fails to sanitize input before rendering the content to the user. The vulnerability can be triggered by hitting the ALT+SHIFT+X key after the payload is injected. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020217 *** Bugtraq: Zimbra Cross-Site Scripting vulnerabilities *** --------------------------------------------- Recently Zimbra Collaboration 8.6 Patch 5 was released. It fixed two Cross-Site Scripting vulnerabilities discovered by Fortinet's FortiGuard Labs. --------------------------------------------- http://www.securityfocus.com/archive/1/537627 *** Sicherheitsupdate für ältere Apple-TV-Geräte *** --------------------------------------------- Apple hat am Donnerstagabend das Betriebssystem älterer Multimediaboxen aktualisiert. Das Update bringt zahlreiche Security-Fixes. --------------------------------------------- http://heise.de/-3118206 *** Quick Audit of *NIX Systems, (Fri, Feb 26th) *** --------------------------------------------- If you think that only computers running Microsoft Windows are targeted by attackers, youre wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services are relying on it (Netcraftis compiling interesting stats on this topic). Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20771&rss *** Apache Xerces-C Buffer Overflow Lets Remote Users Deny Service or Potentially Execute Arbitrary Code *** --------------------------------------------- A vulnerability was reported in Apache Xerces-C. A remote user can execute arbitrary code on the target system. A remote user can send specially crafted documents to trigger a buffer overflow in the XML parser library and cause the target application to crash or potentially execute arbitrary code on the target system. --------------------------------------------- http://www.securitytracker.com/id/1035113 *** Krypto-Trojaner Locky: Batch-Dateien infizieren Windows, Tool verspricht Schutz *** --------------------------------------------- Batch-Dateien sind der neueste Schrei, wenn es darum geht, den Krypto-Trojaner Locky am Virenscanner vorbei zu schleusen - und der Plan geht auf. Auf der Suche nach Schutzmaßnahmen haben wir ein Tool ausprobiert, das Locky und Co. stoppen soll. --------------------------------------------- http://heise.de/-3118188 *** Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities *** --------------------------------------------- Infor CRM suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST/PUT parameters in JSON format is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020219 *** Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792) *** --------------------------------------------- The following new pre-authentication exploit against Jenkins (CVE-2016-0792) works because Groovy is on the classpath. There are probably a million other apps that use XStream and have Groovy on the classpath. I put almost no effort into trying to find this vulnerable pattern in other open source applications -- this Jenkins CVE is just one of many. --------------------------------------------- https://www.contrastsecurity.com/security-influencers/serialization-must-di… *** IKE/IKEv2: Ripe for DDoS Abuse *** --------------------------------------------- This is my latest research into preemptive DDoS trends. This time I looked into IKEv2 and what potential it has in regards to DDoS abuse use cases and amplification measurements. The short answer is, it could be easily weaponized for DDoS campaigns. --------------------------------------------- https://www.reddit.com/r/netsec/comments/47l3zv/ikeikev2_ripe_for_ddos_abus… *** IBM Security Bulletins*** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794 *** http://www.ibm.com/support/docview.wss?uid=swg21977355 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affects IBM Control Center (CVE-2015-4872, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977686 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance information disclosure vulnerability (CVE-2015-5163) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021118 --------------------------------------------- *** Security Bulletin: Vulnerabilities in glibc affect IBM Integrated Management Module II (IMM2) for System x, BladeCenter and Flex Systems (CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, CVE-2014-9402) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099198 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM QRadar SIEM and Incident Forensics (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977665 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM SDK Java Technology Edition affects IBM Development Package for Apache Spark (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977538 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM B2B Advanced Communications (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976813 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM QRadar SIEM and Incident Forensics. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977664 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-7575, CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976276 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Control Center (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977575 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Initiate Master Data Service (CVE-2015-4872, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976545 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security AppScan Enterprise (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976553 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affect Rational Policy Tester (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976733 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005673 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023364 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Tivoli Endpoint Manager for Remote Control. *** http://www.ibm.com/support/docview.wss?uid=swg21976855 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer (CVE-2015-7575, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21976768 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software *** http://www.ibm.com/support/docview.wss?uid=swg21976840 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron (CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21977301 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Business Process Manager and IBM HTTP Server shipped with IBM Cloud Orchestrator (CVE-2015-1932, CVE-2015-4938) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000043 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 25-02-2016
by Daily end-of-shift report 25 Feb '16

25 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-02-2016 18:00 − Donnerstag 25-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Neue Virenwelle: Krypto-Trojaner Locky tarnt sich als Fax *** --------------------------------------------- Der gefährliche Erpressungs-Trojaner wird seit kurzem über Mails verbreitet, die vorgeben, dass der Empfänger ein Fax erhalten hat. Die Virenscanner können mit der aktuellen Locky-Fassung noch nicht viel anfangen. --------------------------------------------- http://heise.de/-3117249 *** Eavesdropping by the Foscam Security Camera *** --------------------------------------------- Brian Krebs has a really weird story about the build-in eavesdropping by the Chinese-made Foscam security camera: Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/eavesdropping_b_1.html *** Behind the Malware - Botnet Analysis *** --------------------------------------------- While analyzing our website firewall logs we discovered an old vulnerability in the RevSlider plugin being retargeted. RevSlider, the plugin whose vulnerability led to massive website compromises in 2015, was being leveraged again in an attempt to infect websites over a year since its initial disclosure. The original hack required sending an AJAX request containing the action revslider_ajax_action to ... --------------------------------------------- https://blog.sucuri.net/2016/02/behind-the-malware-botnet-analysis.html *** Cisco FirePOWER Management Center Unauthenticated Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in the Cisco FirePOWER Management Center could allow an unauthenticated, remote attacker to obtain information about the Cisco FirePOWER Management Center software version from the device login page. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001 *** --------------------------------------------- Advisory ID: SA-CORE-2016-001 Project: Drupal core Version: 6.x, 7.x, 8.x Date: 2016-February-24 Security risk: 15/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Multiple vulnerabilities --------------------------------------------- https://www.drupal.org/SA-CORE-2016-001 *** OpenSSL kündigt Patches für Sicherheitslücken an *** --------------------------------------------- Administratoren, auf dessen Servern die beliebte Kryptobibliothek für SSL/TLS-Verbindungen zum Einsatz kommt, müssen am Dienstag wieder mal patchen. --------------------------------------------- http://heise.de/-3117855 *** Critical Vulnerabilities in Palo Alto Networks PAN-OS , (Thu, Feb 25th) *** --------------------------------------------- Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities [1]. The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date. Two of the vulnerabilities appear to be in particular dangerous, and affected devices should be patched immediately. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20767&rss *** Malicious websites exploit Silverlight bug that can pwn Macs and Windows *** --------------------------------------------- Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined. The critical code-execution vulnerability, which Microsoft patched last month, was actively exploited for two years in attack code owned by Italy-based exploit broker Hacking Team. --------------------------------------------- http://arstechnica.com/security/2016/02/malicious-websites-exploit-silverli…

1 0

Tageszusammenfassung - Mittwoch 24-02-2016
by Daily end-of-shift report 24 Feb '16

24 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-02-2016 18:00 − Mittwoch 24-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Zahlreiche Hersteller patchen dramatische glibc-Lücke *** --------------------------------------------- Linux ist fast überall und dementsprechend verbreitet ist auch die glibc, die in älteren Versionen angreifbar ist. Sicherheits-Updates gibt es unter anderem von Zyxel, VMware und Citrix, andere geben Entwarnung. --------------------------------------------- http://heise.de/-3115787 *** OpenCms 9.5.2 Cross Site Scripting *** --------------------------------------------- Topic: OpenCms 9.5.2 Cross Site Scripting Risk: Low Text: Advisory ID: SYSS-2015-063 Product: OpenCms Official Maintainer: Alkacon Software GmbH Affected Version(s): 9.5.2 Tested ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020206 *** DFN-CERT-2016-0326/">Bibliothek libssh: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- Zwei Schwachstellen in der Bibliothek libssh ermöglichen einem entfernten, nicht authentifizierten Angreifer das Durchführen eines Denial-of-Service (DoS)-Angriffs sowie das Umgehen von Sicherheitsvorkehrungen und in der Folge das Ausspähen von Informationen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0326/ *** Squid: Multiple Denial of Service issues in HTTP Response processing. *** --------------------------------------------- Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses. --------------------------------------------- http://www.squid-cache.org/Advisories/SQUID-2016_2.txt *** Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver *** --------------------------------------------- Version(s): 11.1.2245; possibly earlier versions Description: A vulnerability was reported in avast!. A local user can gain system privileges on the target system. Avast Internet Security, Avast Pro Antivirus, Avast Premier, and Avast Free Antivirus are affected. Solution: The vendor has issued a fix (11.1.2253). --------------------------------------------- http://www.securitytracker.com/id/1035093 *** Drupal 6 hits the end of the line *** --------------------------------------------- If you have a Drupal 6 website then you wont be receiving any more official security advisories or patches; from today your site is vulnerable to any new security issues discovered in Drupal 6 core or its modules, forever. --------------------------------------------- https://nakedsecurity.sophos.com/2016/02/24/drupal-6-hits-the-end-of-the-li… *** Admins aufgepasst: Krypto-Trojaner befällt hunderte Webserver *** --------------------------------------------- Der Erpressungs-Trojaner CTB-Locker hat es dieses Mal nicht auf Windows-Nutzer, sondern auf Webserver abgesehen. Er hat bereits Dateien hunderter Websites verschlüsselt, ein Ende ist derzeit nicht absehbar. --------------------------------------------- http://heise.de/-3116470 *** F5: sol13304944: NTP vulnerability CVE-2015-7974 *** --------------------------------------------- NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." (CVE-2015-7974) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/13/sol13304944.html *** Analyzis of a Malicious .lnk File with an Embedded Payload, (Wed, Feb 24th) *** --------------------------------------------- We received some feedback today from Nick, aSANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of fileearlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year2000. Today it almost disappeared and was replaced by more popularformatsbut ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20763&rss *** Attackers Can Turn Microsofts Exploit Defense Tool EMET Against Itself *** --------------------------------------------- itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET - 5.0, 5.1 and 5.2 - but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/rwo8Nq2dFiw/attackers-can-t… *** Ransomware: Locky kommt jetzt auch über Jscript *** --------------------------------------------- Eine Spam-Kampagne verteilt die Locky-Ransomware jetzt auch über Jscript-Anhänge in E-Mails - die angeblich von einem Wursthersteller kommen. (Trojaner, Virus) --------------------------------------------- http://www.golem.de/news/ransomware-locky-kommt-jetzt-auch-ueber-javascript… *** Mousejacking: What you need to know *** --------------------------------------------- Got a wireless mouse or keyboards that uses a USB dongle? Seems that many of them can be fed fake clicks and keystrokes from a distance... --------------------------------------------- https://nakedsecurity.sophos.com/2016/02/24/mousejacking-what-you-need-to-k… *** Cisco ACE 4710 Application Control Engine Command Injection Vulnerability *** --------------------------------------------- A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cleaners ought to be clean (and clear) *** --------------------------------------------- There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious. Many programs in this category have a practice of providing a free version of their software that scans your system, ... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/24/cleaners-ought-to-be-cl… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK for Node.js affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-2086, CVE-2016-2216, *** http://www.ibm.com/support/docview.wss?uid=swg21977146 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-0701, CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21977144 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Explorer for z/OS 3.0 (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976483 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, *** http://www.ibm.com/support/docview.wss?uid=swg21977021 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK Version 8 Service Refresh 2 that affect IBM BigFix Compliance Analytics. *** http://www.ibm.com/support/docview.wss?uid=swg21976854 --------------------------------------------- *** IBM Security Bulletin: Java specific SLOTH - Weak MD5 Signature Hash *** http://www.ibm.com/support/docview.wss?uid=swg21975823 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime shipped with WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976925 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975877 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Developer for System z (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976476 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM SPSS Modeler (CVE-2016-0466, CVE-2015-7575, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21977518 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977523 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition for AIX (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977061 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976970 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-7575, CVE-2016-0475, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21975820 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) *** http://www.ibm.com/support/docview.wss?uid=swg21976845 --------------------------------------------- *** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal *** http://www.ibm.com/support/docview.wss?uid=swg21976358 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 23-02-2016
by Daily end-of-shift report 23 Feb '16

23 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-02-2016 18:00 − Dienstag 23-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/02/cve-2016-0034.html *** Incident Handling with Docker Containers *** --------------------------------------------- Honestly, I never really played with Docker but - For a few weeks, I succumbed to the temptation of playing with Docker thanks to a friend who's putting everything in docker containers. If you still don't know Docker, here is a very brief .. --------------------------------------------- https://blog.rootshell.be/2016/02/22/incident-handling-docker-to-the-rescue/ *** Is DNSSEC causing more problems than it solves? *** --------------------------------------------- New paper points to security protocol as vector for DDoS attacks The complex security protocol for the domain name system - DNSSEC - has another black mark against it: it is being used as a way to carry out denial-of-service (DDoS) .. --------------------------------------------- www.theregister.co.uk/2016/02/23/dnssec_more_problem_than_solution/ *** Ecommerce fraud surges 163% *** --------------------------------------------- The worst fears of online retailers has been confirmed with data just released today: in 2015, the number of attacks by fraudsters was up 163 percent - growing two and a half times in a mere three-quartered period. This data is part of the newly .. --------------------------------------------- https://www.helpnetsecurity.com/2016/02/23/ecommerce-fraud-surges-163/ *** Betrüger stahlen Grazer Unternehmen online 147.000 Euro *** --------------------------------------------- Unbekannte brachen in das Firmennetz ein und überwiesen den Betrag auf ein polnisches Konto. Das Geld ist verloren. --------------------------------------------- http://futurezone.at/b2b/betrueger-stahlen-grazer-unternehmen-online-147-00… *** 90% of SSL VPNs use insecure or outdated encryption, putting your data at risk *** --------------------------------------------- Have you ever thought how secure and reliable your SSL VPN? Probably you should. --------------------------------------------- https://www.htbridge.com/blog/90-percent-of-ssl-vpns-use-insecure-or-outdat… *** Mobile malware evolution 2015 *** --------------------------------------------- As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-mal… *** Hackers arent so interested in your credit card data these days. Thats bad news *** --------------------------------------------- World governments now primary sources of breaches Healthcare and government have overtaken the retail sector as most-targeted for data breaches, according to security firm .. --------------------------------------------- www.theregister.co.uk/2016/02/23/breach_trends_gemalto/ *** Sicherheitsforscher: Gefahr durch Android-Banking-Trojaner größer denn je *** --------------------------------------------- Kaspersky sieht in einem Android-Trojaner "eine der größten Gefahren, die wir derzeit kennen“, während Sicherheitsexperten von IBM davon berichten, dass der Quellcode eines bekannten Trojaners veröffentlicht wurde. Ein Tutorial läd zum Ausprobieren ein --------------------------------------------- http://heise.de/-3115424 *** Two Charts That Demonstrate One Of Android's Big Security Problems *** --------------------------------------------- Applying the most recent security updates to your device's operating system is a best practice security fundamental. If you're not running the latest version of an OS, you're opening .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/23/two-charts-that-demonstrate-one-of… *** Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC *** --------------------------------------------- Security researchers "mousejacking" attack exploits vulnerable wireless devices to type on a target PC from a hundred yards away. --------------------------------------------- http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-hacke… *** Cisco Nexus 2000 Series Fabric Extender Software Default Credential Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** PowerPoint and Custom Actions *** --------------------------------------------- We've recently observed a Phishing attack which uses PowerPoint Custom Actions instead of macros to execute a malicious payload. Although using PowerPoint attachments is not new, these types of attacks are interesting as they generally bypass controls that assert on macro enabled Office attachments. --------------------------------------------- http://phishme.com/powerpoint-and-custom-actions/ *** TYPO3 CMS 6.2.19 and 7.6.4 released *** --------------------------------------------- https://typo3.org/news/article/typo3-cms-6219-and-764-released/

1 0

Tageszusammenfassung - Montag 22-02-2016
by Daily end-of-shift report 22 Feb '16

22 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-02-2016 18:00 − Montag 22-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** glibc: Neue Version repariert dramatische Lücke in Linux-Netzwerkfunktionen *** --------------------------------------------- Den kritische Fehler, den Angreifer zur Übernahme von Linux-Systemen nutzen konnten, hat das glibc-Team mit Version 2.23 offenbar behoben. Die anderen Änderungen wie Unicode-8-Support stehen im Schatten des Bugfix. --------------------------------------------- http://heise.de/-3112519 *** Joomla Sites Join WordPress As TeslaCrypt Ransomware Target *** --------------------------------------------- Joomla is the newest prey of attackers behind a campaign that has targeted WordPress websites by injecting JavaScript files with malicious code. --------------------------------------------- http://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomware-… *** PCI DSS 3.2 slated for early 2016 *** --------------------------------------------- PCI DSS version 3.2, scheduled for release in the first half of 2016, likely March or April, will address the current threat landscape as well as "trending attacks causing compromises" detailed in current breach forensics reports. --------------------------------------------- http://www.scmagazine.com/pci-dss-32-slated-for-early-2016/article/478089/ *** Investigating a Compromised Server with Rootcheck *** --------------------------------------------- What do you do if you suspect your server (VPS or dedicated) has been compromised? If you are a customer, you have the option to leverage our team to perform the incident response on your behalf, but what if you want to do an investigation on your own? In this .. --------------------------------------------- https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-roo… *** Wie Privatleute von Online-Kriminellen zur Geldwäsche missbraucht werden *** --------------------------------------------- Kriminelle Banden nutzen unscheinbare Privatleute zur Geldwäsche. Neuerdings haben sie auch Flüchtlinge im Visier. An die Hintermänner kommt man kaum ran. --------------------------------------------- http://heise.de/-3112859 *** Security: Rätselhafter Anstieg von Tor-Adressen *** --------------------------------------------- Ein ungewöhnlicher Anstieg von .onion-Adressen im Tor-Netzwerk gibt zurzeit Rätsel auf. Grund für den Anstieg könnte eine neue Messaging-App sein - oder Malware. --------------------------------------------- http://www.golem.de/news/security-sprunghafter-anstieg-von-tor-adressen-160… *** Warning - Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System *** --------------------------------------------- Are you also the one who downloaded Linux Mint on February 20th? You may have been Infected! Linux Mint is one of the best and popular Linux distros available today, but if you have downloaded and installed the operating system recently you .. --------------------------------------------- https://thehackernews.com/2016/02/linux-mint-hack.html *** DSA-3479 graphite2 - security update *** --------------------------------------------- Multiple vulnerabilities have been found in the Graphite font renderingengine which might result in denial of service or the execution ofarbitrary code if a malformed font file is processed. --------------------------------------------- https://www.debian.org/security/2016/dsa-3479 *** Synology NAS DSM 5.2 Remote Code Execution (RCE) *** --------------------------------------------- RCE in Synology NAS DSM 5.2 due to lack of input sanitisation. RCE triggered indirectly via port forwarding mechanism in the NAS UI. --------------------------------------------- http://rileykidd.com/2016/01/12/synology-nas-dsm-5-2-remote-code-execution-… *** A Skeleton Key of Unknown Strength *** --------------------------------------------- TL;DR: The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn't even know had network surface (sudo) are thus exposed, as is software written in .. --------------------------------------------- http://dankaminsky.com/2016/02/20/skeleton/ *** Sicherheitsforscher: Piraten-App-Store vorübergehend in Apples App Store *** --------------------------------------------- Über mehrere Monate hat eine in Apples offiziellem Software-Laden erhältliche, als Übersetzungs-Tool getarnte iOS-App ihren Nutzern offenbar gecrackte Apps zum Download angeboten. --------------------------------------------- http://heise.de/-3113988 *** Deutschland: "Bundestrojaner" ist einsatzbereit *** --------------------------------------------- Nach monatelangen Vorbereitungen steht den Ermittlernin Deutschland eine eigene Software für Online-Durchsuchungen zur Verfügung. --------------------------------------------- http://futurezone.at/netzpolitik/deutschland-bundestrojaner-ist-einsatzbere… *** Neue Masche: Krypto-Trojaner Locky über Javascript-Dateien verbreitet *** --------------------------------------------- Nachdem der Verschlüsselungs-Trojaner zunächst vor allem über Office-Dateien verbreitet wurde, verschicken die Täter jetzt Skripte. Dadurch ist ein Ludwigsluster Wursthersteller unfreiwillig zur Anlaufstelle der Locky-Opfer geworden. --------------------------------------------- http://heise.de/-3113689

1 0

Tageszusammenfassung - Freitag 19-02-2016
by Daily end-of-shift report 19 Feb '16

19 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-02-2016 18:00 − Freitag 19-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Maimed Ramnit Still Lurking in the Shadow *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/02/maimed_ramnit_still.ht… *** ZDI-16-172: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-172/ *** Mutliple vulnerabilities in SAP 3D Visual Enterprise Viewer SketchUp document *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-176/ http://www.zerodayinitiative.com/advisories/ZDI-16-175/ http://www.zerodayinitiative.com/advisories/ZDI-16-174/ http://www.zerodayinitiative.com/advisories/ZDI-16-173/ *** Krypto-Trojaner Locky wütet in Deutschland: Über 5000 Infektionen pro Stunde *** --------------------------------------------- Die neue Ransomware Locky findet hierzulande offenbar massenhaft Opfer, darunter auch ein Fraunhofer-Institut. Inzwischen haben die Täter ihrem Schädling sogar Deutsch beigebracht. --------------------------------------------- http://heise.de/-3111774 *** B+B SmartWorx VESP211 Authentication Bypass Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an authentication bypass vulnerability in B+B SmartWorx's VESP211 serial servers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-049-01 *** AMX Multiple Products Credential Management Vulnerabilities *** --------------------------------------------- This advisory contains mitigations details for hard-coded passwords in multiple AMX products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-049-02 *** Privilege Escalation: Schon wieder Sicherheitslücke bei Comodo *** --------------------------------------------- Ein unsicheres Standardpasswort in der Comodo-Internet-Security-Suite ermöglicht es Angreifern, ihre Rechte zu erweitern, um beliebige Programme auszuführen. Auf dem Rechner selbst - aber möglicherweise auch aus der Ferne. --------------------------------------------- http://www.golem.de/news/privilege-escalation-schon-wieder-sicherheitslueck… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- http://support.citrix.com/article/CTX206001

1 0

Tageszusammenfassung - Donnerstag 18-02-2016
by Daily end-of-shift report 18 Feb '16

18 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-02-2016 18:00 − Donnerstag 18-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WordPress Sites Leveraged in Layer 7 DDoS Campaigns *** --------------------------------------------- We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back on March 2014. The problem, as previously described,was that any WordPress website with the pingback feature enabled (which is on by default) could .. --------------------------------------------- https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns… *** Angler exploit kit generated by "admedia" gates, (Thu, Feb 18th) *** --------------------------------------------- On 2016-02-01, the Sucuri blog reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs [1]. By 2016-02-02, I started seeing exploit kit (EK) traffic related to this campaign [2]. Sucuri noted that admedia was a common string used in malicious URLs generated by .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20741 *** SimpliSafe home alarms transmit PIN unlock codes in the clear - ideal for lurking burglars *** --------------------------------------------- How to break into hundreds of thousands of homes in America Pics and vid If youve got a SimpliSafe wireless home alarm system, as hundreds of thousands of homes in the US apparently do, then its time to buy a new alarm system because yours is screwed. --------------------------------------------- www.theregister.co.uk/2016/02/17/simplisafe_wireless_home_alarm_system_crac… *** Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007 *** --------------------------------------------- The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve authenticated pages, or only allows Node.js connections from authenticated users, the expectation is that only authenticated Drupal users will see broadcast messages. --------------------------------------------- https://www.drupal.org/node/2670636 *** Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006 *** --------------------------------------------- The module doesn't sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key. --------------------------------------------- https://www.drupal.org/node/2670632 *** Instagram rolls out two factor authentication *** --------------------------------------------- But SMS still a mess. Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service. --------------------------------------------- www.theregister.co.uk/2016/02/18/instagram_rolls_out_two_factor_authenticat… *** Funkregulierung: TP-Link muss WLAN-Firmware sperren *** --------------------------------------------- TP-Link sperrt die Firmware aller WLAN-Geräte. Andere Hersteller tun es wohl auch. Damit können User ihre Geräte nicht mehr warten. Das bewirkt die neue Funkregulierung auf beiden Seiten des Atlantik. --------------------------------------------- http://heise.de/-3109847 *** Gerichtlich angeordnete iPhone-Entsperrung: Google-Chef unterstützt Widerstand des Apple-Chefs *** --------------------------------------------- Google-Chef Sundar Pichai meint so wie Apple-Chef Tim Cook, falls sich das FBI durchsetze, dass Apple beim Entsperren eines iPhone zu helfen habe, werde ein riskanter Präzedenzfall geschaffen. --------------------------------------------- http://heise.de/-3109864 *** These were the Top 10 Android Threats in 2015 - Plus, What to Expect in 2016 *** --------------------------------------------- Mobile World Congress is next week and F-Secure is jazzed to be participating again - it promises to be another awesome expo. But while the tech world buzzes about which devices will be unveiled by the top handset makers, leave it to us to interrupt the conversation to remind you about security .. --------------------------------------------- http://safeandsavvy.f-secure.com/2016/02/18/these-were-the-top-10-android-t… *** DSA-3482 libreoffice - security update *** --------------------------------------------- An anonymous contributor working with VeriSign iDefense Labsdiscovered that libreoffice, a full-featured office productivitysuite, did not correctly handle Lotus WordPro files. This would enablean attacker to crash the program, or execute arbitrary code, bysupplying a specially crafted .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3482 *** Ransomware: US-Krankenhaus zahlt 40 Bitcoins Lösegeld *** --------------------------------------------- Bitcoins im Wert von 15.000 Euro blätterte ein Krankenhaus in Los Angeles hin, um seine von einem Erpressungstrojaner verschlüsselten Daten wieder freizukriegen. Das sei der schnellste Weg gewesen, sagte der Krankenhaus-Chef. --------------------------------------------- http://heise.de/-3109956 *** VB2015 paper: Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization? *** --------------------------------------------- Sophos researchers Rowland Yu and William Lee look at whether recent security enhancements to Android, such as SEAndroid and containerization, will be enough to defeat future malware threats. --------------------------------------------- https://www.virusbulletin.com/blog/2016/02/vb2015-paper-will-android-trojan… *** A Letter to the Insiders - Think Twice *** --------------------------------------------- Insider threats come in many forms, from the unwitting to the negligent, and even the downright malicious. For those who may be unwillingly co-opted into cybercrime, either by subterfuge or coercion, we can provide education, technical measures, policies and processes that limit the risk. But what can .. --------------------------------------------- https://blog.team-cymru.org/2016/02/a-letter-to-the-insiders-think-twice/ *** New Ransomware PadCrypt: The first with Live Chat Support *** --------------------------------------------- A new ransomware has been discovered and what sets apart this variant from the rest is its implementation of a chat interface embedded into the product. That link for 'Live Chat' will prompt...read moreThe post New Ransomware PadCrypt: The first with Live Chat Support appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/18/new-ransomware-padcrypt-first-live-c…

1 0

Tageszusammenfassung - Mittwoch 17-02-2016
by Daily end-of-shift report 17 Feb '16

17 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-02-2016 18:00 − Mittwoch 17-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco 1000 Series Connected Grid Routers SNMP BRIDGE MIB Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Stuxnet als erster Akt: USA wollten Iran mit Cyberangriff lahmlegen *** --------------------------------------------- Geheimprojekt "Nitro Zeus" hätte Infrastruktur zerstören sollen – außerdem detaillierte Pläne gegen Nuklearanlage .. --------------------------------------------- http://derstandard.at/2000031233923 *** Machine-Learning: Künstliche neuronale Netzwerke erleichtern Passwortcracking *** --------------------------------------------- Ein Machbarkeitsnachweis zeigt, dass künstliche neuronale Netzwerke mit etwas Training benutzt werden können, um Passwörter zu knacken. Selbst bei recht komplexen klappt das erstaunlich gut. --------------------------------------------- http://www.golem.de/news/machine-learning-kuenstliche-neuronale-netzwerke-e… *** Pwning CCTV cameras *** --------------------------------------------- CCTV is ubiquitous in the UK. A recent study estimates there are about 1.85m cameras across the UK - most in private premises. Most of those cameras will be connected to some kind of recording device, which these days means a Digital Video Recorder or DVR. --------------------------------------------- https://www.pentestpartners.com/blog/pwning-cctv-cameras/ *** Gerichtliche Anordnung zum iPhone-Entsperren: Apple-Chef Tim Cook widersetzt sich *** --------------------------------------------- Tim Cook hat sich ungewöhnlicherweise in einem offenen Brief an die Kunden gewandt. Darin begründet er, warum sich das Unternehmen weigert, dem FBI mit einer Hintertür bei Ermittlungen zu helfen. --------------------------------------------- http://heise.de/-3107769 *** Verheerender Fehler gefährdet fast alle Linux-Systeme *** --------------------------------------------- Fehler in der glibc kann zum Einschmuggeln von Code ausgenutzt werden - Update dringend empfohlen --------------------------------------------- http://derstandard.at/2000031281408 *** Linux Fysbis Trojan, a new weapon in the Pawn Storm's arsenal *** --------------------------------------------- Malware researchers at PaloAlto discovered the Fysbis Trojan, a simple and an effective Linux threat used by the Russian cyberspy group Pawn Storm. Do you remember the Pawn Storm hacking crew? Security experts have identified this group of Russian hackers with several names, including .. --------------------------------------------- http://securityaffairs.co/wordpress/44551/hacking/pawn-storm-linux-fysbis-t… *** Mazar: Forscher warnen vor mächtiger Android-Malware *** --------------------------------------------- Verwendet Tor-Netzwerk um Spuren zu verwischen - Kann volle Kontrolle �bernehmen, braucht aber reichlich Mitarbeit der Nutzer --------------------------------------------- http://derstandard.at/2000031296473 *** OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update *** --------------------------------------------- In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. In that report, there is a description about a piece of malware that targets OS X systems. A sample of that malware was uploaded to VirusTotal a few months .. --------------------------------------------- https://www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an… *** [HTB23284]: RCE via CSRF in osCommerce *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered vulnerability in popular e-commerce software osCommerce with 280,000 store owners (according to the vendor). The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment. --------------------------------------------- https://www.htbridge.com/advisory/HTB23284 *** [HTB23291]: SQL Injection in webSPELL *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered two vulnerabilities in a popular CMS webSPELL developed for the needs of esport related communities. The vulnerability allows a remote authenticated attacker with cashbox access privileges to execute arbitrary SQL commands .. --------------------------------------------- https://www.htbridge.com/advisory/HTB23291 *** The Dridex Banking Trojan *** --------------------------------------------- Dridex is a generation of banking trojans, one of the most prominent threats for companies. A banking trojan basically is malicious software (malware) that tries to obtain confidential information from your computer system, targetting specifically online banking and payment systems. The Dridex trojan is equipped to steal all data necessary for fraudulent activities. --------------------------------------------- http://www.techknow.one/forum/index.php?topic=9346

1 0

Tageszusammenfassung - Dienstag 16-02-2016
by Daily end-of-shift report 16 Feb '16

16 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-02-2016 18:00 − Dienstag 16-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** More Multi-Architecture IoT Malware, (Mon, Feb 15th) *** --------------------------------------------- Attackers have problems too: Attacks against Internet of Things (IoT) devices are simple (as in log in...), but the attacker never knows what kind of architecture they may hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20731 *** Password cracking attacks on Bitcoin wallets net $103,000 *** --------------------------------------------- Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years' worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required. --------------------------------------------- http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bitcoi… *** Cisco Emergency Responder Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Exploiting (pretty) blind SQL injections, (Mon, Feb 15th) *** --------------------------------------------- Although a lot has been written about SQL injection vulnerabilities, they can still be found relatively often. In most of the cases Ive seen in last couple of years, I had to deal with blind SQL injection vulnerabilities. Typically, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20733 *** VoIP phones can be turned into spying or money-making tools *** --------------------------------------------- A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore. In a less dangerous attack alternative, these compromised devices can also be made to covertly place calls to premium .. --------------------------------------------- https://www.helpnetsecurity.com/2016/02/16/voip-phones-can-turned-spying-mo… *** Ransomware: Neben deutschen Krankenhäusern auch US-Klinik von Virus lahmgelegt *** --------------------------------------------- Nicht nur in Deutschland kämpfen Krankenhäuser immer wieder gegen Verschlüsselungstrojaner. In Los Angeles ist eine Klinik seit mehr als einer Woche lahmgelegt. Die Programmierer fordern angeblich mehr als 3 Millionen US-Dollar Lösegeld. --------------------------------------------- http://heise.de/-3103733 *** "Fake President": E-Mail-Betrüger erleichtern Konzerne um Millionenbeträge *** --------------------------------------------- Vorstands-Accounts und machen ahnungslose Buchhalter zu ihren Komplizen --------------------------------------------- http://derstandard.at/2000031179980 *** Geldautomaten: Skimming an der Netzwerkbuchse *** --------------------------------------------- Skimming ist ein bekanntes Problem - Kriminelle verwenden nachgebaute Tastaturfelder und Magnetkartenleser, um Kundendaten an Geldautomaten zu kopieren. Jetzt warnt der Hersteller NCR vor neuen Gefahren. --------------------------------------------- http://www.golem.de/news/geldautomaten-skimming-an-der-netzwerkbuchse-1602-… *** USN-2855-2: Samba regression *** --------------------------------------------- Ubuntu Security Notice USN-2855-216th February, 2016samba regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2855-1 introduced a regression in .. --------------------------------------------- http://www.ubuntu.com/usn/usn-2855-2/ *** Erpressungs-Trojaner Locky schlägt offenbar koordiniert zu *** --------------------------------------------- Locky lauerte vermutlich bereits eine Weile auf den infizierten Systemen, ehe es am vergangenen Montag zeitgleich bei mehreren Opfern mit der Verschlüsselung persönlicher Dateien begonnen hat. --------------------------------------------- http://heise.de/-3104069 *** Stuxnet angeblich Teil eines größeren Angriffs auf kritische Infrastruktur des Iran *** --------------------------------------------- Dass die USA und Israel hinter Stuxnet steckten, um Irans Atomprogramm zu stören, gilt mittlerweile als gesichert. Ein neuer Dokumentarfilm behauptet nun, dass der Cyber-Wurm Teil eines viel größeren Programms war, das den ganzen Iran lahmlegen sollte. --------------------------------------------- http://heise.de/-3104957 *** TYPO3 CMS 6.2.18 and 7.6.3 released *** --------------------------------------------- Both versions are maintenance releases and contain bug and security fixes. In case the extension compatibility6 is used, please make sure to upgrade to version 7.6.2. --------------------------------------------- https://typo3.org/news/article/typo3-cms-6218-and-763-released/ *** Glibc: Sicherheitslücke gefährdet fast alle Linux-Systeme *** --------------------------------------------- Eine schwerwiegende Sicherheitslücke klafft in der Glibc-Bibliothek, die in fast allen Linux-Systemen genutzt wird: Eine DNS-Funktion erlaubt die Ausführung von bösartigem Code. Nutzer sollten schnellstmöglich Updates installieren. --------------------------------------------- http://www.golem.de/news/glibc-sicherheitsluecke-gefaehrdet-fast-alle-linux… *** CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow *** --------------------------------------------- The glibc project thanks the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. --------------------------------------------- https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

1 0

Tageszusammenfassung - Montag 15-02-2016
by Daily end-of-shift report 15 Feb '16

15 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-02-2016 18:00 − Montag 15-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** A Look Behind The Skype Malvertising Campaign *** --------------------------------------------- As reported by F-Secure, a recent malvertising campaign has been hitting several top publishers to push the Angler exploit kit and install the TeslaCrypt ransomware, according to the Finnish company. Some of these infections happened via Skype, which displays ad banners within its product. --------------------------------------------- https://blog.malwarebytes.org/malvertising-2/2016/02/a-look-behind-the-skyp… *** Fake SUPEE-5344 Patch Steals Payment Details *** --------------------------------------------- In case you don't know, SUPEE-5344 is an official security patch to the infamous Magento shoplift bug. That bug allows bad actors to obtain admin access to vulnerable Magento sites. While the patch was released February 2015 many sites unfortunately did .. --------------------------------------------- https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-detail… *** VMware VMSA-2015-0007.3 has been Re-released, (Sat, Feb 13th) *** --------------------------------------------- VMware has re-issue VMSA-2015-0007.3 today after they found an earlier fix for CVE-2016-2342 was incomplete. Affected ESXi versions are: 5.0, 5.1 and 5.5. Advisory can be .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20727 *** Critical Fixes Issued for Windows, Java, Flash *** --------------------------------------------- Microsoft Windows users and those with Adobe Flash Player or Java installed, its time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security updates for its Flash Player software that plugs at least 22 security holes in the widely-used browser plugin. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks. --------------------------------------------- http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-… *** Verschlüsselungs-Trojaner: mp3-Variante von TeslaCrypt *** --------------------------------------------- Leser gaben der Redaktion Hinweise auf verschlüsselte Dateien mit der Endung .mp3. Die scheint eine neue Variante des Verschlüsselungs-Trojaners TeslaCrypt zu erzeugen. --------------------------------------------- http://heise.de/-3101992 *** DSA-3477 iceweasel - security update *** --------------------------------------------- Holger Fuhrmannek discovered that missing input sanitising in theGraphite font rendering engine could result in the execution of arbitrarycode. --------------------------------------------- https://www.debian.org/security/2016/dsa-3477 *** Nigerianischer Astronaut im All verloren: Spam begeistert Netz *** --------------------------------------------- Nutzer können angeblich ein Investment von drei Millionen Dollar verdoppeln --------------------------------------------- http://derstandard.at/2000031110981 *** IT-Sicherheit: Immer mehr komplexe Angriffe auf Firmen *** --------------------------------------------- Neuer Cybersicherheits-Bericht zeigt erhöhte Gefahrenlage im Internet --------------------------------------------- http://derstandard.at/2000031119634 *** Mazar Bot Actively Targeting Android Devices *** --------------------------------------------- Researchers at Heimdal Security report public attacks against Android devices using the Mazar bot, which was advertised months ago in a Russian cybercrime forum. --------------------------------------------- http://threatpost.com/mazar-bot-actively-targeting-android-devices/116240/ *** Update auf Version 1.17: Veracrypt soll jetzt doppelt so schnell sein *** --------------------------------------------- Veracrypt ist einer der beliebtesten Nachfolger des eingestellten Truecrypt - ein Update bringt jetzt neue Funktionen. Ausserdem soll das Laden von Containern deutlich schneller vonstattengehen - bislang einer der grössten Kritikpunkte .. --------------------------------------------- http://www.golem.de/news/update-auf-version-1-17-veracrypt-soll-jetzt-doppe… *** Virus legte Krankenhaus in Deutschland lahm *** --------------------------------------------- "Befunde mussten persönlich, per Telefon oder Fax übermittelt werden" --------------------------------------------- http://derstandard.at/2000031136914 *** [R1] Nessus < 6.5.5 Multiple Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2016-02 *** Reflecting on Recent iOS and Android Security Updates *** --------------------------------------------- The last thirty days proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues - including some in the kernel that may be exploited remotely. --------------------------------------------- https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-up…

1 0

Tageszusammenfassung - Freitag 12-02-2016
by Daily end-of-shift report 12 Feb '16

12 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-02-2016 18:00 − Freitag 12-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** SC Congress: "flakey kettles and dolls that swear at you" *** --------------------------------------------- Ken Munro, managing director of Pen Test Partners, showed the SC Congress just how easy it is to crack a whole range of IoT nonsense --------------------------------------------- http://www.scmagazine.com/sc-congress-flakey-kettles-and-dolls-that-swear-a… *** Determining Physical Location on the Internet *** --------------------------------------------- Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the clients geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g.,... --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/determining_phy.html *** New Trojan threatens users' bank accounts *** --------------------------------------------- February 12, 2016 Banking Trojans are considered to be one of the most dangerous threats. Not only they have a complex architecture but they are also capable to perform a wide variety of functions. Yet, some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists. Trojan.Proxy2.102 steals money from victims' bank accounts using the following method. Once launched, it installs a root... --------------------------------------------- http://news.drweb.com/show/?i=9840&lng=en&c=9 *** Vermehrte Scans und Workarounds zu Ciscos ASA-Lücke *** --------------------------------------------- Die Angreifer sammeln offenbar bereits aktiv Informationen zu möglicherweise verwundbaren Systemen, während die Verteidiger noch mit den Tücken des Updates kämpfen. --------------------------------------------- http://heise.de/-3100443 *** Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware *** --------------------------------------------- It's a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It's really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now. --------------------------------------------- http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-st… *** How to Avoid Potentially Unwanted Programs *** --------------------------------------------- We've come up with a PUPs cheat sheet that businesses can use to train IT staff and users. A little PUPs awareness, if you will. Read on to learn more about how you get PUPs, Categories: Online SecurityTags: avoidpotentially unwanted programsPUP(Read more...) --------------------------------------------- https://blog.malwarebytes.org/online-security/2016/02/how-to-avoid-potentia… *** How to use the traffic light protocol - TLP *** --------------------------------------------- The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community. The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align). --------------------------------------------- https://www.vanimpe.eu/2015/08/21/use-traffic-light-protocol-tlp/ *** D-Link DSL-2750B Remote Command Execution *** --------------------------------------------- Topic: D-Link DSL-2750B Remote Command Execution Risk: High Text:After some playing around Ive noticed something interesting during login phase: by sending wrong credentials, user is redirec... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020128 *** Sophos UTM 9 Cross Site Scripting *** --------------------------------------------- Topic: Sophos UTM 9 Cross Site Scripting Risk: Low Text: -- Vendor: -- Sophos (https://www.sophos.com) -- Affected Products/Versions: -- Produc... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020117 *** ASUS Router Administrative Interface Exposure *** --------------------------------------------- Topic: ASUS Router Administrative Interface Exposure Risk: Low Text:Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in w... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020116 *** ZCM 11.3.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.3.x --------------------------------------------- https://download.novell.com/Download?buildid=vt0EO0DgaX8~ *** ZCM 11.4.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.4.x --------------------------------------------- https://download.novell.com/Download?buildid=SOM6P0NdZ5U~ *** PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1035005 *** DFN-CERT-2016-0260: Mozilla Firefox, Firefox ESR: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0260/ *** DFN-CERT-2016-0263: Cacti: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0263/

1 0

Tageszusammenfassung - Donnerstag 11-02-2016
by Daily end-of-shift report 11 Feb '16

11 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-02-2016 18:00 − Donnerstag 11-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Critical bug found in Cisco ASA products, attackers are scanning for affected devices *** --------------------------------------------- Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec... --------------------------------------------- http://www.net-security.org/secworld.php?id=19427 *** Some notes on VirusTotal. *** --------------------------------------------- Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...read moreThe post Some notes on VirusTotal. appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/ *** Seo-moz.com SEO Spam Campaign *** --------------------------------------------- Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending evenRead More The post Seo-moz.com SEO Spam Campaign appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html *** Malvertising Via Skype Delivers Angler *** --------------------------------------------- A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we... --------------------------------------------- https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-an… *** Tomcat IR with XOR.DDoS, (Thu, Feb 11th) *** --------------------------------------------- Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response "> "> ">0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar ">Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. ">The Tomcat configurations --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20721&rss *** Building automation systems are so bad IBM hacked one for free *** --------------------------------------------- Remote sites owned as router, controller and server all fall to pen-test team An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_au… *** How Malware Detects Virtualized Environment, and its Countermeasures - An Overview *** --------------------------------------------- Virtual Machines are usually considered a good way to analyze malware as they can provide an isolated environment for the malware to trigger but their actions can be controlled and intercepted. However, modern age malware detects their environment in which they are running, and if they detect they are running in VM, they sustain their... --------------------------------------------- http://resources.infosecinstitute.com/how-malware-detects-virtualized-envir… *** DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: Eine Schwachstelle ermöglicht die Übernahme der Systemkontrolle *** --------------------------------------------- Eine Schwachstelle in der Cisco Adaptive Security Appliances Software ermöglicht einem entfernten, nicht authentifizierten Angreifer beliebigen Programmcode auszuführen und so die Kontrolle über ein betroffenes System zu übernehmen, auch ist die Durchführung eines Denial-of-Service-Angriffs möglich. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/ *** ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-163/ *** ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-164/ *** Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands. --------------------------------------------- https://support.citrix.com/article/CTX206001 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023318 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023307 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976362 --------------------------------------------- *** IBM Security Bulletin:Security Bulletin: Vulnerability in IBM Java Runtime affect AppScan Source (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976569 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023298 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023279 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21976419 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21975793 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417) *** http://www.ibm.com/support/docview.wss?uid=swg21976218 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976159 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 10-02-2016
by Daily end-of-shift report 10 Feb '16

10 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-02-2016 18:00 − Mittwoch 10-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fast Flux Bot Nets and Fluxer - Part 1 *** --------------------------------------------- This time well start a two-parter on fast flux bot nets including the concept of domain generation algorithms. --------------------------------------------- http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473… *** DMA Locker Strikes Back *** --------------------------------------------- A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and RSA key. Let's... --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/ *** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months *** --------------------------------------------- Regen your keys ASAP Web hosting biz Linode broke the security in its customers virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_… *** Skimmers Hijack ATM Network Cables *** --------------------------------------------- If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. --------------------------------------------- http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ *** Patchday: Microsoft stopft 6 kritische Lücken, lässt alte Internet-Explorer-Versionen im Regen stehen *** --------------------------------------------- Es ist wieder einmal Zeit zum Updaten für Microsoft-Anwender. Wer noch ältere Versionen des Internet Explorer im Einsatz hat, muss jetzt schleunigst handeln. --------------------------------------------- http://heise.de/-3098499 *** The history of Cryptowall: a large scale cryptographic ransomware threat *** --------------------------------------------- This tracker focusses on tracking the development changes in the CryptoWall ransomware, it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family in a more higher level fashion, a few samples will be listed next to specific versions just for reference rather than bulk collection. The timeline below shows the development track of CryptoWall when new versions were first seen. Below the timeline you will find an overview. --------------------------------------------- https://www.cryptowalltracker.org/ *** Sparkle-Installer: Gatekeeper-Sicherung für Macs lässt sich umgehen *** --------------------------------------------- Viele App-Entwickler für Mac nutzen das Sparkle-Framwork für praktische Auto-Updates - und machen damit zahlreiche Mac-Programme angreifbar. Betroffen sind nicht nur VLC und uTorrent. --------------------------------------------- http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-… *** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: *** --------------------------------------------- In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case if you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… --------------------------------------------- http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… *** Hijacking forgotten & misconfigured subdomains *** --------------------------------------------- Its been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking", I hope that you will learn something new here. --------------------------------------------- http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html *** Network forensic analysis tool NetworkMiner 2.0 released *** --------------------------------------------- NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19421 *** MSRT February 2016 *** --------------------------------------------- The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi Gamarue Sality Kelihos Diplugem The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/ *** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-FEB *** Deception: Shine Bright Like a Diamond *** --------------------------------------------- ***German Summary: Projektpläne, Designs, Kundendaten: Die Kronjuwelen eines jeden Unternehmens gehören vor Cyberkriminellen unter allen Umständen versteckt - oder? Werfen Sie den Ködern aus, denn jetzt täuschen die Guten! Deception ("Täuschung") lautet der neue Cyber-Security-Ansatz, der nach Schätzungen des renommierten Marktforschungsunternehmens Gartner bereits 2018 in rund 10 % aller Unternehmen zum Einsatz kommen wird. Virtuelle Fallen... --------------------------------------------- http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html *** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01 *** Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537490 *** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537489 *** Bugtraq: dotDefender Firewall CSRF *** --------------------------------------------- http://www.securityfocus.com/archive/1/537491 *** [2016-02-10] Yeager CMS multiple vulnerabilities *** --------------------------------------------- Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DFN-CERT-2016-0237: Horde Application Framework: Zwei Schwachstellen ermöglichen einen Cross-Site-Scripting-Angriff *** --------------------------------------------- 09.02.2016 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Video Communications Server Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Products Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976217 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976042 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023319 --------------------------------------------- *** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023291 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023292 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974808 --------------------------------------------- *** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) *** http://www.ibm.com/support/docview.wss?uid=swg21976124 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21971058 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21976393 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21976290 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21976295 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) *** http://www.ibm.com/support/docview.wss?uid=swg21976082 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21975967 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21976345 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975832 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis *** http://www.ibm.com/support/docview.wss?uid=swg21975544 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) *** http://www.ibm.com/support/docview.wss?uid=swg21974736 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976341 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-02-2016
by Daily end-of-shift report 09 Feb '16

09 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-02-2016 18:00 − Dienstag 09-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gate To Nuclear EK Uses Fake CloudFlare DDoS Check *** --------------------------------------------- This rogue CloudFlare page hides a malicious payload. Categories: ExploitKits Tags: cloudflareEKNuclear(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/gate-to-nuclear-ek-uses-f… *** Patching Complex Web Vulnerabilities Using ModSecurity WAF *** --------------------------------------------- In this blog post we will demonstrate complicated examples of common web application vulnerabilities, and see how they can be mitigated with ModSecurity WAF. --------------------------------------------- https://www.htbridge.com/blog/patching-complex-web-vulnerabilities-using-mo… *** Its 2016 and a font file can own your computer *** --------------------------------------------- Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more says Talos Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client and-server-side machines. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/libgraphite… *** Power Grid Honeypot Puts Face on Attacks *** --------------------------------------------- Researchers from MalCrawler built a honeypot mimicking an electronic management system at the heart of a power grid, exposing attackers' behavior once they have access to critical infrastructure systems. --------------------------------------------- http://threatpost.com/power-grid-honeypot-puts-face-on-attacks/116217/ *** Russian hackers used malware to manipulate the Dollar/Ruble exchange rate *** --------------------------------------------- Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulat... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3201 *** How to Hack the Power Grid Through Home Air Conditioners *** --------------------------------------------- Researchers show how hackers can manipulate the remote on-off device installed on some air conditioners to cause a blackout. --------------------------------------------- http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-co… *** (Not only) Oracle Java Windows installer vulnerable *** --------------------------------------------- Oracle hat einen Out-of-Band Patch für Java 6, 7 und 8 für Windows veröffentlicht, mit dem eine Sicherheitslücke im Installationsprozess geschlossen wird. Es sind dazu bereits zahlreiche Medienberichte erschienen, in denen allerdings häufig die Tatsache ausser acht gelassen wird, dass es sich hier nicht um eine Java-spezifische Schwachstelle handelt. Das Problem - Stichwort "Binary Planting" -... --------------------------------------------- http://www.cert.at/services/blog/20160209102305-1678.html *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Photoshop and Bridge (APSB16-03), Flash Player (APSB16-04), Adobe Experience Manager (APSB16-05) and Adobe Connect (APSB16-07) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1315 *** DSA-3472 wordpress - security update *** --------------------------------------------- Two vulnerabilities were discovered in wordpress, a web blogging tool.The Common Vulnerabilities and Exposures project identifies thefollowing problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3472 *** DSA-3471 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3471 *** DSA-3470 qemu-kvm - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu-kvm, a fullvirtualization solution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3470 *** DSA-3469 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3469 *** USN-2880-2: Firefox regression *** --------------------------------------------- Ubuntu Security Notice USN-2880-28th February, 2016firefox regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2880-1 introduced a regression in Firefox.Software description firefox - Mozilla Open Source web browser DetailsUSN-2880-1 fixed vulnerabilities in Firefox. This update introduced aregression which caused Firefox to crash on startup with some configurations.This update fixes the problem.We apologize --------------------------------------------- http://www.ubuntu.com/usn/usn-2880-2/

1 0

Tageszusammenfassung - Montag 8-02-2016
by Daily end-of-shift report 08 Feb '16

08 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-02-2016 18:00 − Montag 08-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Magento PCI Compliance Issues and Theft Over TLS *** --------------------------------------------- With about 30% of the market share, Magento is gradually becoming a "WordPress" of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners. During... --------------------------------------------- https://blog.sucuri.net/2016/02/theft-over-tls-or-illusion-of-pci-complianc… *** Extracting and distributing information on incidents, or what is PROKI *** --------------------------------------------- In the last blogpost, I promised to write something about our new project PROKI. PROKI is the abbreviation of the Czech phrase for "prediction and protection against cyber incidents" and in this project, our team set two goals for itself. --------------------------------------------- http://en.blog.nic.cz/2016/02/05/extracting-and-distributing-information-on… *** GitHub bug bounty hunting *** --------------------------------------------- Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub's infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed. --------------------------------------------- https://medium.com/@ircbot/github-bug-bounty-hunting-741de324be1c *** Netgear-Router-Software: Schwachstelle ermöglicht Dateiupload und Download *** --------------------------------------------- Die Router-Verwaltungssoftware Netgear Management System hat ein Sicherheitsproblem. Angreifer können zwischen einer Remote-Code-Execution und einer Directory-Traversal-Schwachstelle wählen. Einen Patch gibt es bislang nicht. --------------------------------------------- http://www.golem.de/news/netgear-router-software-schwachstelle-ermoeglicht-… *** Bankomat-Trick: Geld abheben, Kontostand bleibt gleich *** --------------------------------------------- Die Angriffe auf Finanzinstitute werden immer erfinderischer. Eine neue Schadsoftware bucht Finanzbeträge aufs Konto zurück, nachdem diese bei Bankomaten abgehoben wurden. --------------------------------------------- http://futurezone.at/digital-life/bankomat-trick-geld-abheben-kontostand-bl… *** T9000 backdoor steals documents, records Skype conversations, victims actions *** --------------------------------------------- A new backdoor Trojan with spyware capabilities is being used in targeted attacks against organizations based in the United States. It has been dubbed T9000, since its a newer, improved version of th... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3199 *** Avast SafeZone Browser Lets Attackers Access Your Filesystem *** --------------------------------------------- Just two days after Comodos Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, its now Avasts turn to be scorned for failing to provide a "secure" browser for its users. --------------------------------------------- http://news.softpedia.com/news/avast-safezone-browser-lets-attackers-access… *** Adwind: FAQ *** --------------------------------------------- Adwind - a cross-platform RAT, multifunctional malware program which is distributed through a single malware-as-a-service platform. Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world. --------------------------------------------- http://securelist.com/blog/research/73660/adwind-faq/ *** Java installer flaw shows why you should clear your Downloads folder *** --------------------------------------------- On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason is that older Java... --------------------------------------------- http://www.cio.com/article/3030707/security/java-installer-flaw-shows-why-y… *** Netgear Pro NMS 300 Code Execution / File Download *** --------------------------------------------- Topic: Netgear Pro NMS 300 Code Execution / File Download Risk: High Text:>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 >> Discovered by Pedro ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020070 *** Oracle Security Alert for CVE-2016-0603 - 5 February 2016 *** --------------------------------------------- To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-28743… *** Bugtraq: [security bulletin] HPSBGN03434 rev.1 - HP Continuous Delivery Automation using Java Deserialization, Remote Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537461 *** Bugtraq: [security bulletin] HPSBHF03431 rev.2 - HPE Network Switches, local Bypass of Security Restrictions, Indirect Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537460 *** 0Day Vulnerabilities in Advantech WebAccess *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-146/ http://www.zerodayinitiative.com/advisories/ZDI-16-147/ http://www.zerodayinitiative.com/advisories/ZDI-16-148/ http://www.zerodayinitiative.com/advisories/ZDI-16-149/ http://www.zerodayinitiative.com/advisories/ZDI-16-150/ http://www.zerodayinitiative.com/advisories/ZDI-16-151/ http://www.zerodayinitiative.com/advisories/ZDI-16-152/ http://www.zerodayinitiative.com/advisories/ZDI-16-153/ http://www.zerodayinitiative.com/advisories/ZDI-16-154/ http://www.zerodayinitiative.com/advisories/ZDI-16-155/ --------------------------------------------- *** SSA-253230 (Last Update 2016-02-08): Vulnerabilities in SIMATIC S7-1500 CPU *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-253230… *** Bugtraq: Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537471 *** WooCommerce - Store Toolkit Plugin Privilege Escalation <= 1.5.6 *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8385 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in net-snmp affects IBM DataPower Gateways (CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21975340 --------------------------------------------- *** IBM Security Bulletin: A cross-site scripting vulnerability has been identified in IBM Security Access Manager for Web (CVE-2015-8531) *** http://www.ibm.com/support/docview.wss?uid=swg21974651 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21974652 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Net-SNMP affect IBM Security Access Manager for Web (CVE-2014-3565, CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21974644 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM QRadar SIEM, and QRadar Incident Forensics (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976113 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM DataPower Gateways (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974965 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability found in IBM WebSphere Commerce (CVE-2015-7444) *** http://www.ibm.com/support/docview.wss?uid=swg21974307 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974648 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974650 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974750 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Mobile (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974747 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile *** http://www.ibm.com/support/docview.wss?uid=swg21973139 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Web (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21974737 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in XML processing affects IBM DataPower Gateways (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21975341 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408) *** http://www.ibm.com/support/docview.wss?uid=swg21975957 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Web (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21974738 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21975882 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21974653 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Web (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21974657 --------------------------------------------- *** IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to a Denial of Service attack, and Sensitive Information Exposure. (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=swg21976148 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 5-02-2016
by Daily end-of-shift report 05 Feb '16

05 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 04-02-2016 18:00 − Freitag 05-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WP-Invoice <= 4.1.0 - Multiple Vulnerabilities *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8378 *** User Meta Manager <= 3.4.6 - Authenticated Blind SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8380 *** User Meta Manager <= 3.4.6 - Privilege Escalation *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8379 *** Racing MIDI messages in Chrome *** --------------------------------------------- This is a guest blog post by Oliver Chang from the Chrome Security team.This post is about an exceptionally bad use after free bug in Chrome's browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web without .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/02/racing-midi-messages-in-chrom… *** DSA-3466 krb5 - security update *** --------------------------------------------- Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3466 *** Neutrino Exploit Kit Not Responding - Bug or Feature? *** --------------------------------------------- A couple of weeks ago we were looking at some exploit kits in one of our lab environments and noticed a decline in the number of Neutrino instances were seeing. This sent us on yet another journey to investigate Neutrino .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Neutrino-Exploit-Kit-Not-Res… *** Chrome picks up bonus security features on Windows 10 *** --------------------------------------------- The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source .. --------------------------------------------- http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bonus… *** A trip through the spam filters: more malspam with zip attachments containing .js files *** --------------------------------------------- I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something Ive covered previously in ISC .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20697 *** Verschlüsselungs-Trojaner TeslaCrypt 2 geknackt; Kriminelle rüsten nach *** --------------------------------------------- Opfer des berüchtigten Verschlüsselungs-Trojaners TeslaCrypt können aufatmen: Das kostenlose Tool TeslaDecoder kann zumindest die Dateien der Version 2 entschlüsseln. Doch die Betrüger schlafen nicht: Aktuell kursiert schon Version 3. --------------------------------------------- http://heise.de/-3092667 *** Eset NOD32 Antivirus 9 gefährdet https-Verschlüsselung *** --------------------------------------------- Eset NOD32 Antivirus 9 installiert einen SSL-Filter, der sich in die Verschlüsselung einklinkt. Wie heise Security entdeckte, akzeptiert er dabei unter Umständen gefälschte Zertifikate; ein Update des Herstellers beseitigt den Fehler. --------------------------------------------- http://heise.de/-3095024 *** Dridex: Botnet verteilt Virenscanner *** --------------------------------------------- Gelingt es Cyberkriminellen, ihre Malware auf fremden Rechnern einzuschleusen, nutzen sie dies mitunter aus, um sie zum Teil eines Botnets zu machen. Über ihre Server steuern sie die kompromittierten Computer und nutzen ihre .. --------------------------------------------- http://derstandard.at/2000030450321 *** The Malware Museum @ Internet Archive *** --------------------------------------------- Here's what submitting a virus sample looked like back in the days of 5" floppy disks. And now you can see classic viruses in action at The Malware Museum. Do you feel like emulating old malware inside a MS-DOS Virtual Machine inside .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/05/the-malware-museum-internet-archiv… *** Positive Research Center *** --------------------------------------------- In December 2015, I found a critical vulnerability in one of PayPal business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to PayPal security team, and it was fixed promptly. --------------------------------------------- http://blog.ptsecurity.com/2016/02/paypal-remote-code-execution.html

1 0

Tageszusammenfassung - Donnerstag 4-02-2016
by Daily end-of-shift report 04 Feb '16

04 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-02-2016 18:00 − Donnerstag 04-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Weiterhin etliche IP-Kameras von Aldi unzureichend geschützt *** --------------------------------------------- Nach wie vor ist mindestens eine dreistellige Zahl der bei Aldi verkauften Maginon-Kameras ohne Passwort über das Internet steuerbar. Unterdessen hat sich herausgestellt, dass der Hersteller bereits im Juni 2015 informiert wurde. --------------------------------------------- http://heise.de/-3092642 *** Cisco Unified Communications Manager SQL Injection Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** CERT: Poor password policy leaves OpenELEC operating system vulnerable to hackers *** --------------------------------------------- The CERT Division at Carnegie Mellon University yesterday issued an alert detailing a password vulnerability in the Open Embedded Linux Entertainment Center operating system. --------------------------------------------- http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operati… *** Macro Redux: the Premium Package *** --------------------------------------------- Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then .. --------------------------------------------- http://labs.bromium.com/2016/02/03/macro-redux-the-premium-package/ *** Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of the Cisco Jabber Guest application could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Fake Adobe Flash Update OS X Malware *** --------------------------------------------- Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20693 *** No More Deceptive Download Buttons *** --------------------------------------------- In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may .. --------------------------------------------- https://googleonlinesecurity.blogspot.co.uk/2016/02/no-more-deceptive-downl… *** l+f: Web-Dienst prüft Präsenz sicherheitsrelevanter HTTP-Header *** --------------------------------------------- Mit securityheaders.io kann man herausfinden, welche Schutzfunktionen ein Server über die HTTP-Header scharf schaltet. --------------------------------------------- http://heise.de/-3095001

1 0

Tageszusammenfassung - Mittwoch 3-02-2016
by Daily end-of-shift report 03 Feb '16

03 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-02-2016 18:00 − Mittwoch 03-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WordPress 4.4.2 Security and Maintenance Release *** --------------------------------------------- https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance… *** Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Sauter moduWeb Vision Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for three vulnerabilities in Sauter's moduWeb Vision application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01 *** GE SNMP/Web Interface Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for two vulnerabilities in the GE SNMP/Web Interface adapter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02 *** DMA Locker: New Ransomware, But No Reason To Panic *** --------------------------------------------- A new piece of ransomware which looks a little clumsy. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/draft-dma-locker-a-new-ransomwar… *** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available *** --------------------------------------------- The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-exper… *** DSA-3465 openjdk-6 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography. --------------------------------------------- https://www.debian.org/security/2016/dsa-3465 *** Bypassing Bitrix WAF via tiny regexp error *** --------------------------------------------- Bitrix24 is one of the first and most secure cross-platform corporate software with integrated WAF and RASP. Lets see how we can bypass them. --------------------------------------------- https://www.htbridge.com/blog/bypassing-bitrix-web-application-firewall-via… *** Smartphone-Security: Root-Backdoor macht Mediatek-Smartphones angreifbar *** --------------------------------------------- Eine Debug-Funktion für Vergleichstests im chinesischen Markt führt dazu, dass zahlreiche Smartphones mit Mediatek-Chipsatz verwundbar sind. Angreifer können eine lokale Root-Shell aktivieren. Auch Geräte auf dem deutschen Markt könnten betroffen sein. --------------------------------------------- http://www.golem.de/news/smartphone-security-root-backdoor-macht-mediatek-s… *** l+f: Neuland, USA *** --------------------------------------------- Das Milliardenprojekt F-35 verzögert sich um mindestens ein Jahr, weil Techniker aus Sicherheitsgründen nicht auf eine Datenbank zugreifen können. --------------------------------------------- http://heise.de/-3092005 *** MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) *** --------------------------------------------- In September 2014 during the shellshock exploitation was in the rush I analyzed a case (MMD-0027-2014) of an ELF dropped payload via shellshock attack, with the details can be read in-->[here] Today I found an interesting ELF x32 sample that was reported several hours back, the infection vector is also ShellShock, the .. --------------------------------------------- http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.ht… *** Comodo: "Sicherer" Browser mit groben Sicherheitsdefiziten *** --------------------------------------------- Google warnt vor der Verwendung - Hebelt Same Origin Policy des Browsers --------------------------------------------- http://derstandard.at/2000030313692 *** Thunderstrike 2: Sicherheitsforscher arbeiten inzwischen für Apple *** --------------------------------------------- Der Mac-Hersteller hat eine Sicherheitsfirma übernommen, die an der Entwicklung von "Thunderstrike 2" beteiligt war. Die Forscher zeigten Schwachstellen, die das Einschleusen eines Schädlings auf Firmware-Ebene ermöglichen – nicht nur auf Macs. --------------------------------------------- http://heise.de/-3092644 *** Phishing-Angriff: Nutzer sollen Amazon-Zertifikat installieren *** --------------------------------------------- Phishing-Angriffe gehören zu den nervigen Alltäglichkeiten von Internetnutzern. Eine spezielle Masche versucht jetzt, Android-Nutzer zur Installation eines angeblichen Sicherheitszertifikates zu bewegen. Komisch, dass das Zertifikat die Endung .apk aufweist. --------------------------------------------- http://www.golem.de/news/phishing-angriff-nutzer-sollen-amazon-zertifikat-i… *** Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability *** --------------------------------------------- A vulnerability in the ICMP implementation in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch could allow an unauthenticated, remote attacker to cause the switch to reload, resulting in a denial of service (DoS) condition. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Application Policy Infrastructure Controller Access Control Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Bypass Windows AppLocker *** --------------------------------------------- AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running. --------------------------------------------- http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html

1 0

Tageszusammenfassung - Dienstag 2-02-2016
by Daily end-of-shift report 02 Feb '16

02 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 01-02-2016 18:00 − Dienstag 02-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cyberangriff auf A1 verursacht Ausfall des mobilen Netzes *** --------------------------------------------- Attacken seit Samstag - Zeitpunkt der Fehlerbehebung noch nicht in Sicht --------------------------------------------- http://derstandard.at/2000030190051 *** red|blue: A Soft-ish Introduction to Malware Analysis for Incident Responders *** --------------------------------------------- One of my resolutions for the New Year is to spend more time conducting behavioral and static analysis of malicious PE files. I recently spent time watching some of the Cybrary Malware Reverse Engineering material and wanted to document my efforts here and share my notes and additional thoughts with you. --------------------------------------------- http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html *** Malwarebytes Anti-Malware Vulnerability Disclosure *** --------------------------------------------- In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally .. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulner… *** Massive Admedia/Adverting iFrame Infection *** --------------------------------------------- This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are: 32 hex digit comments at the beginning and end of the malicious .. --------------------------------------------- https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection… *** Google plugs Android vulns *** --------------------------------------------- Happy days if you own a Nexus Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and .. --------------------------------------------- www.theregister.co.uk/2016/02/02/google_plugs_android_vulns/ *** Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution *** --------------------------------------------- The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the Description element. Successful exploitation could allow execution of arbitrary code on the affected machine. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php *** Austrian Mobile Phone Signature is vulnerable against phishing and MitM attacks *** --------------------------------------------- Talking with various people about the Two Factor Authentication (2FA) which is used in Austria to access public services led to my impression that most people think that the system is really secure. While it is more secure than a simple user/password combination its by far not that secure. In this .. --------------------------------------------- http://robert.penz.name/1224/austrian-mobile-phone-signature-is-vulnerable-… *** Aktuelle Spamwelle (Dridex) *** --------------------------------------------- In den letzten Tagen gibt es vermehrt Berichte darüber, dass die Malware Dridex nach einer kurzen Winterpause wieder verstärkt aktiv ist. --------------------------------------------- http://www.cert.at/services/blog/20160202110607-1661.html *** Cyberbetrug bei FACC: Aktionäre fordern Konsequenzen *** --------------------------------------------- Rasinger: "Das schließt auch personelle Konsequenzen mit ein" – Zeitung: Ablöse von Finanzchefin zu erwarten --------------------------------------------- http://derstandard.at/2000030230502-375 *** Apache verpetzt möglicherweise Tor Hidden Services *** --------------------------------------------- In seiner Standard-Konfiguration liefert der beliebte Web-Server-Dienst Informationen, die die Anonymitäts-Versprechen eines Tor Hidden Services gefährden. Diese anonymen Tor-Dienste sind der Kern des oft zitierten "Dark Net". --------------------------------------------- http://heise.de/-3090218 *** Crash Safari Follow-Up *** --------------------------------------------- It's been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK). More than three-quarters of a million clicks were made before the short link was disabled for violating .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/02/crash-safari-follow-up/ *** A1 kämpft seit Samstag gegen Hackerangriffe *** --------------------------------------------- Ausfälle nach DDoS-Attacken zuerst im mobilen Netz, danach im Festnetz-Internet --------------------------------------------- http://derstandard.at/2000030190051 *** Targeted IPv6 Scans Using pool.ntp.org *** --------------------------------------------- IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20681 *** Socat Warns Weak Prime Number Could Mean It's Backdoored *** --------------------------------------------- Socat published a security advisory warning users that a hard-coded 1024 Diffie-Hellman prime number was not prime, and that an attacker could listen and recover secrets from a key exchange. --------------------------------------------- http://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoor… *** VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands *** --------------------------------------------- The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children. --------------------------------------------- http://www.kb.cert.org/vuls/id/719736 *** Top Exploit Kits Round Up January Edition *** --------------------------------------------- A look at the top exploit kits.Categories: ExploitKits(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/top-exploit-kits-round-up… *** MailPoet Newsletters <= 2.6.19 - Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8373 *** Hacker wollen bei Nasa eingebrochen sein, um Chemtrails zu beweisen *** --------------------------------------------- Gruppierung "Anonsec" will 250 GB an Daten erbeutet und Kontrolle über eine Drohne übernommen haben --------------------------------------------- http://derstandard.at/2000030242744

1 0

Tageszusammenfassung - Montag 1-02-2016
by Daily end-of-shift report 01 Feb '16

01 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 29-01-2016 18:00 − Montag 01-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** FreeBSD Linux Support issetugid(2) Error Lets Local Users Gain Elevated Privileges *** --------------------------------------------- The Linux compatibility layer issetugid(2) system call may return incorrect information. A local user may be able to exploit an application that uses this system call to gain elevated privileges. --------------------------------------------- http://www.securitytracker.com/id/1034872 *** QEMU Firmware Configuration Processing Access Flaw Lets Local Users on a Guest System Gain Elevated Privileges on the Host System *** --------------------------------------------- A privileged local user with CAP_SYS_RAWIO capabilities on the guest system can trigger an out-of-bounds read/write access error when processing firmware configurations and cause denial of service conditions or gain elevated privileges on the host system. --------------------------------------------- http://www.securitytracker.com/id/1034858 *** HP integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections *** --------------------------------------------- A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection. --------------------------------------------- http://www.securitytracker.com/id/1034884 *** Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability *** --------------------------------------------- XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php *** Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability *** --------------------------------------------- Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters groupname and description is not sanitized allowing the attacker to execute HTML code into users browser session on the affected site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php *** HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability *** --------------------------------------------- HP Client Security Manager is prone to XSS attacks because of lacking sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php *** Now VirusTotal can scan your firmware image for bad executables *** --------------------------------------------- VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes. VirusTotal has recently announced the launch of a new malware scanning service for firmware .. --------------------------------------------- http://securityaffairs.co/wordpress/44097/malware/virustotal-firmware-scan.… *** 6 Millionen US-Dollar für Sicherheitslücken in Google-Produkten *** --------------------------------------------- Google zeigt sicher weiterhin spendabel, wenn Sicherheitsforscher neue Lücken in Chrome, Android & Co. an den Konzern melden. --------------------------------------------- http://heise.de/-3088182 *** DSA-3460 privoxy - security update *** --------------------------------------------- It was discovered that privoxy, a web proxy with advanced filteringcapabilities, contained invalid reads that could enable a remoteattacker to crash the application, thus causing a Denial of Service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3460 *** Is security outfit Norse Corp dead or just temporarily TITSUP? *** --------------------------------------------- Imploding says Brian Krebs Security startup Norse Corp has gone ominously dark. --------------------------------------------- www.theregister.co.uk/2016/02/01/is_norse_corp_dead_or_just_temporarily_tit… *** LibreSSL emits new versions, says not vulnerable to OpenSSL bug *** --------------------------------------------- Ciscos pedalling hard to prepare patches too Corrected LibreSSL sysadmins should keep an eye on their mirrors for a soon-to-land update. --------------------------------------------- www.theregister.co.uk/2016/02/01/openbsd_rolls_in_libressl_bug_fixes/ *** DSA-3463 prosody - security update *** --------------------------------------------- It was discovered that insecure handling of dialback keys may allowa malicious XMPP server to impersonate another server. --------------------------------------------- https://www.debian.org/security/2016/dsa-3463 *** Schluss mit "123456": 1. Februar ist "Change your password"-Tag *** --------------------------------------------- Zahlreiche Nutzer verwenden noch immer haarsträubend unsichere Passwörter --------------------------------------------- http://derstandard.at/2000030144886 *** Aktuell im Umlauf: Trojaner-Mail im Namen des Kopierers verschickt *** --------------------------------------------- Kriminelle versenden dieser Tage gehäuft E-Mails mit Schadcode im Anhang über gefälschte Absenderadressen von Netzwerk-Kopierern. --------------------------------------------- http://heise.de/-3088536 *** GAME OVER: HOW A COLOURFUL GAME TURNED INTO A SUBSCRIPTION TRAP - App from the Google Play store automatically set up two subscriptions in the Netherlands *** --------------------------------------------- Premium SMS messages were the first attacks on Android users - almost six years ago, malware with this functionality was the primary risk. Since then of course, the malware landscape for mobile devices has moved on significantly. For this very .. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/game-over-how-a-colourful-game-… *** Theres a lot of vulnerable OS X applications out there. *** --------------------------------------------- Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM). --------------------------------------------- https://vulnsec.com/2016/osx-apps-vulnerabilities/ *** Illegaler Bezahldienst Liberty Reserve: Gründer bekennt sich der Geldwäsche schuldig *** --------------------------------------------- US-Behörden bezeichnen den 2013 abgestellten Onlinedienst Liberty Reserve als "die Bank der Wahl für die kriminelle Unterwelt". Der Gründer hat sich nun schuldig bekannt, über 250 Millionen US-Dollar gewaschen zu haben. --------------------------------------------- http://heise.de/-3088621

1 0

Tageszusammenfassung - Freitag 29-01-2016
by Daily end-of-shift report 29 Jan '16

29 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 28-01-2016 18:00 − Freitag 29-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Elaborate iCloud Phish Used To Activate Stolen iPhones *** --------------------------------------------- Lost your iphone? Beware of messages claiming it was found.Categories: Phishing(Read more...) --------------------------------------------- https://blog.malwarebytes.org/phishing/2016/01/elaborate-icloud-phish-used-… *** New Attacks Linked to C0d0so0 Group *** --------------------------------------------- While recently researching unknown malware and attack campaigns using the AutoFocus threat intelligence platform, Unit 42 discovered new activity that appears related to an adversary group previously called "C0d0so0" or "Codoso". This group is well... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0… *** Ein Schlüssel fürs ungesicherte Smart Home *** --------------------------------------------- Experten warnen vor unsicheren Eigenheim-Lösungen, die mit dem Internet verbunden sind. Konsumenten sollten von den Herstellern mehr Sicherheit einfordern. --------------------------------------------- http://futurezone.at/digital-life/ein-schluessel-fuers-ungesicherte-smart-h… *** Trojan targeted dozens of games on Google Play *** --------------------------------------------- January 28, 2016 Doctor Web security researchers detected the Android.Xiny.19.origin Trojan that targeted dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements. The Trojan was incorporated into more than 60 games that were then distributed via Google Play in the names of more than 30 game developers, including Conexagon Studio, Fun Color... --------------------------------------------- http://news.drweb.com/show/?i=9803&lng=en&c=9 *** OpenSSL-Lücke: Die Sache mit den sicheren Primzahlen *** --------------------------------------------- OpenSSL hat mit einem Sicherheitsupdate eine Sicherheitslücke im Diffie-Hellman-Schlüsselaustausch behoben, deren Risiko als "hoch" eingestuft wird. Allerdings dürfte kaum jemand von der Lücke praktisch betroffen sein. --------------------------------------------- http://www.golem.de/news/openssl-luecke-die-sache-mit-den-sicheren-primzahl… *** Auto mit bösartigem Lied gekapert *** --------------------------------------------- Ein Sicherheitsforscher, der bereits 2010 eine kritische Lücke in einem Automobil-System entdeckte, hat nun erklärt, wie sie funktioniert: mit Schadcode, der in einem Song versteckt wurde. Auch heute sind ähnliche Angriffe noch immer denkbar. --------------------------------------------- http://heise.de/-3087160 *** 27% of all malware variants in history were created in 2015 *** --------------------------------------------- Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year.That averages out to around 230,000 new malware samples a day, said Luis Corrons, technical director of Pandas PandaLabs unit. Or 27 percent of all malware ever created.Trojans continued to account for the main bulk of malware, at 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially... --------------------------------------------- http://www.cio.com/article/3027621/cyber-attacks-espionage/27-of-all-malwar… *** From Linux to Windows - New Family of Cross-Platform Desktop Backdoors Discovered *** --------------------------------------------- Background Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only... --------------------------------------------- http://securelist.com/blog/research/73503/from-linux-to-windows-new-family-… *** Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces" *** --------------------------------------------- February 02, 2016 - 11:00 am - 12:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/guest-talk-hidden-gems-automated-discov… *** Security Advisory: Linux kernel vulnerability CVE-2015-7509 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/73/sol73189318.html?… *** DSA-3459 mysql-5.5 - security update *** --------------------------------------------- Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.47. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details: --------------------------------------------- https://www.debian.org/security/2016/dsa-3459 *** Westermo Industrial Switch Hard-coded Certificate Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a hard-coded certificate vulnerability in Westermo's industrial switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-028-01 *** JBoss Data Virtualization Object Deserialization FlawLets Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034815 *** Cisco Small Business 500 Series Switches Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unity Connection User Search Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** nginx DNS Processing Flaws Let Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1034869 *** Bugtraq: ProjectSend multiple vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537402 *** Telegram (API) Cross Site Request Forgery *** --------------------------------------------- Topic: Telegram (API) Cross Site Request Forgery Risk: Medium Text:Document Title: Telegram (API) - Cross Site Request Forgery Vulnerabilities References (Source): == http:/... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010208 *** HP Security Bulletins *** --------------------------------------------- *** HPSBGN03542 rev.1 - HPE Operations Manager for Windows using Java Deserialization, Remote Arbitrary Code Execution *** https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04953244 --------------------------------------------- *** HPSBHF03539 rev.1 - HPE VCX running OpenSSH or BIND, Remote Denial of Service (DoS) *** https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952480 --------------------------------------------- *** HPSBOV03540 rev.1 - HPE OpenVMS TCPIP Bind Services and OpenVMS TCPIP IPC Services for OpenVMS, Remote Disclosure of Information, Execution of Code, Denial of Service (DoS) *** https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952488 --------------------------------------------- *** HPSBHF03510 rev.1 - HP Integrated Lights-Out 2/3/4, Remote Unauthorized Modification *** https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03538 rev.1 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Remote Code Execution, Denial of Service (DoS) *** http://www.securityfocus.com/archive/1/537401 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03535 rev.3 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Multiple Remote Vulnerabilities *** http://www.securityfocus.com/archive/1/537400 --------------------------------------------- *** Novell Patches *** --------------------------------------------- *** IDM 4.5 Engine & Remote Loader Service Pack 3 4.5.3 *** https://download.novell.com/Download?buildid=Rjs_0SapjGg~ --------------------------------------------- *** IDM 4.5 Identity Applications 4.5.3 *** https://download.novell.com/Download?buildid=N63wVOwZf_s~ --------------------------------------------- *** NetIQ Identity Manager Service Pack 3 - Designer 4.5.3 *** https://download.novell.com/Download?buildid=QgHXVOxv310~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 6 for Windows *** https://download.novell.com/Download?buildid=RYH_EkORvU4~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 7 for Linux *** https://download.novell.com/Download?buildid=l6ulyqWxDv8~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 7 for Windows *** https://download.novell.com/Download?buildid=HTund35qCFk~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 7 (non-root) for Linux *** https://download.novell.com/Download?buildid=Drw3BqUXIo4~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 6 for Linux *** https://download.novell.com/Download?buildid=E9m024HXLHw~ ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 28-01-2016
by Daily end-of-shift report 28 Jan '16

28 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 27-01-2016 18:00 − Donnerstag 28-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Googles VirusTotal now picks out suspicious firmware *** --------------------------------------------- Googles VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computers hardware and operating system at startup.Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware since its a great place to hide. Since antivirus programs "are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on... --------------------------------------------- http://www.cio.com/article/3027050/googles-virustotal-now-picks-out-suspici… *** Critical Israel power grid attack was just boring ransomware *** --------------------------------------------- Minister puts nation on alert, SANS Institute says move along, nothing to see here ... The SANS Institute has moved to quell reports that Israels energy grid has been hit by malware, revealing instead that the attacks were ransomware infecting the nations utility regulatory authority. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/28/israel_powe… *** ENISA Threat Landscape 2015, a must reading *** --------------------------------------------- ENISA has issued the annual ENISA Threat Landscape 2015 a document that synthesizes the emerging trends in cyber security I'm very happy to announce the publication of the annual ENISA Threat Landscape 2015 (ETL 2015), this is the fifth report issued by the European Agency. The ENISA Threat Landscape 2015 summarizes top cyber threats, experts have identified... --------------------------------------------- http://securityaffairs.co/wordpress/43998/cyber-crime/enisa-threat-landscap… *** Techie on the ground disputes BlackEnergy Ukraine power outage story *** --------------------------------------------- And Russia? Thats too convenient A Ukrainian telecoms engineer has raised doubts about the widely reported link between BlackEnergy attacks and power outages in his country. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/27/ukraine_bla… *** BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents *** --------------------------------------------- Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document. --------------------------------------------- http://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukrain… *** Java Serialization Bug Crops Up At PayPal *** --------------------------------------------- PayPal has rewarded two researchers with bug bounties for the discovery of a Java serialization vulnerability in manager.paypal.com --------------------------------------------- http://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/ *** LG closes data-theft hole affecting millions of G3 smartphones *** --------------------------------------------- Bug allows attackers to embed malicious code in data fed to phone. --------------------------------------------- http://arstechnica.com/security/2016/01/lg-closes-data-theft-hole-affecting… *** Oracle announces Java plugin deprecation, death *** --------------------------------------------- With a short post by a member of the Java strategy team, Oracle has announced the approaching death of the hated Java plugin. "Oracle plans to deprecate the Java browser plugin in JDK 9. This techn... --------------------------------------------- http://www.net-security.org/secworld.php?id=19385 *** DFN-CERT-2016-0166: OpenSSL: Zwei Schwachstellen ermöglichen das Umgehen von Sicherheitsmechanismen und das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0166/ *** Bugtraq: Netgear GS105Ev2 - Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537389 *** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016 *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Advisory: IPSec vulnerability CVE-2015-4047 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05013313.html?… *** Filr 1.2 - Security Update 1 *** --------------------------------------------- Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.2.0 appliances.Document ID: 5233830Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-1.2.0.412.HP.zip (763.81 kB)Filr-1.2.0.857.HP.zip (763.86 kB)Search-1.2.0.996.HP.zip (763.83 kB)Products:Filr 1.2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=Sww_cAfKic0~ *** Filr 1.1 - Security Update 5 *** --------------------------------------------- Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.1.0 appliances.Document ID: 5233810Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-1.1.0.386.HP.zip (763.82 kB)Search-1.1.0.823.HP.zip (763.83 kB)Filr-1.1.0.677.HP.zip (763.91 kB)Products:Filr 1.1Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=GGjGx_IhcY4~ *** phpMyAdmin 4.5.4, 4.4.15.3, and 4.0.10.13 are released *** --------------------------------------------- Welcome to phpMyAdmin 4.5.4, which contains regular bug fixes and a number of security fixes. The phpMyAdmin project also announces the release of versions 4.4.15.3 (a security release compatible with PHP versions as old as 5.3.7 and MySQL 5.5), and 4.0.10.13 (a security release compatible with PHP versions as old as 5.2 and MySQL 5). The security incidents will be documented in the upcoming PMASA-2016-1 through PMASA-2016-9, which will be available shortly at --------------------------------------------- https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-a… *** Bugtraq: HCA0005 - Liberty Global - Horizon HD STB - predictable WiFi passphrase *** --------------------------------------------- http://www.securityfocus.com/archive/1/537395 *** Bugtraq: Trend Micro Direct Pass - Filter Bypass & Persistent Web Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/537396

1 0

Tageszusammenfassung - Mittwoch 27-01-2016
by Daily end-of-shift report 27 Jan '16

27 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 26-01-2016 18:00 − Mittwoch 27-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** BGP Route Hijacking - An Overview *** --------------------------------------------- BGP is the mechanism by which autonomous networks exchange "reachability" information between each other. A network with an assigned or allocated prefix of addresses "advertises" the block of addresses to a neighboring BGP speaking router, this is known as BGP peering. There is little hiding what BGP peering networks announce between each other. When two networks are reasonably small, and their assigned prefixes are limited and well known, enforcement of announcements... --------------------------------------------- https://blog.team-cymru.org/2016/01/bgp-route-hijacking-an-overview/ *** More Fake Facebook "Security System Page" Scams *** --------------------------------------------- We take a look at some variations on the same kind of Facebook scam currently doing the rounds.Categories: Fraud/Scam AlertTags: facebookphishphishingscam(Read more...) --------------------------------------------- https://blog.malwarebytes.org/fraud-scam/2016/01/more-fake-facebook-securit… *** If youre one of millions using Magento - stop whatever youre doing and patch now *** --------------------------------------------- Ecommerce websites can be hijacked via critical flaw A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/26/urgent_mage… *** New Magic ransomware abuses open-source educational code *** --------------------------------------------- Malware based on open-source code, created for educational purposes only, has been spotted in the wild by Bleeping Computers Lawrence Abrams. --------------------------------------------- http://www.scmagazine.com/new-magic-ransomware-abuses-open-source-education… *** Verschlüsselung: IETF standardisiert zwei weitere elliptische Kurven *** --------------------------------------------- Die IETF hat die beiden elliptischen Kurven Curve25519 und Curve448 als RFC für Krypto-Funktionen offiziell abgesegnet. Eine Standardisierung der Kurven für den Schlüsselaustausch bei TLS wird ebenfalls erwartet. --------------------------------------------- http://heise.de/-3084830 *** Security: Wenn der Drucker zum anonymen Fileserver wird *** --------------------------------------------- Sicherheitsprobleme liegen oft bei den Anwendern von IT-Produkten. In einem aktuellen Fall zeigt ein Sicherheitsforscher, dass Angreifer auf ungeschützten Netzwerkdruckern von Hewlett-Packard anonym Dateien ablegen können. --------------------------------------------- http://www.golem.de/news/security-wenn-der-drucker-zum-anonymen-fileserver-… *** The Rising Sophistication of Network Scanning *** --------------------------------------------- In this article I would like to show you a hidden system that is hard at work scanning thousands, maybe millions, of unsuspecting devices. And Ill show how this system efficiently harvests each devices personal IP address and hands it off to a scanner, which proceeds to run a port/security scan against each unsuspecting victim for vulnerabilities. --------------------------------------------- http://netpatterns.blogspot.co.uk/2016/01/the-rising-sophistication-of-netw… *** SQL Injection Analysis *** --------------------------------------------- It is one thing to be able to execute a simple SQL injection attack; it is another to do a proper investigation of such an attack. Unfortunately, there is not much information on SQL Injection analysis. This article will assist in providing some tools for basic Incident Response. It can be fairly easily translated to... --------------------------------------------- http://resources.infosecinstitute.com/sql-injection-analysis/ *** RuhrSec 2016 - supported by SBA Research *** --------------------------------------------- April 28, 2016 - April 29, 2016 - All Day Veranstaltungszentrum, Ruhr-Universität Bochum Universitätsstraße 150 Bochum --------------------------------------------- https://www.sba-research.org/events/ruhrsec-2016/ *** TP-Link-Router mit vorhersehbarem Standard-WLAN-Passwort *** --------------------------------------------- Angreifer können das werkseitige WLAN-Passwort von einer TP-Link-Router-Serie vergleichsweise einfach herausfinden und sich so Zugang zum Netzwerk verschaffen. Weitere Serien könnten ebenfalls betroffen sein. --------------------------------------------- http://heise.de/-3085482 *** Apple can read your iMessages despite them being encrypted *** --------------------------------------------- Despite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form, it uses its own key. --------------------------------------------- http://www.scmagazine.com/apple-can-read-your-imessages-despite-them-being-… *** Bugtraq: [security bulletin] HPSBGN03537 rev.1 - HPE IceWall Federation Agent and IceWall File Manager running libXML2, Remote or Local Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537368 *** Bugtraq: [security bulletin] HPSBGN03536 rev.1 - HP IceWall Products running OpenSSL, Remote and Local Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537367 *** pfSense Firewall 2.2.5 Cross Site Request Forgery *** --------------------------------------------- Topic: pfSense Firewall 2.2.5 Cross Site Request Forgery Risk: Low Text:<!-- # Exploit Title: pfSense Firewall 2.2.5 Cross-Site Request Forgery # Date: 23-01-2016 # Software Link: http://mirror.a... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010178 *** Cisco Small Business SG300 Managed Switch Web Framework GUI Function Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco RV220W Management Authentication Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Wide Area Application Service CIFS Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** MICROSYS PROMOTIC Memory Corruption Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a memory corruption vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-026-01 *** Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Rockwell Automation's Allen-Bradley MicroLogix 1100 programmable logic controller systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM MQ Appliance (CVE-2016-0777) *** http://www.ibm.com/support/docview.wss?uid=swg21975158 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of Communications Server for Data Center Deployment, AIX, Linux, System z, and Windows (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974589 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager Enterprise Edition (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974700 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Content Collector for SAP Applications (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974333 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974407 --------------------------------------------- *** IBM Security Bulletin: A vulnerability has been addressed in the GSKit component of IBM Security Directory Server (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21975404 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Personal Communications (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974947 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in openssl affect Power Hardware Management Console (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021091 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LMS along with IBM Kenexa Participate, IBM Kenexa LCMS on Cloud (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972995 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-4843 CVE-2015-4868 CVE-2015-4806 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4842 CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021090 --------------------------------------------- *** IBM Security Bulletin: Two vulnerabilities exist in IBM Case Foundation and FileNet Business Process Manager (CVE-2012-5784 and CVE-2014-3596) *** http://www.ibm.com/support/docview.wss?uid=swg21965451 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM MQ Appliance (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974599 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974922 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM i (CVE-2015-7575). *** http://www.ibm.com/support/docview.wss?uid=nas8N1021096 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM MQ Appliance (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974598 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Security SiteProtector System (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974980 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager OnDemand for Multiplatforms (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974698 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for UNIX (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974884 --------------------------------------------- *** IBM Security Bulletin: IBM Platform Application Center Standard Edition is affected by a security vulnerability (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023269 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the GSKit component of Transformation Extender (CVE-2016-0201, CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21972246 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium *** http://www.ibm.com/support/docview.wss?uid=swg21973723 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 26-01-2016
by Daily end-of-shift report 26 Jan '16

26 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 25-01-2016 18:00 − Dienstag 26-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified Contact Center Express Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of the Cisco Unified Contact Center Express could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. This vulnerability applies to all Permanent Web Links .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Application Policy Infrastructure Controller Enterprise Module SNMP Hostname Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the Simple Network Management Protocol (SNMP) query process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DSA-3453 mariadb-10.0 - security update *** --------------------------------------------- https://www.debian.org/security/2016/dsa-3453 *** Symantec partner caught running tech support scam *** --------------------------------------------- Tech support scammers are known for their cheek -- making unfounded claims that PCs are infected to scare consumers into parting with their money -- but a Symantec partner took nerve to a new level, a security company claimed last week.According to San Jose, Calif.-based Malwarebytes, Silurian .. --------------------------------------------- http://www.cio.com/article/3026356/security/symantec-partner-caught-running… *** Pentest Time Machine: NMAP + Powershell + whatever tool is next *** --------------------------------------------- Early on in many penetration test or security assessment, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are). One .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20653& *** Appointment Booking Calendar <= 1.1.23 - Unauthenticated SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8366 *** PDF-Reader Foxit Reader für Schadcode anfällig *** --------------------------------------------- Neue Versionen sichern Foxit PhantomPDF und Foxit Reader ab. Beide Anwendungen lassen sich aus der Ferne attackieren und Angreifer können eigenen Code auf Computer schleusen. --------------------------------------------- http://heise.de/-3084161 *** Carsharing-Anbieter: Phishing-Angriff auf Car2go-Nutzer *** --------------------------------------------- Wer von einem Onlinedienst zur 'Verifizierung' von Daten aufgerufen wird, sollte immer vorsichtig sein. Aktuell läuft eine Phishing-Kampagne gegen Nutzer des Carsharing-Angebots von Daimler. --------------------------------------------- http://www.golem.de/news/carsharing-anbieter-phishing-angriff-auf-car2go-nu… *** Sicherheitsupdate für OpenSSL steht an *** --------------------------------------------- Neue OpenSSL-Versionen sollen zwei Sicherheitslücken schließen. Den Schweregrad einer Schwachstelle stuft das OpenSSL-Team mit hoch ein. --------------------------------------------- http://heise.de/-3084227 *** WP Easy Gallery <= 4.1.4 - Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8367 *** Curve25519/Curve447: Neue elliptische Kurven von der IETF *** --------------------------------------------- Die Krypto-Arbeitsgruppe der IETF hat RFC 7748 veröffentlicht. Darin spezifiziert sind die zwei elliptischen Kurven Curve25519 und Curve447. Die Einigung ist das Ergebnis einer langen Diskussion. --------------------------------------------- http://www.golem.de/news/curve25519-curve447-neue-elliptische-kurven-von-de… *** Battling Business Email Compromise Fraud: How Do You Start? *** --------------------------------------------- In May 2014, an accountant to a Texas manufacturing firm received an email from a familiar correspondent, his company's CEO. The email instructed him to wait for a call from a partner company and warned against sharing the email to anyone .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/battling-busines… *** Oracle Pushes Java Fix: Patch It or Pitch It *** --------------------------------------------- Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if youre not sure why you have Java installed, its high time to remove the program once and for all. --------------------------------------------- http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pitch… *** Symantec detects 3,500 servers infected with a malicious script *** --------------------------------------------- Symantec reported the worldwide infection of 3,500 public servers with a malicious script that redirects its victims to other compromised websites and said it believes could be part of a recon effort for future attacks. --------------------------------------------- http://www.scmagazine.com/symantec-detects-3500-servers-infected-with-a-mal… *** Nach dem Hack: Vtech geht wieder ein bisschen online *** --------------------------------------------- Der Spielzeughersteller Vtech wurde Ende vergangenen Jahres wegen großer Sicherheitsmängel kritisiert und nahm daraufhin viele seiner Dienste vom Netz. Jetzt gehen einige Produkte wieder online - bei der Security will das Unternehmen dazugelernt haben. --------------------------------------------- http://www.golem.de/news/nach-dem-hack-vtech-geht-wieder-ein-bisschen-onlin…

1 0

Tageszusammenfassung - Montag 25-01-2016
by Daily end-of-shift report 25 Jan '16

25 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 22-01-2016 18:00 − Montag 25-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** ZDI-16-023: Oracle GoldenGate Veridata File Upload Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle GoldenGate. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-023/ *** Hospira Multiple Products Buffer Overflow Vulnerability *** --------------------------------------------- Jeremy Richards of SAINT Corporation has identified a buffer overflow vulnerability in Hospira's LifeCare PCA Infusion System. Hospira has determined that LifeCare PCA Infusion Systems released prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In response to Jeremy .. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-337-02 *** Security Advisory: Stored XSS in Magento *** --------------------------------------------- During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them to get it fixed. --------------------------------------------- https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html *** 'Deliberate' Backdoor Removed From Secure Conferencing Gear *** --------------------------------------------- AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a 'deliberate' backdoor in one of its central controller system products. --------------------------------------------- http://threatpost.com/deliberate-backdoor-removed-from-secure-conferencing-… *** Rsync Symlink Path Validation Flaw Lets Remote Users Write Files on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034786 *** JavaScript Backdoor *** --------------------------------------------- Casey Smith recently shared his research on twitter, which is to reverse HTTP Shell by using JavaScript. I found it rather interesting and further analyzed this technique. --------------------------------------------- http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html *** Snowden enttarnt falsche "Krypto-Mail" in IS-Video *** --------------------------------------------- Terrororganisation hatte in Botschaft mit weiteren Angriffen gedroht --------------------------------------------- http://derstandard.at/2000029688150 *** Fortinet: Mehr Hintertüren, mehr Patches *** --------------------------------------------- Erst in der vergangenen Woche war bekanntgeworden, dass einige Fortinet-Firewall-Produkte einen Zugang mit Standardpasswörtern ermöglichen. Jetzt hat das Unternehmen seine eigenen Produkte analysiert - und weitere verwundbare Geräte gefunden. --------------------------------------------- http://www.golem.de/news/fortinet-mehr-hintertueren-mehr-patches-1601-11872… *** CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/01/cve-2015-8651.html *** Multi-Faktor-Authentifizierung: Neue vPro-Generation bringt Intel Authenticate *** --------------------------------------------- Mit der sechsten Generation des Core i (Skylake) und dem Start der entsprechenden Geschäftskundenplattform will Intel nun verstärkt auch Sicherheitslösungen in vPro anbieten. Eine betriebssystemunabhängige Firmware und direktes Ansprechen der Grafikkarte sollen Keylogger chancenlos lassen. --------------------------------------------- http://www.golem.de/news/multi-faktor-authentifizierung-neue-vpro-generatio… *** RSA Conference disables Twitter password-collecting form *** --------------------------------------------- After a storm of criticism and shaming over the blurb-tweeting feature, the organizers said that they had used OAuth and hadnt collected passwords. --------------------------------------------- https://nakedsecurity.sophos.com/2016/01/25/rsa-conference-disables-twitter… *** Linux kernel : Denial of service with specially crafted key file. *** --------------------------------------------- An issue with ASN1.1 DER decoder was reported that a specially created key can lead to a kernel panic via x509 certificate DER signature parsing. --------------------------------------------- http://www.openwall.com/lists/oss-security/2016/01/25/2 *** Sicherheitspatches: Angreifer können Webseiten mit Magento-Shop kapern *** --------------------------------------------- Magento sichert sein Shop-System ab. Dabei schließt der Anbieter zwei als kritisch eingestufte Lücken, über die Angreifer Admin-Sessions übernehmen können. --------------------------------------------- http://heise.de/-3083645 *** Hard-Coded Password Found in Lenovo File-Sharing App *** --------------------------------------------- Lenovos SHAREit file-sharing app for Windows and Android has been patched against vulnerabilities that put private data at risk. --------------------------------------------- http://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-app/… *** Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme *** --------------------------------------------- Pranksters are passing a link to "crashsafari.com" around social media, which immediately crashes iPhones and iPads. --------------------------------------------- http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-cras…

1 0

Tageszusammenfassung - Freitag 22-01-2016
by Daily end-of-shift report 22 Jan '16

22 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 21-01-2016 18:00 − Freitag 22-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Scanning for Fortinet ssh backdoor, (Thu, Jan 21st) *** --------------------------------------------- On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below). Looking at our collected ssh data, weve seen an increase in scanning for those devices in the days since the revelation of the vulnerability. Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20635&rss *** Unknown attackers are infecting home routers via dating sites *** --------------------------------------------- Damballa researchers have spotted an active campaign aimed at infecting as many home routers possible with a worm. A variant of the TheMoon worm, it works by taking advantage of a weakness in the H... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3192 *** Security: Auch Kreditkarten mit Chip und PIN können kopiert werden *** --------------------------------------------- Bislang war bekannt, dass Kreditkarten mit Magnetstreifen mit trivialen Mitteln kopierbar sind. Aktuelle Recherchen zeigen, dass auch Karten mit dem besser gesicherten Chip-und-PIN-Verfahren kopiert werden können - weil einige Banken schlampen. --------------------------------------------- http://www.golem.de/news/security-auch-kreditkarten-mit-chip-und-pin-koenne… *** Fraunhofer ESK: Skype ist Sicherheitsrisiko für Firmen *** --------------------------------------------- Wissenschaftler des Fraunhofer-ESK-Instituts haben Microsofts Instant-Messaging-Dienst Skype untersucht und raten Firmen vom Einsatz ab. Vor allem wegen der Netzarchitektur und der Verschlüsselung haben sie Sicherheitsbedenken. --------------------------------------------- http://www.heise.de/newsticker/meldung/Fraunhofer-ESK-Skype-ist-Sicherheits… *** Extracting pcap from memory , (Fri, Jan 22nd) *** --------------------------------------------- I have talked many times about memory forensics and how useful its. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor. Of course when we are extracting a pcap file from a memory image we are going to not have everything but there will be some remanence that can help in our investigation bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20639&rss *** Trojan.DNSChanger circumvents Powershell restrictions *** --------------------------------------------- We take a close look at the functionality of a new variant of the DNS-changer adware family. Especially the use of encoded scripts as a way to bypass the Powershell execution protection.Categories: Security ThreatTags: adwarechangerdnsPieter Arntzpowershellrestrictedrestrictionstrojan(Read more...) --------------------------------------------- https://blog.malwarebytes.org/security-threat/2016/01/trojan-dnschanger-cir… *** Citrix XenServer Security Update for CVE-2016-1571 *** --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious administrator of a guest VM to crash the host in certain deployments. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1. --------------------------------------------- https://support.citrix.com/article/CTX205496 *** Multiple Buffalo network devices vulnerable to cross-site scripting *** --------------------------------------------- Multiple network devices provided by BUFFALO INC. contain a cross-site scripting vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN49225722/ *** Multiple Buffalo network devices vulnerable to cross-site request forgery *** --------------------------------------------- Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN09268287/ *** DSA-3451 fuse - security update *** --------------------------------------------- Jann Horn discovered a vulnerability in the fuse (Filesystem inUserspace) package in Debian. The fuse package ships an udev ruleadjusting permissions on the related /dev/cuse character device, makingit world writable. --------------------------------------------- https://www.debian.org/security/2016/dsa-3451 *** DFN-CERT-2016-0129: NTP: Eine Schwachstelle ermöglicht das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0129/ *** DFN-CERT-2016-0125: Red Hat JBoss Web Server: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0125/ *** USN-2879-1: rsync vulnerability *** --------------------------------------------- Ubuntu Security Notice USN-2879-121st January, 2016rsync vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryrsync could be made to write files outside of the expected directory.Software description rsync - fast, versatile, remote (and local) file-copying tool DetailsIt was discovered that rsync incorrectly handled invalid filenames. Amalicious server could use this issue to write files outside of... --------------------------------------------- http://www.ubuntu.com/usn/usn-2879-1/ *** CAREL PlantVisor Enhanced Authentication Bypass Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an authorization bypass vulnerability in CAREL's PlantVisor application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-021-01 *** Security Advisory: NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02360853.html?… *** Bugtraq: January 2016 - Bamboo - Critical Security Advisory *** --------------------------------------------- http://www.securityfocus.com/archive/1/537347

1 0

Tageszusammenfassung - Donnerstag 21-01-2016
by Daily end-of-shift report 21 Jan '16

21 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 20-01-2016 18:00 − Donnerstag 21-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Asacub Android Trojan: Financial fraud and information stealing *** --------------------------------------------- Asacub is a new malware that targets Android users for financial gain. When first identified, Asacub displayed all the signs of an information stealing malware; however, some versions of the Trojan ar... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3190 *** TeslaCrypt Decrypted: Flaw in TeslaCrypt allows Victims to Recover their Files *** --------------------------------------------- For a little over a month, researchers and previous victims have been quietly helping TeslaCrypt victims get their files back using a flaw in the TeslaCrypts encryption key storage algorithm. The information that the ransomware could be decrypted was being kept quiet so that that the malware developer would not learn about it and fix the flaw. Since the recently released TeslaCrypt 3.0 has fixed this flaw, we have decided to publish the information on how a victim could... --------------------------------------------- http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-… *** El Chapos Opsec *** --------------------------------------------- Ive already written about Sean Penns opsec while communicating with El Chapo. Heres the technique of mirroring, explained: El chapo then switched to a complex system of using BBM (Blackberrys Instant Messaging) and Proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days... --------------------------------------------- https://www.schneier.com/blog/archives/2016/01/el_chapos_opsec.html *** Cyber fraudsters steal over $50 million from airplane systems manufacturer *** --------------------------------------------- Austrian company FACC, which develops and produces components and systems made of composite materials for aircraft and aircraft engine manufacturers such as Boeing and Airbus, has been hit by hackers who managed to steal approximately 50 million euros (around $54,5 million). --------------------------------------------- http://www.net-security.org/secworld.php?id=19356 http://www.net-security.org/secworld.php?id=18808 (An emerging global threat: BEC scams hitting more and more businesses) *** Linux-Root-Exploit: Android-Bedrohung überschaubar *** --------------------------------------------- Ein Mitglied des Android-Sicherheitsteams geht davon aus, dass nur wenige Android-Versionen durch die lokale Rechtausweitungslücke im Linux-Kernel verwundbar sind. Ein Patch ist in Arbeit. --------------------------------------------- http://heise.de/-3080760 *** Captive-Portals: Das iPhone verrät Cookies *** --------------------------------------------- Die Nutzung von WLANs mit Captive-Portals kann für iPhone-Nutzer zur Sicherheitsgefahr werden. Einen entsprechenden Bug haben israelische Sicherheitsforscher gefunden. Apple hat die Sicherheitslücke mittlerweile behoben. --------------------------------------------- http://www.golem.de/news/captive-portals-das-iphone-verraet-cookies-1601-11… *** Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices *** --------------------------------------------- Your conference room, a watchful protector."AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management. --------------------------------------------- http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in… *** "Ermittlungen" *** --------------------------------------------- "Ermittlungen" | 21. Jänner 2016 | Wir (mit Hut GovCERT) sind mal wieder vor Ort im Einsatz und helfen einer Organisation bei der Ursachenforschung und bei der Wiederherstellung der Services nach einem Sicherheitsvorfall. So weit so gut, dafür sind wir da, das ist unsere Aufgabe. Die Strafverfolgung ist aber definitiv nicht unsere Aufgabe. Das ist ganz klar und da behauptet auch keiner was anderes. Problematisch wird es dann, wenn Begriffe verwendet werden, die im normalen... --------------------------------------------- http://www.cert.at/services/blog/20160121173915-1656.html *** OpenVAS Greenbone Security Assistant Cross Site Scripting *** --------------------------------------------- Topic: OpenVAS Greenbone Security Assistant Cross Site Scripting Risk: Low Text:Vulnerability information Date: 13th January 2016 Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8 Vendor:... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010133 *** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8021 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49580002.html?… *** Security Advisory: SNTP vulnerability CVE-2015-5219 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/60/sol60352002.html?… *** LiteSpeed Web Server Input Validation Flaw Lets Remote Users Inject HTTP Headers *** --------------------------------------------- http://www.securitytracker.com/id/1034746 *** DFN-CERT-2016-0118: Moodle: Zwei Schwachstellen ermöglichen u.a. einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0118/

1 0

Tageszusammenfassung - Mittwoch 20-01-2016
by Daily end-of-shift report 20 Jan '16

20 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 19-01-2016 18:00 − Mittwoch 20-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Survey shows many businesses aren't encrypting private employee data *** --------------------------------------------- Many companies arent encrypting their own employees private data, according to a Sophos survey of IT decision makers in six countries. --------------------------------------------- https://nakedsecurity.sophos.com/2016/01/19/survey-shows-many-businesses-ar… *** Android Malware Steals Voice-Based Two-Factor Authentication Codes (January 13 and 18, 2016) *** --------------------------------------------- Symantec has detected malware created for Android devices that steals single-use passcodes generated to add a layer of security to online banking authentication procedures... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/5/201 *** Dridex banking malware adds a new trick *** --------------------------------------------- Dridex, the banking malware that wont go away, has been improved upon once again.IBMs X-Force researchers have found that the latest version of Dridex uses a DNS (Domain Name System) trick to direct victims to fake banking websites.The technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site.DNS cache poisoning is a powerful attack. Even if a person types in the correct domain name for a bank, the fake... --------------------------------------------- http://www.cio.com/article/3024244/dridex-banking-malware-adds-a-new-trick.… *** /tmp, %TEMP%, ~/Desktop, T:\, ... A goldmine for pentesters!, (Wed, Jan 20th) *** --------------------------------------------- When you are performing a penetration test, you need to learn how your target is working: What kind of technologies and tools are used, how internal usernames are generated, email addresses format, ... Grabbing for such information is called the reconnaissance phase. Once you collected enough details, you can prepare your different scenarios to attack the target.All pentesters have their personal toolbox that has been enhanced day after day. In many cases, there is no real magic: to abuse or... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20631&rss *** Critical Patch Update: Oracle stellt 248 Sicherheitspatches bereit *** --------------------------------------------- Die bislang größte Sicherheitsptach-Sammlung von Oracle ist da und fixt Lücken in Database, Java, MySQL und Co. Dieses Mal steht Oracles E-Business Suite im Mittelpunkt. --------------------------------------------- http://heise.de/-3077692 *** Apple Releases Patches for iOS, OS X and Safari *** --------------------------------------------- Apple released security updates for iOS, OS X and Safari, patching a number of kernel-level code-execution vulnerabilities. --------------------------------------------- http://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/115946/ *** Trojan for Android preinstalled on Phillips s307 firmware *** --------------------------------------------- January 20, 2016 The past year was marked by a big number of firmware Trojans for Android capable to covertly download and install various software and display annoying advertisements. Android.Cooee.1 incorporated into the graphical shell of some cheap Chinese smartphones was one of them. Virus makers obviously continued to preinstall Android.Cooee.1 into mobile devices. This time, however, Doctor Web security researchers detected the Trojan on firmware of a well-known electronics manufacturer. --------------------------------------------- http://news.drweb.com/show/?i=9792&lng=en&c=9 *** Primes, parameters and moduli *** --------------------------------------------- First a brief history of Diffie-Hellman for those not familiar with it The short version of Diffie-Hellman is that two parties (Alice and Bob) want to share a secret so they can encrypt their communications and talk securely without an... --------------------------------------------- https://securityblog.redhat.com/2016/01/20/primes-parameters-and-moduli/ *** Serious flaw patched in Intel Driver Update Utility *** --------------------------------------------- A software utility that helps users download the latest drivers for their Intel hardware components contained a vulnerability that could have allowed man-in-the-middle attackers to execute malicious code on computers.The tool, known as the Intel Driver Update Utility, can be downloaded from Intels support website. It provides an easy way to find the latest drivers for various Intel chipsets, graphics cards, wireless cards, desktop boards, Intel NUC mini PCs or the Intel Compute Stick. --------------------------------------------- http://www.cio.com/article/3024345/serious-flaw-patched-in-intel-driver-upd… *** Cisco Guide to Harden Cisco IOS Devices *** --------------------------------------------- This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation. --------------------------------------------- http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html *** Security Advisory: BIND vulnerability CVE-2015-8704 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53445000.html?… *** Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle *** --------------------------------------------- Topic: Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle Risk: Medium Text:1. Advisory Information Title: Intel Driver Update Utility MiTM Advisory ID: CORE-2016-0001 Advisory URL: http://www.cores... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010119 *** Oracle Critical Patch Update Advisory - January 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html *** Oracle Linux Bulletin - January 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867… *** HPSBGN03534 rev.1 - HPE Performance Center using Microsoft Report Viewer, Remote Disclosure of Information, Cross-Site Scripting (XSS) *** --------------------------------------------- A vulnerability in Microsoft Report Viewer was addressed by HPE Performance Center. This is a Cross-Site scripting (XSS) vulnerability that could allow remote information disclosure. --------------------------------------------- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr… *** Xen Security Advisory CVE-2016-1571 / XSA-168 *** --------------------------------------------- VMX: intercept issue with INVLPG on non-canonical address --------------------------------------------- http://xenbits.xen.org/xsa/advisory-168.html *** Xen Security Advisory CVE-2016-1570 / XSA-167 *** --------------------------------------------- PV superpage functionality missing sanity checks --------------------------------------------- http://xenbits.xen.org/xsa/advisory-167.html *** Cisco Modular Encoding Platform D9036 Software Default Credentials Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DFN-CERT-2016-0109: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0109/ *** DFN-CERT-2016-0106: NTP: Mehrere Schwachstellen ermöglichen u.a. das Darstellen falscher Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0106/ *** APPLE-SA-2016-01-19-3 Safari 9.0.3 *** --------------------------------------------- APPLE-SA-2016-01-19-3 Safari 9.0.3Safari 9.0.3 is now available and addresses the following:WebKitAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,OS X El Capitan v10.11 to v10.11.2Impact: Visiting a maliciously crafted website may lead to arbitrarycode execution [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00004.ht… *** APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 2016-001 *** --------------------------------------------- APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update2016-001OS X El Capitan 10.11.3 and Security Update 2016-001 is now availableand addresses the following:AppleGraphicsPowerManagementAvailable for: OS X El Capitan v10.11 to v10.11. [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00003.ht… *** APPLE-SA-2016-01-19-1 iOS 9.2.1 *** --------------------------------------------- APPLE-SA-2016-01-19-1 iOS 9.2.1iOS 9.2.1 is now available and addresses the following:Disk ImagesAvailable for: iPhone 4s and later,iPod touch (5th generation) and later, iPad 2 and laterImpact: A local user may be able to execute arbitrary code withkernel privileges [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00002.ht… *** DSA-3449 bind9 - security update *** --------------------------------------------- It was discovered that specific APL RR data could trigger an INSISTfailure in apl_42.c and cause the BIND DNS server to exit, leading to adenial-of-service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3449 *** Siemens OZW672 and OZW772 XSS Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a cross-site scripting vulnerability in Siemens OZW672 and OZW772 devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-019-01 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model V840 (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005584 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model 840 (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005585 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000044 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM SAN Volume Controller and Storwize Family (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005583 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Express for UNIX (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974473 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Direct for UNIX (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974888 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM WebSphere MQ (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974466 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Scale is affected by a security vulnerability (CVE-2015-7488) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005580 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=swg21974459 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005579 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM API Management (CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21974673 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SD affect Guardium Data Reduction *** http://www.ibm.com/support/docview.wss?uid=swg21973724 --------------------------------------------- *** IBM Security Bulletin:Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) *** http://www.ibm.com/support/docview.wss?uid=swg21971951 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. *** http://www.ibm.com/support/docview.wss?uid=swg21972376 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 19-01-2016
by Daily end-of-shift report 19 Jan '16

19 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 18-01-2016 18:00 − Dienstag 19-01-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** FDA Issues Guidelines on Medical Device Cybersecurity *** --------------------------------------------- The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes medical device manufacturers address cybersecurity risks in their products. --------------------------------------------- http://threatpost.com/fda-issues-guidelines-on-medical-device-cybersecurity… *** Good practice guide on disclosing vulnerabilities *** --------------------------------------------- ENISA published a good practice guide on vulnerability disclosure, aiming to provide a picture of the challenges the security researchers, the vendors and other involved stakeholders are confronted wi... --------------------------------------------- http://www.net-security.org/secworld.php?id=19342 *** Microsoft asks: We've taken down botnets for you. How about a kill switch? *** --------------------------------------------- Its like pulling a smoking car off the road... Oh, hang on Last December, Microsoft intercepted traffic on users' PCs and helped break up a botnet. And nobody complained. So the company very tentatively asked at a session on ethics and policy in Brussels this week whether it should do more. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/19/microsoft_b… *** Security: XSS-Lücke in Yahoo-Mail gefixt *** --------------------------------------------- Eine XSS-Lücke in Yahoo-Mail ermöglichte es Angreifern, fremde Accounts zu übernehmen. Sie hätten alle E-Mails der Nutzer weiterleiten und ausgehende E-Mails mit Viren infizieren können, schreibt ein Sicherheitsforscher. Yahoo hat bereits reagiert. --------------------------------------------- http://www.golem.de/news/security-xss-luecke-in-yahoo-mail-gefixt-1601-1186… *** Angler Exploit Kit's January Vacation *** --------------------------------------------- Since last year, we've been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits. At the beginning of this year, we noticed a sudden significant drop in our... --------------------------------------------- https://labsblog.f-secure.com/2016/01/19/angler-exploit-kits-january-vacati… *** Root-Exploit: Android und Linux anfällig für Rechte-Trickserei *** --------------------------------------------- Der Schlüsselbund des Kernels stattet mit einem Trick seit 2012 jeden Nutzer mit Root-Rechten aus. Allerdings muss der Nutzer dafür bereits angemeldet sein. --------------------------------------------- http://heise.de/-3076663 *** MSN Home Page Drops More Malware Via Malvertising *** --------------------------------------------- Visitors to the MSN homepage may have been exposed to malvertising.Categories: MalvertisingTags: ad spiritappnexusmalvertisingmsn(Read more...) --------------------------------------------- https://blog.malwarebytes.org/malvertising-2/2016/01/msn-home-page-drops-mo… *** Cisco Web Security Appliance Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Moodle Bugs Let Remote Users Access Hidden Course and Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1034694

1 0

Tageszusammenfassung - Montag 18-01-2016
by Daily end-of-shift report 18 Jan '16

18 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 15-01-2016 18:00 − Montag 18-01-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Cisco FireSIGHT Management Center Stored Cross-Site Scripting Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities in the web framework of Cisco FireSIGHT Management Center could allow an unauthenticated, remote attacker to execute a stored cross-site scripting (XSS) attack against a user of the Cisco FireSIGHT Management Center web interface. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Easily Exploitable Vulnerability Could Cause Physical Damage to Industrial Motors *** --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/4/307 *** Cisco FireSIGHT Management Center DOM-Based Cross-Site Scripting Vulnerability *** --------------------------------------------- Cisco FireSIGHT Management Center (MC) contains a DOM-based cross-site scripting vulnerability (XSS) in the management page. An unauthenticated, remote attacker could persuade a user to perform a malicious action, allowing the attacker to perform a XSS attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletin: Vulnerabilities in GNU grep utility affect IBM Security Network Protection (CVE-2012-5667, and CVE-2015-1345) *** --------------------------------------------- The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. Security vulnerabilities have been discovered in grep utility used with IBM Security Network Protection. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21972209 *** IBM Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2017) *** --------------------------------------------- WebSphere Application Server Liberty Profile that is embedded in TADDM could allow a remote attacker to has access to the customer app or a form which sends the contents in a header will be able to split the response and add headers to the response. The customer application will allow cross-site scripting, web cache poisoning, and other similar exploits. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21974782 *** Cisco Adaptive Security Appliance Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional attacks. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** The SLOTH attack and IKE/IPsec *** --------------------------------------------- The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at . The SLOTH attack released today is a new transcript collision attack against .. --------------------------------------------- https://securityblog.redhat.com/2016/01/15/the-sloth-attack-and-ikeipsec/ *** Schwere Lücke bei Überwachungskameras von Hofer und Aldi *** --------------------------------------------- Sicherheitsexperten warnen vor Überwachungskameras der Marke Maginon. Diese erlauben den ungeschützten Zugriff auf Bild und Ton, aber auch WLAN- und E-Mail-Passwörter. --------------------------------------------- http://futurezone.at/produkte/schwere-luecke-bei-ueberwachungskameras-von-h… *** LostPass *** --------------------------------------------- I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass users email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. --------------------------------------------- https://www.seancassidy.me/lostpass.html *** Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 - and a new network attack *** --------------------------------------------- Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. --------------------------------------------- http://foxglovesecurity.com/2016/01/16/hot-potato/ *** HTTP Evasions Explained - Part 10 - Lazy Browsers *** --------------------------------------------- The previous parts of this series looked at firewalls and browsers as black boxes which just behave that way for unknown reason. For this part I took a closer look at the source code of Chromium and Firefox. This way Ive found even more ways to construct HTTP which is insanely broken but still gets accepted by the .. --------------------------------------------- http://noxxi.de/research/http-evader-explained-10-lazy-browsers.html *** nic.at bringt "Security-Lock" für Domains *** --------------------------------------------- Schutz soll verhindern, dass eine Domain irrtümlich unerreichbar oder manipuliert wird --------------------------------------------- http://derstandard.at/2000029286062

1 0

Tageszusammenfassung - Freitag 15-01-2016
by Daily end-of-shift report 15 Jan '16

15 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 14-01-2016 18:00 − Freitag 15-01-2016 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** NCCIC/ICS-CERT Monitor for November-December 2015 *** --------------------------------------------- The NCCIC/ICS-CERT Monitor for November-December 2015 is a summary of ICS-CERT activities for that period of time. --------------------------------------------- https://ics-cert.us-cert.gov/monitors/ICS-MM201512 Download: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT%20Monito… *** Oracle Critical Patch Update - January 2016 - Pre-Release Announcement *** --------------------------------------------- [...] This Critical Patch Update contains 248 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html *** Creator of MegalodonHTTP DDoS Botnet Arrested *** --------------------------------------------- Last month, the Norway police arrested five hackers accused of running the MegalodonHTTP Remote Access Trojan (RAT). The arrests came as part of the joint operation between Norway's Kripos National Criminal Investigation Service and Europol, codenamed "OP Falling sTAR." According to the United States security firm, all the five men, aged between 16 and 24 years and located in Romania,... --------------------------------------------- https://thehackernews.com/2016/01/MegalodonHTTP-DDoS-Botnet.html *** Kreditkartenhack bei VISA: Unter anderem A1-Kunden betroffen *** --------------------------------------------- Ein Drittanbieter in Island wurde angegriffen - rund 2.000 A1 Visa-Kunden erhalten neue Karte --------------------------------------------- http://derstandard.at/2000029114201 *** Updated BlackEnergy Trojan Grows More Powerful *** --------------------------------------------- In late December, a cyberattack caused a power outage in the Ukraine, plunging hundreds of thousands of citizens into darkness for hours. Threat researchers soon confirmed that the BlackEnergy malware package, first developed in 2007, was the culprit. They also discovered that the malware has been significantly upgraded since its first release. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-… *** Wieder sicher: Authentifizierungsprotokoll OAuth *** --------------------------------------------- Angreifer sollen abermals Log-in-Daten von Nutzern abgreifen können, wenn diese sich mittels OAuth bei Online-Services anmelden. Die Schwachstellen wurden bereits geschlossen. Sicherheitsforscher attestieren dem Protokoll insgesamt eine hohe Sicherheit. --------------------------------------------- http://heise.de/-3071639 *** Spamming Someone from PayPal *** --------------------------------------------- Troy Hunt has identified a new spam vector. PayPal allows someone to send someone else a $0 invoice. The spam is in the notes field. But its a legitimate e-mail from PayPal, so it evades many of the traditional spam filters. Presumably it doesnt cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole... --------------------------------------------- https://www.schneier.com/blog/archives/2016/01/spamming_someon.html *** OS Xs Gatekeeper bypassed again *** --------------------------------------------- Do you remember when, last October, Synack director of research Patrick Wardle found a simple way to evade OS Xs Gatekeeper defense mechanism by bundling up a legitimate Apple-signed app with a malic... --------------------------------------------- http://www.net-security.org/secworld.php?id=19336 *** Advantech WebAccess Vulnerabilities *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01 *** Manage Engine Applications Manager 12 Multiple Vulnerabilities *** --------------------------------------------- Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5292.php

1 0

Tageszusammenfassung - Donnerstag 14-01-2016
by Daily end-of-shift report 14 Jan '16

14 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 13-01-2016 18:00 − Donnerstag 14-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign *** --------------------------------------------- Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized - thus making for a much more dangerous threat - but that it is also being used as part of an ongoing and evolving campaign. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/01/slembunk-part-two.html *** Faulty ransomware renders files unrecoverable, even by the attacker *** --------------------------------------------- A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims files being completely unrecoverable.Researchers from antivirus vendor Trend Micro recently .. --------------------------------------------- http://www.cio.com/article/3022159/faulty-ransomware-renders-files-unrecove… *** As easy as Citrix123 - hacker claims he popped Citrixs CMS *** --------------------------------------------- And once he was in, it became possible to pour malware onto all customers, allegedly A Russian hacker claims he broke into systems run by Citrix, and gained access to potentially a huge number of customers. --------------------------------------------- www.theregister.co.uk/2016/01/13/ruskie_hacker_pops_citrix/ *** Ex-NSA-Chef: Hintertüren für Verschlüsselung sind eine furchtbare Idee *** --------------------------------------------- Michael Hayden widerspricht den Forderungen von FBI-Boss James Comey --------------------------------------------- http://derstandard.at/2000029033330 *** RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002 *** --------------------------------------------- The Redhen set of modules allows you to build a CRM features in a Drupal site.When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, .. --------------------------------------------- https://www.drupal.org/node/2649800 *** Cisco kämpft mit statischem Passwort und fixt kritische Lücken *** --------------------------------------------- In Ciscos Identity Services Engine klafft eine als kritisch und eine als hoch eingestufte Schwachstelle. Neben der Wireless-LAN-Controller-Software sind auch noch Aironet-Basisstationen der 1800-Serie verwundbar. Sicherheitsupdates stehen bereit. --------------------------------------------- http://heise.de/-3070756 *** Angriff der Cyber-Eichhörnchen *** --------------------------------------------- Eichhörnchen sind eine größere Gefahr für Internet- und Stromleitungen als Hacker. Das zeigt die Webseite CyberSquirrel1 auf augenzwinkernde Art und Weise. --------------------------------------------- http://www.golem.de/news/internet-und-stromausfaelle-angriff-der-cyber-eich… *** OpenSSL version 1.1.0 pre release 2 published *** --------------------------------------------- OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now been made available. For details of changes and known issues see the release .. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2016-January/000057.html *** Triple-Seven: OpenSSH-Schwachstelle leakt geheime Schlüssel *** --------------------------------------------- Eine unfertige Option, die bei OpenSSH seit 2010 standardmäßig aktiviert ist, führt dazu, dass gekaperte Server die geheimen Schlüssel der sich verbindenden Nutzer auslesen können. Updates, welche die Lücke schließen, stehen bereit. --------------------------------------------- http://heise.de/-3071372 *** Ransomware a Threat to Cloud Services, Too *** --------------------------------------------- Ransomware -- malicious software that encrypts the victims files and holds them hostage unless and until the victim pays a ransom in Bitcoin -- has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services. --------------------------------------------- http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-to…

1 0

Tageszusammenfassung - Mittwoch 13-01-2016
by Daily end-of-shift report 13 Jan '16

13 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 12-01-2016 18:00 − Mittwoch 13-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Bulletins Posted for Adobe Acrobat and Reader *** --------------------------------------------- Security Bulletins for Adobe Acrobat and Reader (APSB16-02) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This posting .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1311 *** There Goes The Neighborhood - Bad Actors on GMHOST Alexander Mulgin Serginovic *** --------------------------------------------- Whether they encourage it or not, some network operators become known and favored by criminals such as those that operate exploit kit (EK) and malware infrastructure. After .. --------------------------------------------- http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.h… *** MS16-JAN - Microsoft Security Bulletin Summary for January 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-JAN *** Raising the Dead *** --------------------------------------------- It's a bit late for Halloween but the ability to resurrect the dead (processes that is) is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about this issue which I reported to Microsoft and was fixed in bulletin .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/01/raising-dead.html *** FortiOS SSH Undocumented Interactive Login Vulnerability *** --------------------------------------------- http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-log… *** Ransomware Strikes Websites *** --------------------------------------------- Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine - pictures, videos, text files - you .. --------------------------------------------- https://blog.sucuri.net/2016/01/ransomware-strikes-websites.html *** Triaging the exploitability of IE/EDGE crashes *** --------------------------------------------- Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities not-exploitable, but also dramatically raised the cost .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitabili… *** Die smarte Türklingel verrät das WLAN-Passwort *** --------------------------------------------- Eine Gegensprechanlage, die mit dem Smartphone zusammenarbeitet. Klingt eigentlich praktisch, doch leider weist das Gerät Sicherheitsmängel auf, wie Hacker jetzt herausfanden. --------------------------------------------- http://www.golem.de/news/internet-of-things-die-smarte-tuerklingel-verraet-… *** Backdoor bei Fortinet vermutet: Firma spricht von Lücke *** --------------------------------------------- Alternative Login-Methode in Software entdeckt – Patch bereits 2014 veröffentlicht --------------------------------------------- http://derstandard.at/2000028972976 *** A Case of Too Much Information: Ransomware Code Shared Publicly for 'Educational Purposes', Used Maliciously Anyway *** --------------------------------------------- Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/a-case-of-too-mu… *** Security: Verizon routet 4 Millionen Spammer-IPs *** --------------------------------------------- IPv4-Adressen sind ein knappes Gut. Doch der US-Anbieter Verizon reagiere trotzdem nicht auf Missbrauchsmitteilungen, kritisiert eine Sicherheitsfirma. --------------------------------------------- http://www.golem.de/news/security-verizon-routet-4-millionen-spammer-ips-16… *** [HTB23279]: Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website. --------------------------------------------- https://www.htbridge.com/advisory/HTB23279 *** [HTB23283]: Remote Code Execution in Roundcube *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the vulnerable server. --------------------------------------------- https://www.htbridge.com/advisory/HTB23283 *** Hacking Team's Leak Helped Researchers Hunt Down a Zero-Day *** --------------------------------------------- Researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it. --------------------------------------------- http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-… *** Denial-of-Service Flaw Patched in DHCP *** --------------------------------------------- The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP. --------------------------------------------- http://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/ *** The SLOTH attack and IKE/IPsec *** --------------------------------------------- Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at . The SLOTH attack released today is a new transcript collision attack against .. --------------------------------------------- https://securityblog.redhat.com/2016/01/13/the-sloth-attack-and-ikeipsec/

1 0

Tageszusammenfassung - Dienstag 12-01-2016
by Daily end-of-shift report 12 Jan '16

12 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 11-01-2016 18:00 − Dienstag 12-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised *** --------------------------------------------- Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-conti… *** Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015 *** --------------------------------------------- Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apples Mac OS X, with 384 vulnerabilities. The runner-up? Apples iOS, with 375 vulnerabilities. Rounding out the top five are Adobes Flash Player, with 314 vulnerabilities; Adobes AIR .. --------------------------------------------- https://www.schneier.com/blog/archives/2016/01/mac_os_x_ios_an.html *** DSA-3440 sudo - security update *** --------------------------------------------- When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actuallyedit (read and write) arbitrary files. Daniel Svartman reported that aconfiguration like this might .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3440 *** Ransom32 - look at the malicious package *** --------------------------------------------- Ransom32 is a new ransomware implemented in a very atypical style. In our post, we will focus on some implementation details of the malicious package. --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/01/ransom32-look-at-the-mal… *** Say 'Cyber' again - Ars cringes through CSI: Cyber *** --------------------------------------------- CBS endangered cyber-procedural: Plane hacking! Software defined radio! White noise! OMG! --------------------------------------------- http://arstechnica.com/the-multiverse/2016/01/say-cyber-again-ars-cringes-t… *** McAfee Application Control - The dinosaurs want their vuln back *** --------------------------------------------- The experts of the SEC Consult Vulnerability Lab conducted research in the field of the security of application whitelisting in critical infrastructures. In the course of that research the security of McAfee Application Control was checked.The experts developed several methods to bypass the provided protections .. --------------------------------------------- http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.ht… *** (ISC)2 SecureAustria *** --------------------------------------------- How can we know what we are protecting if we struggle to understand and keep up with how we and our organizations are changing? It�s time to get a grip on the far-reaching and fundamental changes that are occurring in business today. --------------------------------------------- https://www.sba-research.org/events/isc2-secureaustria/ *** Sicherheit: Aus für alte IE-Versionen trifft jeden fünften Webnutzer *** --------------------------------------------- Über die Jahre hat Microsoft eine Fülle unterschiedlicher Versionen des Internet Explorers veröffentlicht. Nun entledigt man sich der Support-Pflichten für einen großen Teil derselben: Ab sofort liefert Microsoft keinerlei Updates mehr für Internet Explorer 8 bis 10. --------------------------------------------- http://derstandard.at/2000028882047 *** Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys *** --------------------------------------------- Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones�custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups. --------------------------------------------- https://motherboard.vice.com/read/cops-say-they-can-access-encrypted-emails… *** Ongoing Sophisticated Malware Campaign Compromising ICS (Update C) *** --------------------------------------------- This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01B Ongoing Sophisticated Malware Campaign Compromising ICS that was published December 10, 2014, on the ICS-CERT web site. | ICS-CERT has identified a sophisticated malware campaign that has compromised numerous .. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B *** Experts warn Neutrino and RIG exploit kit activity spike *** --------------------------------------------- Security experts at Heimdal Security are warning a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit. Cyber criminals always exploit new opportunities and users' bad habits, now crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks .. --------------------------------------------- http://securityaffairs.co/wordpress/43482/cyber-crime/neutrino-rig-exploit-… *** Group using DDoS attacks to extort business gets hit by European law enforcement *** --------------------------------------------- On 15 and 16 December, law enforcement agencies from Austria, Bosnia and Herzegovina, Germany and the United Kingdom joined forces with Europol in the framework of an operation against the ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19314 *** Schwere Sicherheitslücken im Passwort-Manager von Trend Micro *** --------------------------------------------- Google-Forscher Tavis Ormandy deckt wieder einmal Schwachstellen in Anti-Viren-Software auf. Bei Trend Micro stellt er konsterniert fest: "Das Lächerlichste, was ich je gesehen habe." --------------------------------------------- http://heise.de/-3069140 *** UPC: Standard-WLAN-Passwörter kinderleicht zu knacken *** --------------------------------------------- Neuer Hack erlaubt Berechnung basierend auf der ESSID – UPC prüft Klage gegen Sicherheitsforscher. --------------------------------------------- http://derstandard.at/2000028921659 *** An Easy Way for Hackers to Remotely Burn Industrial Motors *** --------------------------------------------- Devices that control the speed of industrial motors operating water plant pumps and other equipment can be remotely hacked and destroyed. --------------------------------------------- http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-indus…

1 0

Tageszusammenfassung - Montag 11-01-2016
by Daily end-of-shift report 11 Jan '16

11 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 08-01-2016 18:00 − Montag 11-01-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** GM Asks Friendly Hackers to Report Its Cars' Security Flaws *** --------------------------------------------- The auto giant becomes the first in Detroit to extend an olive branch to car hackers. --------------------------------------------- http://www.wired.com/2016/01/gm-asks-friendly-hackers-to-report-its-cars-se… *** STIX - Looking at a Campaign, Part 1 *** --------------------------------------------- Now we come to a useful application of STIX: characterizing a campaign. --------------------------------------------- http://www.scmagazine.com/stix--looking-at-a-campaign-part-1/article/464093/ *** ZDI-16-007: McAfee Application Control Kernel Driver Memory Corruption Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of McAfee Application Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-007/ *** Advancing the Security of Juniper Products *** --------------------------------------------- BOB WORRALL, SVP CHIEF INFORMATION OFFICER makes provides more detail on the ScreenOS investigation and security steps being taken with Junos and across Juniper. --------------------------------------------- http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Secur… *** Virtual Bitlocker Containers, (Sat, Jan 9th) *** --------------------------------------------- This week, I gotan interestingquestion from a customer: What do you recommend to safely store files in a directoryon my laptop?. They are plenty of ways to achievethis, the right choice depending on the encryption reliability, the ease of use and .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20593 *** MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack *** --------------------------------------------- This is a short post for supporting the takedown purpose. Warning: Sorry, theres nothing fancy nor "in-depth analysis" in here :-) The scheme is so bad, so I think its best for all to know for mitigation and hardening purpose. In this case, a bad actor was .. --------------------------------------------- http://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.ht… *** Studie: Mittelstand unterschätzt Gefahr durch Cyber-Kriminalität *** --------------------------------------------- Die Schäden steigen, das Bewusstsein für IT-Sicherheit nicht: Laut einer Studie schützen sich Mittelständler nur unzureichend gegen IT-Angriffe. Dabei zwingt sie der Gesetzgeber längst zum Handeln. --------------------------------------------- http://heise.de/-3067640 *** Jänner-Update: Google schließt kritische Lücken in Android *** --------------------------------------------- Google scheint seinen Sicherheits-Update-Rhythmus gefunden zu haben – zumindest wenn es um die eigenen Geräte geht. Aktuell liefert Google das Jänner-Update für Android an die Smartphones und Tablets der Nexus-Linie aus. --------------------------------------------- http://derstandard.at/2000028786638 *** NSA-Spionagevorwürfe: Juniper verspricht weitere Updates *** --------------------------------------------- Vom US-Geheimdienst eingebrachter Zufallszahlengenerator wird aus Netzwerk-Betriebssystem entfernt --------------------------------------------- http://derstandard.at/2000028789875 *** A Look Inside Cybercriminal Call Centers *** --------------------------------------------- Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they dont speak fluently. Enter the .. --------------------------------------------- http://krebsonsecurity.com/2016/01/a-look-inside-cybercriminal-call-centers/ *** Android: Schadsoftware aus Play Store hunderttausendfach installiert *** --------------------------------------------- Geht es um Android-Malware fällt der Ratschlag für die Nutzer meist recht simpel aus: Wer auf die Installation von Apps aus unsicheren Quellen verzichtet, ist üblicherweise auch nicht gefährdet. Doch in einem aktuellen Fall ist es Angreifern nun gelungen, die Sicherheitschecks des Play Store auszutricksen. --------------------------------------------- http://derstandard.at/2000028774967 *** Hackerangriff auf Rechenzentrumsbetreiber Interxion *** --------------------------------------------- Im Dezember kam es zu einem Einbruch auf das eigene CRM-System --------------------------------------------- http://derstandard.at/2000028816801 *** Klickbetrug: Unter dem Deckmantel der Cookie-Warnung *** --------------------------------------------- Online-Gauner verstecken sich im wahrsten Sinne des Wortes hinter Cookie-Warnungen und sammeln so Klicks auf Werbeanzeigen ein. --------------------------------------------- http://heise.de/-3067995 *** OAuth2 & OpenID - HTTPS Bicycle Attack *** --------------------------------------------- The OAuth 2.0 protocol allows users to grant relying parties access to resources at identity providers. In addition to being used for this kind of authorization, OAuth is also often employed for authentication in single sign-on (SSO) systems. OAuth 2.0 is, in fact, one of the most widely used .. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010064 *** PHP-Updates über alle Versionen beheben einige Sicherheitsprobleme *** --------------------------------------------- Die Macher der Skriptsprache empfehlen den Nutzern von PHP 7.0, 5.5 und 5.6 die Installation der aktuellen Security-Releases. Gleichzeitig gibt ein Blick auf GitHub und das PHP-Wiki eine Vorschau auf kommende Funktionen in PHP 7.1. --------------------------------------------- http://heise.de/-3068170 *** DSA-3438 xscreensaver - security update *** --------------------------------------------- It was discovered that unplugging one of the monitors in a multi-monitorsetup can cause xscreensaver to crash. Someone with physical access toa machine could use this problem to bypass a locked session. --------------------------------------------- https://www.debian.org/security/2016/dsa-3438 *** Unverschlüsselte CMS-Updates: Drupal gelobt Besserung *** --------------------------------------------- Das Update-Verfahren des beliebten Content Management Systems Drupal liefert Aktualisierungen unverschlüsselt aus. Ein Problem, das seit Jahren bekannt ist und von Angreifern missbraucht werden kann, um Seiten zu kapern. --------------------------------------------- http://heise.de/-3068105 *** About CVE-2015-8518: SAP Adaptive Server Enterprise Extended Stored Procedure Unauthorized Invocation *** --------------------------------------------- SAP released an update for SAP ASE 16.0 and 15.7 that addresses a serious security flaw discovered by Martin Rakhmanov, lead security researcher at Trustwave, that has been around for a long time. Suppose there is a user joe in... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/About-CVE-2015-8518--SAP-Ada… *** How Nvidia breaks Chrome Incognito *** --------------------------------------------- When I launched Diablo III, I didn't expect the pornography I had been looking at hours previously to be splashed on the screen. But that's exactly what replaced the black loading screen. Like a scene from hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen. The game unfroze just before clearing the screen, and I was able to grab a screenshot (censored with bright red): --------------------------------------------- https://charliehorse55.wordpress.com/2016/01/09/how-nvidia-breaks-chrome-in…

1 0

Tageszusammenfassung - Freitag 8-01-2016
by Daily end-of-shift report 08 Jan '16

08 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 07-01-2016 18:00 − Freitag 08-01-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-02) *** --------------------------------------------- A prenotification Security Advisory (APSB16-02) has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, January 12, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1308 *** Android-powered smart TVs targeted by malicious apps *** --------------------------------------------- Smart TVs running older versions of Android are being targeted by several websites offering apps containing malware, according to Trend Micro.The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps.The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches."Most smart TVs today use older versions of Android, which still contain this... --------------------------------------------- http://www.cio.com/article/3020357/android-powered-smart-tvs-targeted-by-ma… *** Good news, OAuth is almost secure *** --------------------------------------------- Boffins turn up a couple of protocol vulns in Facebooks login stanard German boffins believe there are protocol flaws in Facebooks ubiquitous OAuth protocol that render it vulnerable to attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/good_news_o… *** Anschlussmissbrauch durch schwerwiegende Lücke bei o2 *** --------------------------------------------- Seit über einem Jahr versucht o2 eine Schwachstelle im DSL-Netz zu schließen, durch die man fremde VoIP-Anschlüsse kapern kann. Bisher ist das nur zum Teil gelungen. --------------------------------------------- http://heise.de/-3066225 *** Checkpoint chaps hack whacks air-gaps flat *** --------------------------------------------- Bought a shiny IP KVM? Uh-oh 32c3 Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/checkpoint_… *** Streaming-Dongle EZCast öffnet Hintertür ins Heimnetzwerk *** --------------------------------------------- Sicherheitsforscher haben Schwachstellen im HDMI-Dongle EZCast entdeckt. Über die können sich Angreifer Zugang zum Heimnetzwerk des Anwenders verschaffen - unabhängig davon, wie gut das Netz sonst geschützt ist. --------------------------------------------- http://heise.de/-3066210 *** Sicherheitspatches: VMware unterbindet Rechteausweitung *** --------------------------------------------- VMware dichtet seine Anwendungen ESXi, Fusion, Player und Workstation ab. Die abgesicherten Versionen stehen für Linux, OS X und Windows bereit. Von der Lücke scheint aber nur Windows bedroht zu sein. --------------------------------------------- http://www.heise.de/newsticker/meldung/Sicherheitspatches-VMware-unterbinde… *** Blocking Shodan isnt some sort of magical fix that will protect your data *** --------------------------------------------- Earlier this week, a threat alert from Check Point singled out Shodan as a risk to enterprise operations. The advisory warns Check Point customers about the service, highlighting some of the instances where sensitive data was exposed to the public because Shodan indexed it. When asked about the advisory [archive], Ron Davidson, Head of Threat Intelligence and Research at Check Point, said the company was seeing an increase in the variety and frequency of suspect scans, "including scanners... --------------------------------------------- http://www.csoonline.com/article/3020108/techology-business/blocking-shodan… *** Apple beseitigt gravierende QuickTime-Sicherheitslücken für Windows *** --------------------------------------------- Angreifer können mit Hilfe einer manipulierten Videodatei Schadcode einschleusen, erklärt Apple. Das Update beseitigt die Schwachstellen in Windows 7 und Vista. --------------------------------------------- http://heise.de/-3067145 *** Cracking Damn Insecure and Vulnerable App (DIVA) - Part 2: *** --------------------------------------------- In the previous article, we have seen the solutions for the first two challenges. In this article we will discuss the insecure data storage vulnerabilities in DIVA. --------------------------------------------- http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… *** rt-sa-2015-005 *** --------------------------------------------- o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2015-005.txt *** VMSA-2016-0001 *** --------------------------------------------- VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0001.html *** PHP Bugs May Let Remote Users Obtain Potentially Sensitive Information, Gain Elevated Privileges, or Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1034608 *** APPLE-SA-2016-01-07-1 QuickTime 7.7.9 *** --------------------------------------------- APPLE-SA-2016-01-07-1 QuickTime 7.7.9[Re-sending with a valid signature]QuickTime 7.7.9 is now available and addresses the following:QuickTimeAvailable for: Windows 7 and Windows VistaImpact: Viewing a maliciously crafted movie file may lead to an [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00001.ht… *** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services, OpenSSL, GnuTLS: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/ *** USN-2865-1: GnuTLS vulnerability *** --------------------------------------------- Ubuntu Security Notice USN-2865-18th January, 2016gnutls26, gnutls28 vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryGnuTLS could be made to expose sensitive information over the network.Software description gnutls26 - GNU TLS library gnutls28 - GNU TLS library DetailsKarthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectlyallowed MD5 to be used for TLS 1.2 connections. If a remote... --------------------------------------------- http://www.ubuntu.com/usn/usn-2865-1/ *** Bugtraq: [security bulletin] HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537254 *** Security Advisory: Privilege escalation vulnerability CVE-2015-7393 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/75/sol75136237.html?… *** Security Advisory: BIG-IP AOM password sync vulnerability CVE-2015-8611 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05272632.html?… *** Security Advisory: F5 Path MTU Discovery vulnerability CVE-2015-7759 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/22/sol22843911.html?…

1 0

Tageszusammenfassung - Donnerstag 7-01-2016
by Daily end-of-shift report 07 Jan '16

07 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 05-01-2016 18:00 − Donnerstag 07-01-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Ab Dienstag: Aus für Internet Explorer 8, 9 und 10 *** --------------------------------------------- Microsoft stellt ab dem 12. Jänner den Support für die veralteten Internet-Explorer-Versionen 8,9 und 10 ein. Diese erhalten künftig keine Updates mehr. --------------------------------------------- http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-un… https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support *** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) *** --------------------------------------------- We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20577&rss *** How long is your password? HTTPS Bicycle attack reveals that and more *** --------------------------------------------- Get your 2FA on, slackers A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicyc… *** Mozilla warns Firefox fans its SHA-1 ban could bork their security *** --------------------------------------------- Protection mechanism screws other protection mechanisms. What a tangled web we weave Mozilla has warned Firefox users they may be cut off from more of the web than expected - now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_war… https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-… *** MD5/SHA1: Sloth-Angriffe nutzen alte Hash-Algorithmen aus *** --------------------------------------------- Neue Angriffe gegen TLS: Krypto-Forscher präsentieren mit Sloth mehrere Schwächen in TLS-Implementierungen und im Protokoll selbst. Am kritischsten ist ein Angriff auf Client-Authentifizierungen mit RSA und MD5. --------------------------------------------- http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithm… *** Encrypted Blackphone Patches Serious Modem Flaw *** --------------------------------------------- msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the devices modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-black… *** OS-X-Security-and-Privacy-Guide *** --------------------------------------------- This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac. --------------------------------------------- https://github.com/drduh/OS-X-Security-and-Privacy-Guide *** Drupal - Insecure Update Process *** --------------------------------------------- Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning. --------------------------------------------- http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html *** Jetzt Update installieren: WordPress behebt XSS-Lücke *** --------------------------------------------- Über eine Cross-Site-Scripting-Schwachstelle können Angreifer WordPress-Installationen kompromittieren. Betroffen sind alle Versionen bis einschließlich WordPress 4.4. --------------------------------------------- http://heise.de/-3065193 https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance… *** AVM-Router: Fritzbox-Lücke erlaubt Telefonate auf fremde Kosten *** --------------------------------------------- Durch eine kritische Lücke in den Fritzboxen können Angreifer etwa Telefonate auf fremde Rechnung führen und Code als Root ausführen. Die Lücke hat AVM bereits geschlossen, die Details wurden jedoch bis heute unter Verschluss gehalten. --------------------------------------------- http://heise.de/-3065588 *** A new, open source tool proves: Even after patching, deserializing will still kill you *** --------------------------------------------- Whats the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place. Because that method is never involved in deserializing Strings, anyone can use this to attack an application thats "fully patched" against the recent spate of attacks. --------------------------------------------- https://www.contrastsecurity.com/security-influencers/java-deserializing-op… *** rt-sa-2015-001 *** --------------------------------------------- AVM FRITZ!Box: Remote Code Execution via Buffer Overflow --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt *** rt-sa-2014-014 *** --------------------------------------------- AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt *** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) *** --------------------------------------------- [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) --------------------------------------------- http://www.securityfocus.com/archive/1/537244 *** DFN-CERT-2016-0023: Node.js-WS: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/ *** DFN-CERT-2016-0028: Shotwell: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/ *** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- Version 3 (2016-01-05 17:52) | Debian stellt für die Distributionen Wheezy (old stable), Jessie (stable) und Stretch (testing) Sicherheitsupdates auf die Icedove Version 38.5.0 bereit. Die Schwachstellen CVE-2015-7210 und CVE-2015-7222 werden von diesen nicht adressiert. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/ *** Security Advisory: QEMU vulnerability CVE-2012-3515 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?… *** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?… *** DSA-3435 git - security update *** --------------------------------------------- Blake Burkhart discovered that the Git git-remote-ext helper incorrectlyhandled recursive clones of git repositories. A remote attacker couldpossibly use this issue to execute arbitary code by injecting commandsvia crafted URLs. --------------------------------------------- https://www.debian.org/security/2016/dsa-3435 *** Advantech EKI Vulnerabilities (Update B) *** --------------------------------------------- This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01 *** D-Link DCS-931L Arbitrary File Upload *** --------------------------------------------- Topic: D-Link DCS-931L Arbitrary File Upload Risk: High Text:## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-f... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016010028

1 0

Tageszusammenfassung - Dienstag 5-01-2016
by Daily end-of-shift report 05 Jan '16

05 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 04-01-2016 18:00 − Dienstag 05-01-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** ProxieBack sneakily uses the victims server to bypass its own security *** --------------------------------------------- Palo Alto Networks has come across a new family of proxy-creating malware, called ProxyBack, that the company believes has been in the wild since 2014 and may have more than 20 versions now running. --------------------------------------------- http://www.scmagazine.com/proxieback-sneakily-uses-the-victims-server-to-by… *** Hocus-pocus! The stupidity of cybersecurity predictions *** --------------------------------------------- Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.That doesn't stop people from making predictions, though. Vendors and supposed experts can't seem to control the urge, but... --------------------------------------------- http://www.cio.com/article/3019071/security/hocus-pocus-the-stupidity-of-cy… *** Matthew Garrett: Apple-Rechner eignen sich nicht für vertrauliche Arbeiten *** --------------------------------------------- Zwar kann mit UEFI Secure Boot und TPMs der Startprozess von Windows- und Linux-Rechnern einigermaßen abgesichert werden - dies ließe sich aber verbessern, sagt Security-Experte Matthew Garrett. Katastrophal sei die Lage dagegen bei Apple. --------------------------------------------- http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fu… *** Comcast Home Security System Vulnerable to Attack *** --------------------------------------------- Comcast's Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions. --------------------------------------------- http://threatpost.com/comcast-home-security-system-vulnerable-to-attack/115… *** Using IDAPython to Make Your Life Easier: Part 3 *** --------------------------------------------- In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let's look at conditional breakpoints. While debugging in... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/01/using-idapython-to-make-… *** HTML5 Security Cheat Sheet *** --------------------------------------------- This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion. Contents include:Communication APIsStorage APIsGeolocationWeb WorkersSandboxed FramesOffline ApplicationsAnd... --------------------------------------------- http://www.net-security.org/secworld.php?id=19279 *** Nexus Security Bulletin - January 2016 *** --------------------------------------------- We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. [...] The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. --------------------------------------------- https://source.android.com/security/bulletin/2016-01-01.html *** DSA-3432 icedove - security update *** --------------------------------------------- Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,integer overflows, buffer overflows and other implementation errors maylead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3432 *** Puppet Enterprise Configuration Error Lets Remote Non-Whitelisted Users Access the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034550 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Jabber STARTTLS Downgrade Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS XR Software OSPF Link State Advertisement PCE Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Infrastructure Frame Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager SQL Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulleins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21973108 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972649 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affects IBM InfoSphere Master Data Management ( CVE-2015-5654) *** http://www.ibm.com/support/docview.wss?uid=swg21972787 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions(CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21973241 --------------------------------------------- *** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2015-7456) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005574 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972369 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business *** http://www.ibm.com/support/docview.wss?uid=swg21973135 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21972446 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21973785 --------------------------------------------- *** IBM Security Bulletin: IBM Tealeaf Customer Experience allows unauthorized access to system files (CVE-2015-4988) *** http://www.ibm.com/support/docview.wss?uid=swg21968868 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21972455 --------------------------------------------- *** IBM Security Bulletin:Vulnerability in OpenSSL affects IBM PureApplication System. (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21974116 --------------------------------------------- *** IBM Security Bulletin: IBM Tealeaf Customer Experience PCA Web UI PHP security issues *** http://www.ibm.com/support/docview.wss?uid=swg21972384 --------------------------------------------- Next End-of-Shift report on 2016-01-07

1 0

Tageszusammenfassung - Montag 4-01-2016
by Daily end-of-shift report 04 Jan '16

04 Jan '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 31-12-2015 18:00 − Montag 04-01-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Identische SSH-Schlüssel auf Hetzner-Servern *** --------------------------------------------- Aufgrund identischer SSH-Schlüssel können Angreifer verschlüsselte Verbindungen von Servern von Hetzner belauschen. --------------------------------------------- http://heise.de/-3057777 *** Difficult to block JavaScript-based ransomware can hit all operating systems *** --------------------------------------------- A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3184 http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-r… *** Apple had more CVEs than any single MS product in 2015, but it doesnt really matter *** --------------------------------------------- Meaningless league table sparks silly schadenfreude A count of the number of CVEs issues on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_m… *** Cisco Jabbers in the clear due to STARTTLS bug *** --------------------------------------------- Sysadmins get a belated Christmas present Twas the night before Christmas, when sysadmins probably werent watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbe… *** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal *** --------------------------------------------- A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server.The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,... --------------------------------------------- http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-di… *** The current state of boot security *** --------------------------------------------- I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didnt really have time to go into the details of that at the time, but right now Im sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasnt kicked in yet so here we go.The basic premise of my presentation was that its very difficult to determine whether your system is in a... --------------------------------------------- http://mjg59.dreamwidth.org/39339.html *** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) *** --------------------------------------------- Ive written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart: $ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir 1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii $ You can make emldump skip this first line with option -H: $ ./emldump.py -H... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20561&rss *** More Internet of Things irony: a security alarm with alarming security *** --------------------------------------------- Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN... --------------------------------------------- https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a… *** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- Bitte beachten Sie: Zur Behebung der hier genannten Schwachstelle hat Mozilla am 28. Dezember 2015 das Security Advisory MFSA2015-150 veröffentlicht, dieses aber kurze Zeit später, ohne Angaben von Gründen, wieder zurückgezogen. Zeitgleich wurde die Firefox Version 43.0.3 bereitgestellt. Ob die hier genannte Schwachstelle in der Version also tatsächlich behoben ist, ist unklar. In den Release Notes zur Firefox Version 43.0.3 wird die Schwachstelle nicht genannt. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/ *** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1034541 *** DFN-CERT-2016-0004: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/ *** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S *** --------------------------------------------- http://www.securityfocus.com/archive/1/537223 *** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag *** --------------------------------------------- http://www.securityfocus.com/archive/1/537224 *** Bugtraq: Confluence Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537232 *** DSA-3433 samba - security update *** --------------------------------------------- Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,print, and login server for Unix. The Common Vulnerabilities andExposures project identifies the following issues: --------------------------------------------- https://www.debian.org/security/2016/dsa-3433 *** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1034555 *** #2015-012 Ganeti multiple issues *** --------------------------------------------- Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI). --------------------------------------------- http://www.ocert.org/advisories/ocert-2015-012.html

1 0

Tageszusammenfassung - Mittwoch 30-12-2015
by Daily end-of-shift report 30 Dec '15

30 Dec '15

======================= = End-of-Shift Report = ======================= Timeframe: Dienstag 29-12-2015 18:00 − Mittwoch 30-12-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft may have your encryption key; here's how to take it back *** --------------------------------------------- It doesnt require you to buy a new copy of Windows. --------------------------------------------- http://arstechnica.com/information-technology/2015/12/microsoft-may-have-yo… *** Actor using Rig EK to deliver Qbot - update, (Wed, Dec 30th) *** --------------------------------------------- Introduction This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, Ive infected more Windows hosts from other compromised websites, so we have additional data on this actor. As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20551&rss *** The Truth is in Your Logs! *** --------------------------------------------- [The post The Truth is in Your Logs! has been first published on /dev/random]Keeping an eye on logs is boring... but mandatory! Hopefully, sometimes it can reveal funny stuffs! It looks like people at the CCC are having some fun too while their annual conference is ongoing... Here is what I got in my Apache logs this morning: 151.217.177.200 - - [30/Dec/2015:06:51:22 +0100] "DELETE your logs. \ Delete your installations. Wipe everything clean. Walk out into the... --------------------------------------------- https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/ *** Killed by Proxy: Analyzing Client-end TLS Interception Software *** --------------------------------------------- Topic: Killed by Proxy: Analyzing Client-end TLS Interception Software Risk: Medium Text:Abstract—To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015120310 *** 32C3: Automatisierte Sicherheitstests für das Internet der Dinge *** --------------------------------------------- Ein französisch-deutsches Forscherteam hat eine Emulationsumgebung entwickelt, mit der sich dynamische Penetrationstests von Firmware vernetzter Elektronikgeräte maschinell durchführen lassen. Erste Ergebnisse sprechen für sich. --------------------------------------------- http://heise.de/-3056880 *** Cloud Computing: Attacks Vectors and Counter Measures *** --------------------------------------------- I can bet that some of you might have missed the news about Star Wars, but there will be hardly any who do not know what Cloud computing is, as this has been the buzz for last several years. In this article, we will learn about various types of attacks that are possible in a... --------------------------------------------- http://resources.infosecinstitute.com/cloud-computing-attacks-vectors-and-c… *** Chrome: Google-Entwickler zerpflückt Antiviren-Addon *** --------------------------------------------- Eine Chrome-Erweiterung des Antiviren-Herstellers AVG habe so viele Sicherheitslücken gehabt, dass es auch Malware hätte sein können, schreibt ein Google-Entwickler. Die Fehler sind zwar behoben, das Addon könnte aber trotzdem aus dem Chrome-Store verbannt werden. --------------------------------------------- http://www.golem.de/news/chrome-google-entwickler-zerpflueckt-antiviren-add… *** Misconfigured databases, a growing threat *** --------------------------------------------- It has become commonplace to find misconfigured databases exposed to the public Internet. Last summer alone - 1,175 terabytes (approximately 1.1 petabytes) of data was left wide open for the amusement of inquiring minds and malicious hackers alike - ranging from SMBs to Fortune 500 companies. --------------------------------------------- http://darkmatters.norsecorp.com/2015/12/29/misconfigured-databases-a-growi… *** Mobile malware review for 2015 *** --------------------------------------------- December 30, 2015 The last year proved to be another challenging period for the smartphones and tablets owners. Cybercriminals continued to target users of Android devices - thus, the majority of "mobile" threats and unwanted software discovered in 2015 were intended for this platform. In particular, banking Trojans, Android ransomware, advertising modules, and SMS Trojans expanded their activity. Besides, this year witnessed a growing number of malware pre-installed into... --------------------------------------------- http://news.drweb.com/show/?i=9779&lng=en&c=9 *** Using IDAPython to Make Your Life Easier: Part 1 *** --------------------------------------------- As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2015/12/using-idapython-to-make-… *** The weird and wacky of 2015: strange security and privacy stories *** --------------------------------------------- These wacky stories remind us how important cybersecurity and online privacy have become in all areas of our lives. --------------------------------------------- https://nakedsecurity.sophos.com/2015/12/29/the-weird-and-wacky-of-2015-str… *** Steam blows as games websites security collapse *** --------------------------------------------- Christmas hiccup on gaming platform exposed user information to others --------------------------------------------- http://www.scmagazine.com/steam-blows-as-games-websites-security-collapse/a… *** 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 52.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/2755801 *** PHP Class Name Format String Flaw Lets Remote Users Execute Arbitrary C ode *** --------------------------------------------- http://www.securitytracker.com/id/1034543 *** Security Advisory: Apache HTTPD vulnerability CVE-2010-2791 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23332326.html?… *** Security Advisory: Apache vulnerability CVE-2011-3639 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/20/sol20979231.html?… *** AVG Anti-Virus Flaws in Web TuneUp Chrome Extension Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034547 Next End-of-Shift Report on 2016-01-04.

1 0

Tageszusammenfassung - Dienstag 29-12-2015
by Daily end-of-shift report 29 Dec '15

29 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 28-12-2015 18:00 − Dienstag 29-12-2015 18:00 Handler: L. Aaron Kaplan Co-Handler: Stephan Richter *** Security Updates Available for Adobe Flash Player (APSB16-01) *** --------------------------------------------- A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1305 *** Quick Tips to Protect Your New (and old) Apple Devices *** --------------------------------------------- Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself, am a huge fan of Apple and have been for a quite...read moreThe post Quick Tips to Protect Your New (and old) Apple Devices appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2015/12/28/18251/ *** 2016 Reality: Lazy Authentication Still the Norm *** --------------------------------------------- My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves. --------------------------------------------- http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-t… *** An Overview of the Upcoming libModSecurity *** --------------------------------------------- libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations While ModSecurity version 2.9.0 is available... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-… *** Forscher: Herzschrittmacher für Hackerangriffe und Softwarefehler anfällig *** --------------------------------------------- Forscherin und Patientin Marie Moe sprach auf dem Hackerkongress 32C3 über das Thema --------------------------------------------- http://derstandard.at/2000028215506 *** Lets Encrypt: Ein kostenfreies Zertifikat, alle zwei Sekunden *** --------------------------------------------- Der Start der neuen Certificate Authority Lets Encrypt hat offenbar recht gut funktioniert. Nach nur rund einem Monat im Betabetrieb ist das Projekt schon die fünftgrößte CA der Welt. Doch es gibt noch einige Aufgaben zu bewältigen. --------------------------------------------- http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwe… *** 32C3: pushTAN-App der Sparkasse nach wie vor angreifbar *** --------------------------------------------- Zwischen Erlanger Sicherheitsforschern und dem Sparkassenverband hat sich ein Katz-und-Maus-Spiel um die Online-Banking-App "pushTAN" entwickelt. Die jüngste Version ließe sich weiter recht einfach angreifen, sagen Experten. --------------------------------------------- http://heise.de/-3056667 *** 32C3: Verschlüsselung gängiger RFID-Schließanlagen geknackt *** --------------------------------------------- RFID-Transponderkarten, die für die elektronische Zutrittskontrolle genutzt werden, lassen sich Sicherheitsexperten zufolge oft "trivial einfach" klonen. --------------------------------------------- http://heise.de/-3056646 *** Geldautomaten-Skimming auf dem Rückzug *** --------------------------------------------- Die Milliardeninvestitionen von Banken und Handel in mehr Sicherheit zeigen Wirkung: Datendiebe kommen am Geldautomat in Deutschland immer seltener zum Zug. Doch noch finden die Kriminellen Löcher im System. --------------------------------------------- http://heise.de/-3056638 *** Microsoft Has Your Encryption Key If You Use Windows 10 *** --------------------------------------------- An anonymous reader writes with this bit of news from the Intercept. If you login to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to a Microsoft servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsofts servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-y… *** Voice over LTE: Angriffe auf mobile IP-Telefonie vorgestellt *** --------------------------------------------- Talks, die Albträume über mobile Kommunikation auslösen, haben beim CCC Tradition. Dieses Mal haben zwei koreanische Studenten Angriffe auf Voice over LTE vorgeführt. In Deutschland soll das angeblich nicht möglich sein. --------------------------------------------- http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-… *** Fixing JavaScripts Broken Random Number Generator *** --------------------------------------------- szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascri… *** DFN-CERT-2015-2002: Roundcubemail: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/ *** libtiff bmp file Heap Overflow *** --------------------------------------------- Topic: libtiff bmp file Heap Overflow Risk: High Text:Details = Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor U... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015120304

1 0

Tageszusammenfassung - Montag 28-12-2015
by Daily end-of-shift report 28 Dec '15

28 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 23-12-2015 18:00 − Montag 28-12-2015 18:00 Handler: L. Aaron Kaplan Co-Handler: Stephan Richter *** Malware-Driven Card Breach at Hyatt Hotels *** --------------------------------------------- Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations. --------------------------------------------- http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hote… *** Using WPScan: Finding WordPress Vulnerabilities *** --------------------------------------------- When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list ofRead More The post Using WPScan: Finding WordPress Vulnerabilities appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2015/12/using-wpscan-finding-wordpress-vulnerabilit… *** NSA und GCHQ nutzen seit Jahren Hintertüren in Juniper-Firewalls *** --------------------------------------------- Geheimes Dokument aus 2011 zeigt Zusammenarbeit der zwei Geheimdienste --------------------------------------------- http://derstandard.at/2000028055853 *** Victims of the Gomasom Ransomware can now decrypt their files for free *** --------------------------------------------- Fabian Wosar, security researcher at Emsisoft, created a tool for decrypting files locked by the Gomasom Ransomware. Ransomware are the most threatening cyber threats for end-users, but today I have a good news for victims of the Gomasom ransomware, victims can rescue their locked files. The news was spread by the security researcher Fabian Wosar that developed a... --------------------------------------------- http://securityaffairs.co/wordpress/43074/malware/decrypt-gomasom-ransomwar… *** Hacker zeigen massive Lücken bei Bankomatkarten *** --------------------------------------------- Vor Publikum PIN ausgelesen, Prepaid-Karte aufgeladen und Zahlungen umgeleitet --------------------------------------------- http://derstandard.at/2000028162750 *** 32C3: Hardware-Trojaner als unterschätzte Gefahr *** --------------------------------------------- Fest in IT-Geräte und Chips eingebaute Hintertüren stellten eine "ernste Bedrohung" dar, warnten Sicherheitsexperten auf der Hackerkonferenz. Sie seien zwar nur mit großem Einwand einzubauen, aber auch schwer zu finden. --------------------------------------------- http://heise.de/-3056452 *** 32C3: Dieselgate und die omninöse Akustik-Funktion *** --------------------------------------------- Kann die Manipulation der Abgaswerte bei Volkswagen wirklich das Werk einzelner Ingenieure sein? Auf dem CCC-Congress erteilten ein Insider und ein Hacker dieser Legende eine Absage. --------------------------------------------- http://heise.de/-3056438 *** 32C3: Automatische Zugsicherung und vernetzte Bahntechnik im Hackervisier *** --------------------------------------------- Eine Hackergruppe, die sich auf Industrieanlagen konzentriert, hat diverse Angriffsflächen rund um vernetzte Systeme zur Zugkontrolle ausgemacht. Veraltete Software sowie unsichere Passwörter seien dort "überall" zu finden. --------------------------------------------- http://heise.de/-3056484 *** DSA-3430 libxml2 - security update *** --------------------------------------------- Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an application using libxml2, would cause that application to use anexcessive amount of CPU, leak potentially sensitive information, orcrash the application. --------------------------------------------- https://www.debian.org/security/2015/dsa-3430 *** GIT git-remote-ext Helper URL Processing Lets Remote Users Execute Arbitrary Commands on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034501 *** F5 Security Advisory: Apache vulnerability CVE-2010-0434 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40284849.html?… *** EMC Secure Remote Services Virtual Edition Directory Traversal Flaw Lets Remote Authenticated Users View Files on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034530 *** Cisco Jabber for Windows STARTTLS Downgrade Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Vuln: Dnsmasq CVE-2015-3294 Remote Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/74452 *** IDM 4.5 - 4.0.2 Midrange Driver Patch 4.0.2 *** --------------------------------------------- Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.0.2 or higher. Driver version will show i5os Driver Version 4.0.2 IDM 4.0.2 Build Date 20151207_1437IDM 4.5.x Build Date 201512071006 To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION)Document ID: 5230811Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm45-402midrangepatch2.tar.gz (96.31 MB)Products:Identity Manager 4.0.2Identity Manager... --------------------------------------------- https://download.novell.com/Download?buildid=HsE3grsz-TU~ *** DFN-CERT-2015-1999: libvirt: Eine Schwachstelle ermöglicht die Manipulation von Dateien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1999/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Websphere Liberty Profile (WLP) affect Power Management Console (CVE-2015-2017, CVE-2015-1927, CVE-2015-4938) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021040 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2015-7410) *** http://www.ibm.com/support/docview.wss?uid=swg21972676 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Linux-PAM affects PowerKVM (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022880 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in pam affect Power Management Console (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021041 --------------------------------------------- *** IBM Security Bulletin: A denial of service vulnerability affects IBM Sterling B2B Integrator (CVE-2014-0050) *** http://www.ibm.com/support/docview.wss?uid=swg21972944 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM PureApplication System. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21973591 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21973439 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21972087 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4962, CVE-2015-4946) *** http://www.ibm.com/support/docview.wss?uid=swg21973404 --------------------------------------------- *** IBM Security Bulletin: Malformed ECParameters causes infinite loop (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023038 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect AppScan Enterprise *** http://www.ibm.com/support/docview.wss?uid=swg21972830 --------------------------------------------- *** IBM Security Bulletin: Clickjack vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-1928) *** http://www.ibm.com/support/docview.wss?uid=swg21973200 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Manager Enterprise Edition (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21973416 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, *** http://www.ibm.com/support/docview.wss?uid=swg21973383 --------------------------------------------- *** IBM Security Bulletin: Privilege escalation coverage gap in IBM SPSS Statistics (CVE-2015-7489) *** http://www.ibm.com/support/docview.wss?uid=swg21973502 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023034 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005474 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. *** http://www.ibm.com/support/docview.wss?uid=nas8N1021047 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring clients (CVE-2015-2590 plus additional CVEs.) *** http://www.ibm.com/support/docview.wss?uid=swg21964027 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 23-12-2015
by Daily end-of-shift report 23 Dec '15

23 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 22-12-2015 18:00 − Mittwoch 23-12-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** 2015 Ransomware Wrap-Up *** --------------------------------------------- Heres a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year. --------------------------------------------- http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424 *** 3-in-1 Malware Infection through Spammed JavaScript Attachments *** --------------------------------------------- Recently weve observed a massive uptick of malicious spam with JavaScript attachments with an intention to spread and infect Windows systems with variety of malicious executables. The spam usually contains a ZIP file attachment containing only one JavaScript file. The .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/3-in-1-Malware-Infectio… *** IT bloke: Crooks stole my bikes after cycling app blabbed my address *** --------------------------------------------- Brit suffers from GPS accuracy An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage .. --------------------------------------------- www.theregister.co.uk/2015/12/22/it_manager_loses_bikes_after_cycling_app_p… *** Xen Project blunder blows own embargo with premature bug report *** --------------------------------------------- Malicious guest could eat your virtual rigs from the inside The Xen Project has reported a new bug, XSA-169, that means 'A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.' .. --------------------------------------------- www.theregister.co.uk/2015/12/23/xen_blunder_blows_own_embargo_with_prematu… *** Expect Phishers to Up Their Game in 2016 *** --------------------------------------------- Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device. --------------------------------------------- http://krebsonsecurity.com/2015/12/expect-phishers-to-up-their-game-in-2016 *** Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision *** --------------------------------------------- It's well known that SHA-1 is no longer considered a secure cryptographic hash function. Researchers now believe that finding a hash collision (two values that result in the same value when SHA-1 is applied) is inevitable and likely to happen in a matter of months. This poses a potential threat to trust on the web, as many websites use certificates that are digitally signed with algorithms that rely on SHA-1. Luckily for everyone, finding a hash collision is not enough to forge a digital --------------------------------------------- https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-tha… *** Cyberangriffe auf türkische Internetserver *** --------------------------------------------- Unklare Hintergründe - Steckt Russland dahinter? Oder Anonymous? --------------------------------------------- http://derstandard.at/2000028013290 *** Hacker: Filmstars mit Problemen im Netz *** --------------------------------------------- Brandneue Spielfilme wie der jüngste Western von Quentin Tarantino sind im Internet aufgetaucht. Eine Reihe weiterer Stars hat ganz andere Probleme: Ein Hacker ist an Sexvideos und persönliche Daten von ihnen gelangt - er wurde allerdings nun verhaftet. --------------------------------------------- http://www.golem.de/news/hacker-filmstars-mit-problemen-im-netz-1512-118179… *** How a security director used a rootkit to rig the lottery and steal millions of dollars *** --------------------------------------------- Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states. --------------------------------------------- https://bgr.com/2015/12/23/lottery-hacker-rootkit-stolen-numbers-investigat… *** Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for NTP daemon vulnerabilities in the Siemens RUGGEDCOM ROX-based devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-356-01 Aufgrund der Weihnachtsfeiertage erscheint der nächste End-of-Shift Report erst am 28.12.2015.

1 0

Tageszusammenfassung - Dienstag 22-12-2015
by Daily end-of-shift report 22 Dec '15

22 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 21-12-2015 18:00 − Dienstag 22-12-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** IBM Security Bulletin: Blind SQL injection vulnerability in IBM OpenPages GRC Platform API (CVE-2015-5049) *** --------------------------------------------- A blind SQL injection vulnerability has been found in the OpenPages GRC Platform API that could allow retrival or manipulation of information in the database. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970590 *** Cisco IOS XE Software Packet Processing Denial of Service Vulnerability *** --------------------------------------------- The vulnerability is due to incorrect processing of packets that have a source MAC address of 0000:0000:0000. An attacker could exploit this vulnerability by sending a frame that has a source MAC address of all zeros to an affected device. A successful exploit could allow the attacker to cause the device to reload. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** [20151207] - Core - SQL Injection *** --------------------------------------------- Inadequate filtering of request data leads to a SQL Injection vulnerability. --------------------------------------------- https://developer.joomla.org/security-centre/640-20151207-core-sql-injectio… *** [20151206] - Core - Session Hardening *** --------------------------------------------- The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions. --------------------------------------------- https://developer.joomla.org/security-centre/639-20151206-core-session-hard… *** First Exploit Attempts For Juniper Backdoor Against Honeypot *** --------------------------------------------- We are detecting numerous login attempts against our ssh honeypots using the ScreenOSbackdoor password. Our honeypot doesnt emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be manual in that we do see the attacker trying different .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20525 *** Protecting Your Sites from Apache.Commons Vulnerabilities *** --------------------------------------------- A few weeks ago, FoxGlove Security released this important blog post that includes several Proof-of-Concepts for exploiting Java unserialize vulnerabilities. A remote attacker can gain Remote Code Execution by sending specially crafted payload to any endpoint expecting a serialized .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Protecting-Your-Sites-f… *** Oracle muss Java-Updates nachbessern *** --------------------------------------------- Alte Java-Versionen müssen restlos von Computern verschwinden. Dafür muss Oracle sorgen. --------------------------------------------- http://heise.de/-3052761 *** Shopshifting: Sicherheitsforscher decken Lücken im elektronischen Zahlungsverkehr auf *** --------------------------------------------- Bezahl-Terminals sprechen übers Netz mit ihrer Kasse und dem Bezahldienstleister. Beide Kommunikationskanäle weisen Schwächen auf, die ein Angreifer nutzen kann, um Kunden oder Ladeninhaber auszuplündern. --------------------------------------------- http://heise.de/-3052165 *** rt-sa-2015-013 *** --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2015-013.txt *** Juniper backdoors *** --------------------------------------------- Juniper hat in einem Advisory (hier unsere unsere Warnung dazu) der Welt gesagt, dass sie bei einem Code-Audit zwei Hintertüren in ScreenOS gefunden haben.Die eine ist eine technisch ziemlich triviale Sache: ein konstantes Passwort erlaubt den Login per ssh oder telnet. Angeblich hat es nur 6 Stunden gebraucht, um dieses .. --------------------------------------------- http://www.cert.at/services/blog/20151222153859-1646.html *** IBM Security Bulletin: Multiple XSS Vulnerabilities in IBM UrbanCode Deploy (CVE-2015-7415) *** --------------------------------------------- IBM UrbanCode Deploy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker .. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970811 *** Bericht: Hacker haben Teile des US-Stromnetzes infiltriert *** --------------------------------------------- In rund zwölf Fällen sollen Cyberangriffe auf Kontrollzentren von Energieversorgern in den USA während der vergangenen zehn Jahre erfolgreich gewesen sein. Der Hack des Anbieters Calpine ging wohl vom Iran aus. --------------------------------------------- http://heise.de/-3054887 *** Call for Papers: VB2016 Prague *** --------------------------------------------- VB seeks submissions for the 26th Virus Bulletin Conference.Virus Bulletin is seeking submissions from those wishing to present papers at VB2016, which will take place 5 to 7 October 2016 at the Hyatt Regency Denver Hotel in Denver, Colorado, USA.Originally started as an annual gathering of anti-virus experts, the .. --------------------------------------------- http://www.virusbtn.com/blog/2015/12_22.xml

1 0

Tageszusammenfassung - Montag 21-12-2015
by Daily end-of-shift report 21 Dec '15

21 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 18-12-2015 18:00 − Montag 21-12-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Update für Crimeware Kit Microsoft Word Intruder *** --------------------------------------------- Über Sicherheitslücken in Microsoft Word kann ein Dateianhang schon beim Öffnen Windows-Systeme infizieren. Der Autor des im Untergrund beliebten Crimeware Kits MWI legt jetzt mit neuen Exploits nach. --------------------------------------------- http://heise.de/-3049547 *** VMSA-2015-0009 *** --------------------------------------------- VMware product updates address a critical deserialization vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2015-0009.html *** VMSA-2015-0003.15 *** --------------------------------------------- VMware product updates address critical information disclosure issue in JRE --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2015-0003.html *** Avira Registry Cleaner DLL Hijacking *** --------------------------------------------- avira_registry_cleaner_en.exe, available from <https://www.avira.com/en/download/product/avira-registry-cleaner> to clean up remnants the uninstallers of their snakeoil products fail to remove, is vulnerable: it loads and executes WTSAPI32.dll, UXTheme.dll and RichEd20.dll from its application directory (tested and verified under Windows XP SP3 and Windows 7 SP1). --------------------------------------------- https://cxsecurity.com/issue/WLB-2015120223 *** PUPs Masquerade as Installer for Antivirus and Anti-Adware *** --------------------------------------------- If youre looking for download sites of programs you wish to install onto your machine or simply try out, you, dear Reader, would be better off dropping by their official websites. --------------------------------------------- https://blog.malwarebytes.org/online-security/2015/12/pups-masquerade-as-in… *** Joomla 0-Day Exploited In the Wild (CVE-2015-8562) *** --------------------------------------------- A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-… *** Google Chrome: Abschied von SHA-1-siginierten SSL-Zertifikaten *** --------------------------------------------- Ab Anfang nächsten Jahres wird Google Chrome keine neu ausgestellten SHA-1-signierten SSL-Zertifikate von öffentlichen CAs mehr akzeptieren. SHA-1 gilt seit zehn Jahren als unsicher, wird aber immer noch von HTTPS-Sites verwendet. --------------------------------------------- http://heise.de/-3049749 *** The EPS Awakens - Part 2 *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-t… *** Facebook hammers another nail into Flashs coffin *** --------------------------------------------- The Social NetworkTM bins Adobes malware-magnet for video, adopts HTML5 Facebook has hammered puts another nail in to the coffin of Adobe Flash, by switching from the bug-ridden plug-in to HTML5 for all videos on the site. --------------------------------------------- www.theregister.co.uk/2015/12/21/facebook_dumps_flash_for_video/ *** Hello Kitty: Kinderdaten ungeschützt im Netz *** --------------------------------------------- Eine MongoDB-Datenbank mit den privaten Informationen zahlreicher Hello-Kitty-Fans wurde veröffentlicht. Vor allem Kinder dürften davon betroffen sein - und sollten ihre Passwörter bei anderen Diensten überprüfen. --------------------------------------------- http://www.golem.de/news/security-hello-kitty-gehackt-1512-118123.html *** XXX is Angler EK *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html *** Schnüffelcode in Juniper-Netzgeräten: Weitere Erkenntnisse und Spekulationen *** --------------------------------------------- Die Analysen der ScreenOS-Updates fördern vogelwilde Dinge zu Tage. So gab es zwei unabhängige Hintertüren. Die SSH-Backdoor kann dank des veröffentlichten Passworts jeder ausnutzen; die komplexere VPN-Lücke beruht wohl auf einer bekannten NSA-Backdoor. --------------------------------------------- http://heise.de/-3051260 *** The many attacks on Zengge WiFi lightbulbs *** --------------------------------------------- In August I decided to check out the cool new Internet Of Things. I bought a WiFi-enabled colorful LED lightbulb. It was a cheap Chinese one that costs almost nothing on Alibaba, but I paid probably around $50 on Amazon. It's built by a company called Zengge. It turned out that my new lightbulb was a router, an HTTP server, an HTTP proxy, and a lot more. --------------------------------------------- http://blog.viktorstanchev.com/2015/12/20/the-many-attacks-on-zengge-wifi-l…

1 0

Tageszusammenfassung - Freitag 18-12-2015
by Daily end-of-shift report 18 Dec '15

18 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 17-12-2015 18:00 − Freitag 18-12-2015 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** JSA10713 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10713 *** JSA10712 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10712 *** Cisco Model DPQ3925 Wireless Residential Gateway Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Schneider Electric Modicon M340 Buffer Overflow Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a buffer overflow vulnerability in Schneider Electric's Modicon M340 PLC product line. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01 *** Motorola MOSCAD SCADA IP Gateway Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for Remote File Inclusion and Cross-Site Request Forgery vulnerabilities in Motorola Solutions MOSCAD IP Gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-351-02 *** eWON Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for several vulnerabilities in the eWON sa industrial router. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03 *** Microsoft will stop trusting certificates from 20 Certificate Authorities *** --------------------------------------------- Starting on January 2016, Microsofts Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates removed from the Trusted .. --------------------------------------------- http://www.net-security.org/secworld.php?id=19252 *** Docker and Enterprise Security: Establishing Best Practices *** --------------------------------------------- Virtualization containers, with their extraordinarily efficient hardware utilization, can be like a dream come true for development teams. While containerization will probably .. --------------------------------------------- http://resources.infosecinstitute.com/docker-and-enterprise-security-establ… *** IBM Security Bulletins *** --------------------------------------------- *** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1947) *** http://www.ibm.com/support/docview.wss?uid=swg21967131 --------------------------------------------- *** IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 are affected by multiple vulnerabilities in OpenSSL *** http://www.ibm.com/support/docview.wss?uid=swg21971298 --------------------------------------------- *** Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix *** http://www.ibm.com/support/docview.wss?uid=swg21973447 --------------------------------------------- *** Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21972496 --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK affect Rational Functional Tester (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006) *** http://www.ibm.com/support/docview.wss?uid=swg21972844 --------------------------------------------- *** A vulnerability in lighttpd affects IBM Security Virtual Server Protection for VMware (CVE-2015-3200) *** http://www.ibm.com/support/docview.wss?uid=swg21973291 --------------------------------------------- *** IBM Multiple vulnerabilities in IBM Java SDK affect IBM API Management *** http://www.ibm.com/support/docview.wss?uid=swg21972828 --------------------------------------------- *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that could, in certain configurations, allow a malicious administrator of a guest VM to compromise the host or obtain potentially sensitive information from other guest VMs. In addition, a vulnerability has been identified that would allow certain applications running on a guest to cause that guest to crash. --------------------------------------------- https://support.citrix.com/article/CTX203879 *** Vuln: Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness *** --------------------------------------------- http://www.securityfocus.com/bid/44484 *** Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** SSA-472334 (Last Update 2015-12-18): NTP Vulnerabilities in RUGGEDCOM ROX-based Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-472334… *** SSA-396873 (Last Update 2015-12-18): TLS Vulnerability in Ruggedcom ROS- and ROX-based Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-396873… *** iOS banking apps security still not good enough, says researcher *** --------------------------------------------- Repeat test throws up improved results from 2013 but problems remain The security of mobile banking apps has improved over the .. --------------------------------------------- www.theregister.co.uk/2015/12/18/ios_banking_app_audit/

1 0

Tageszusammenfassung - Donnerstag 17-12-2015
by Daily end-of-shift report 17 Dec '15

17 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 16-12-2015 18:00 − Donnerstag 17-12-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Press Backspace 28 times to own unlucky Grub-by Linux boxes *** --------------------------------------------- Integer underflow fault means you can get into rescue mode and rummage around A pair of researchers from the University of Valencias Cybersecurity research group have found that if you press backspace 28 times, its possible to bypass authentication during boot-up on some Linux machines. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/press_backs… *** Checklist - How to Secure Your WordPress Website *** --------------------------------------------- We know that you care about what you build and protecting it is incredibly important. Hacks happen, and it's your job to reduce their likelihood to the lowest probability possible. We built this checklist of best practices to help you harden your website and protect you and your users from hacks. --------------------------------------------- https://www.wordfence.com/learn/checklist-how-to-secure-your-wordpress-webs… *** Privileged Access Workstations *** --------------------------------------------- Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket. --------------------------------------------- https://technet.microsoft.com/en-US/library/mt634654.aspx *** F-Secure: Sandboxed Execution Environment *** --------------------------------------------- Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments. Plugins can be added to a Test Environment which provides an Event mechanism synchronisation for their interaction. Users can enable and configure the plugins through a JSON configuration file. --------------------------------------------- https://github.com/F-Secure/see *** How do you know if your smartphone has been compromised? *** --------------------------------------------- Signs that may indicate a mobile infection: Has your phone been compromised? #1: You notice the system or apps behaving strangely #2: Your call or message history includes some unknown entries ... --------------------------------------------- http://www.welivesecurity.com/2015/12/16/know-smartphone-compromised/ *** XSS, SQLi bugs found in several Network Management Systems *** --------------------------------------------- Network Management System (NMS) offerings by Spiceworks, Ipswitch, Opsview and Castle Rock Computing have been found sporting several cross-site scripting and SQL injection flaws that could be exploit... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/hQ6oQHF5luA/secworld.php *** POS Malware Families: An insight into the Behavior of POS Malware *** --------------------------------------------- In a previous blog, we discussed why Point of Sale (POS) devices remain such an attractive target and described some different attack methods. As you can see from the infographic below, retail and POS have been (pardon the pun) "Targets" on an ongoing basis for the past few years, and the trend doesn't appear to be reversing, even with technologies such as EMV and P2PE. In this blog, we describe some of the different families of POS malware. POS Malware Common Features... --------------------------------------------- https://feeds.feedblitz.com/~/128665939/0/alienvault-blogs~POS-Malware-Fami… *** Xen Security Advisories *** --------------------------------------------- XSA-155 - paravirtualized drivers incautious about shared memory contents http://xenbits.xen.org/xsa/advisory-155.html --------------------------------------------- XSA-157 - Linux pciback missing sanity checks leading to crash http://xenbits.xen.org/xsa/advisory-157.html --------------------------------------------- XSA-164 - qemu-dm buffer overrun in MSI-X handling http://xenbits.xen.org/xsa/advisory-164.html --------------------------------------------- XSA-165 - information leak in legacy x86 FPU/XMM initialization http://xenbits.xen.org/xsa/advisory-165.html --------------------------------------------- XSA-166 - ioreq handling possibly susceptible to multiple read issue http://xenbits.xen.org/xsa/advisory-166.html --------------------------------------------- *** DFN-CERT-2015-1948: Samba: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1948/ *** Cisco FireSIGHT Management Center SSL HTTP Attack Detection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Advisory: BIND vulnerability CVE-2015-8000 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34250741.html?… *** Multiple SQL Injection Vulnerabilities in Citrix Command Center Web User Interface Java Servlets *** --------------------------------------------- A number of SQL Injection vulnerabilities have been identified in the Administration Web UI servlets used by Citrix Command Center. These vulnerabilities, if exploited, could allow an authenticated user to insert malicious SQL queries into the application, potentially causing the alteration or deletion of system data. --------------------------------------------- http://support.citrix.com/article/CTX203787 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM API Management (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21965259 --------------------------------------------- *** IBM Security Bulletin: Fix available for Information Disclosure Vulnerability in IBM WebSphere Portal (CVE-2015-7447) *** http://www.ibm.com/support/docview.wss?uid=swg21973152 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Content Manager Services for Lotus Quickr (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21973096 --------------------------------------------- *** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by privilege escalation vulnerability (CVE-2015-7429) *** http://www.ibm.com/support/docview.wss?uid=swg21973087 --------------------------------------------- *** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by unauthorized access vulnerability (CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21973086 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates October 2015 *** http://www.ibm.com/support/docview.wss?uid=swg21973355 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (IHS) affect IBM Security SiteProtector System (CVE-2015-1283, CVE-2015-3183 and CVE-2015-4947) *** http://www.ibm.com/support/docview.wss?uid=swg21972470 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Collector for SAP Applications (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21973147 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Cinder information disclosure vulneraility (CVE-2015-1851) *** http://www.ibm.com/support/docview.wss?uid=nas8N1020980 --------------------------------------------- *** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 that allows users to truncate any table even though the owner of the table has not granted any privilege to any user/role/group (CVE-2015-5020) *** http://www.ibm.com/support/docview.wss?uid=swg21967923 --------------------------------------------- *** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21970400 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects OpenPages GRC Platform with Application Server (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972345 --------------------------------------------- *** IBM Security Bulletin: IBM Curam Social Program Management is Vulnerable to Reflected Cross-Site Scripting (CVE-2015-7402) *** http://www.ibm.com/support/docview.wss?uid=swg21970661 --------------------------------------------- *** ZDI-15-641: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/LfsseiLCccs/ *** ZDI-15-643: Foxit Reader Will Print Action Use-After-Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/28dKwkM6_5M/ *** ZDI-15-642: Foxit Reader Will Save Document Action Use-After-Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/uY-c98zZjQI/ *** ZDI-15-644: Foxit Reader FlateDecode Heap Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/s3waojIPu0E/

1 0

Tageszusammenfassung - Mittwoch 16-12-2015
by Daily end-of-shift report 16 Dec '15

16 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 15-12-2015 18:00 − Mittwoch 16-12-2015 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** IBM Security Bulletin *** --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK affect IBM Rational Connector for SAP Solution Manager *** http://www.ibm.com/support/docview.wss?uid=swg21967447 --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Configuration Manager *** http://www.ibm.com/support/docview.wss?uid=swg21972884 --------------------------------------------- *** IBM Security Bulletin: Openstack Cinder and Horizon vulnerabilities affect IBM Cloud Manager with OpenStack *** http://www.ibm.com/support/docview.wss?uid=isg3T1023146 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal attack. *** http://www.ibm.com/support/docview.wss?uid=swg21967647 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability exist in the IBM SDK, Java Technology Edition provided with WebSphere DataPower XC10 Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21972660 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Stored cross-site scripting. *** http://www.ibm.com/support/docview.wss?uid=swg21973175 --------------------------------------------- *** FireEye Exploitation: Project Zero's Vulnerability of the Beast *** --------------------------------------------- FireEye sell security appliances to enterprise and government customers. FireEye's flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.To give a .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-… *** Security Management vs Chaos: Understanding the Butterfly Effect to Manage Outcomes & Reduce Chaos *** --------------------------------------------- And now for something completely different.">Python">Subtitle: Captain Obvious Applies Chaos Theory Introduction This diary breaks a bit from our expected norms todiscussmanaging possible outcomes originating froma data breach .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20495 *** Security Advisory: Multiple MySQL vulnerabilities *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59010802.html?… *** VB2015 video: Making a dent in Russian mobile banking phishing *** --------------------------------------------- Sebastian Porst explains what Google has done to protect users from phishing apps targeting Russian banks.In the last few years, mobile malware has evolved from a mostly theoretical threat to a very serious one that affects many users. Indeed, several talks at VB2015 dealt with various aspects of mobile .. --------------------------------------------- http://www.virusbtn.com/blog/2015/12_16.xml *** Adcon Telemetry A840 Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Adcon Telemetry's A840 Telemetry Gateway Base Station. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-349-01 *** Advantech EKI Vulnerabilities (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-344-01 Advantech EKI Vulnerabilities that was published December 10, 2015, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01 *** Sicherheitspaket UTM von Sophos löchrig *** --------------------------------------------- Das Unified-Threat-Management-Paket von Sophos ist bedroht und einem Sicherheitsforscher zufolge können Angreifer etwa die Firewall deaktivieren. Die Lücken sollen bereits gefixt sein; Patches sind aber noch nicht verfügbar. --------------------------------------------- http://heise.de/-3044717 *** DFN-CERT-2015-1937/">ISC BIND9: Zwei Schwachstellen ermöglichen einen Denial-of-Service-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1937/ *** Driving an industry towards secure code *** --------------------------------------------- The German government made an unprecedented move this week by issuing requirements for all new vehicles' software to be made accessible to country regulators to ensure that emissions loopholes aren't ... --------------------------------------------- http://www.net-security.org/article.php?id=2431 *** Playing With Sandboxes Like a Boss *** --------------------------------------------- Last week, Guy wrote a nice diary to explain how to easily deploy IRMA to analyze suspicious files. Having a good tool to work on files locally is always interesting for multiple reasons. You are doing some independent research, you .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20501 *** Attacking WPA2 Enterprise *** --------------------------------------------- The widespread use of mobile and portable devices in the enterprise environment requires a proper implementation of the wireless network infrastructure to provide them connectivity and ensure the business functionality. WPA-Enterprise is .. --------------------------------------------- http://resources.infosecinstitute.com/attacking-wpa2-enterprise/ *** Open Source Network Security Tools for Newbies *** --------------------------------------------- With so many open source tools available to help with network security, it can be tricky to figure out where to start, especially if you are an IT generalist who has been tasked with security. We all have to start somewhere. The question is, where? The sheer number of open source tools available can make .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/open-source-network-se… *** [HTB23282]: RCE in Zen Cart via Arbitrary File Inclusion *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered critical vulnerability in a popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise vulnerable system. A remote .. --------------------------------------------- https://www.htbridge.com/advisory/HTB23282 *** Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps *** --------------------------------------------- CloudSek was monitoring an underground hacking team, that was selling a Desktop malware in various underground forums. The desktop malware is specifically designed for jumping air-gapped systems , and given the type of documents the attackers are seeking , it was collecting classified data from software companies and government organisations. --------------------------------------------- https://www.cloudsek.com/announcements/blog/apt-malware-masquerade-as-chris…

1 0

Tageszusammenfassung - Dienstag 15-12-2015
by Daily end-of-shift report 15 Dec '15

15 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 14-12-2015 18:00 − Dienstag 15-12-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** 13 million MacKeeper users exposed after MongoDB door was left open *** --------------------------------------------- Expect more breaches in the future as 35,000 MongoDB installs are misconfigured. --------------------------------------------- http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-… *** Hack: Esa-Nutzer haben kurze Passwörter *** --------------------------------------------- Zahlreiche interne Datensätze der Europäischen Raumfahrtagentur Esa sind gehackt worden und jetzt im Internet einsehbar. Offenbar benutzen viele der Esa-Nutzer kurze und unsichere Passwörter. --------------------------------------------- http://www.golem.de/news/rocket-science-esa-nutzer-haben-kurze-passwoerter-… *** Vulnerability Details: Joomla! Remote Code Execution *** --------------------------------------------- The Joomla! team released a new version of Joomla! CMS yesterday to patch a serious and easy to exploit remote code execution vulnerability that affected pretty much all versions of the platform up to 3.4.5. As soon as the patch was released, we were able to start our investigation and found that it was alreadyRead More The post Vulnerability Details: Joomla! Remote Code Execution appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.ht… *** 4 Things to Consider When Assessing Device Posture for Effective Network Access Control *** --------------------------------------------- Guest blogger Benny Czarny explains one of the main reasons to have a NAC system in place is to keep risky devices from connecting to your organization's network. Unfortunately, simply purchasing a NAC solution is not going to guarantee your protection.Categories: Online SecurityTags: Anti-Malwareanti-virusencryptionendpointvulnerability(Read more...) --------------------------------------------- https://blog.malwarebytes.org/online-security/2015/12/4-things-to-consider-… *** Protecting Windows Networks - Kerberos Attacks *** --------------------------------------------- MEDIA NOTE: This is not a new flaw, just a good write-up! I don't know why media reporting this as a new flaw. | Kerberos is an authentication protocol that is used by default in Windows networks and provide mutual authentication and authorization for clients and servers. It does not require you to send a password or a hash on the wire, it is instead rely on a trusted third party for handling all the details. | Although, it is considered a secure protocol, it has some flaws in Windows... --------------------------------------------- http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attack… *** Kaspersky Security Bulletin 2015. Overall statistics for 2015 *** --------------------------------------------- In 2015, virus writers demonstrated a particular interest in exploits for Adobe Flash Player. The proportion of relatively simple programs used in mass attacks was growing. Attackers have mastered non-Windows platforms - Android and Linux: almost all types of malicious programs are created and used for these platforms. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-… *** Oil and Gas Cyber Security - Interview *** --------------------------------------------- In the recent presentation at BlackHat, you mentioned that oil and gas is one of the industries most plagued by cyber-attacks. What makes oil and gas an attractive target? It's a juicy target for Cyberattacks as oil and gas companies are responsible for a great part of some countries' economies. Any interference in their work... --------------------------------------------- http://resources.infosecinstitute.com/oil-and-gas-cyber-security-interview/ *** Android.ZBot banking Trojan uses "web injections" to steal confidential data *** --------------------------------------------- December 15, 2015 The Trojans designed to steal money from bank accounts pose a serious threat to Android users. The Android.ZBot Trojan is one of these malicious programs. Its different modifications target mobile devices of Russian users from February 2015. This Trojan is interesting due to its ability to steal logins, passwords, and other confidential data by displaying fraudulent authentication forms on top of any applications. The appearance of such forms is generated on --------------------------------------------- http://news.drweb.com/show/?i=9754&lng=en&c=9 *** Security Afterworks: Wie man TLS-Hipster wird & Best of CCC *** --------------------------------------------- January 21, 2016 - 5:00 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-wie-man-tls-hipster… *** ZDI-15-639: (0Day) Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-639/ *** ZDI-15-638: (0Day) Apache TomEE Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache TomEE. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-638/ *** Security Advisory: RSA-CRT key leak vulnerability CVE-2015-5738 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/91/sol91245485.html?… *** Cisco Unified Communications Manager Web Management Interface Cross-Site Scripting Filter Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS XE Software IPv6 Neighbor Discovery Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unified Communications Manager Web Applications Identity Management Subsystem Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Notice - Statement on NTP.org and CERT/CC Revealing Security Vulnerabilities in NTPd *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** TYPO3 CMS 6.2.16 and 7.6.1 released *** --------------------------------------------- The TYPO3 Community announces the versions 6.2.16 LTS and 7.6.1 LTS of the TYPO3 Enterprise Content Management System. Both versions are maintenance releases and contain bug and security fixes. In case the extension mediace is used, please make sure to upgrade to version 7.6.1. --------------------------------------------- http://www.typo3.org/news/article/typo3-cms-6216-and-761-released/ --------------------------------------------- *** Cross-Site Scripting in TYPO3 component Indexed Search *** http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-i… --------------------------------------------- *** TYPO3 is susceptible to Cross-Site Flashing *** http://www.typo3.org/news/article/typo3-is-susceptible-to-cross-site-flashi… --------------------------------------------- *** Multiple Cross-Site Scripting vulnerabilities in frontend *** http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili… --------------------------------------------- *** Cross-Site Scripting vulnerability in typolinks *** http://www.typo3.org/news/article/cross-site-scripting-vulnerability-in-typ… --------------------------------------------- *** Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend *** http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili… --------------------------------------------- *** Cross-Site Scripting in TYPO3 component Extension Manager *** http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-e… ---------------------------------------------

1 0

Tageszusammenfassung - Montag 14-12-2015
by Daily end-of-shift report 14 Dec '15

14 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-12-2015 18:00 − Montag 14-12-2015 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** IBM Security Bulletin *** --------------------------------------------- *** Vulnerability in Apache Commons affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972391 --------------------------------------------- ***Vulnerability in Apache Commons affects Tivoli Network Manager Transmission Edition (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971891 --------------------------------------------- ***Vulnerability in Apache Commons affects Rational Developer for System z (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971643 --------------------------------------------- ***Vulnerability in the IBM Installation Manager script (CVE-2015-7442) *** http://www.ibm.com/support/docview.wss?uid=swg21971295 --------------------------------------------- ***Vulnerability in Apache Commons affects Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972753 --------------------------------------------- ***Vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21972951 --------------------------------------------- ***A security vulnerability has been identified in IBM Maximo Asset Management which could allow an attacker to obtain sensitive information via REST API (CVE-2015-7452) *** http://www.ibm.com/support/docview.wss?uid=swg21972463 --------------------------------------------- ***IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2015-7451) *** http://www.ibm.com/support/docview.wss?uid=swg21972423 --------------------------------------------- ***IBM Security Network Intrusion Prevention System is affected by krb5 vulnerabilities (CVE-2014-4341, CVE-2013-1418 ) *** http://www.ibm.com/support/docview.wss?uid=swg21970321 --------------------------------------------- ***A vulnerability in OpenSSH affects IBM Security Network Intrusion Prevention System (CVE-2015-5600) *** http://www.ibm.com/support/docview.wss?uid=swg21969673 --------------------------------------------- ***A vulnerability in net-snmp affects IBM Security Network Intrusion Prevention System (CVE-2014-3565) *** http://www.ibm.com/support/docview.wss?uid=swg21972208 --------------------------------------------- ***Vulnerabilities in curl affect IBM Security Network Intrusion Prevention System *** http://www.ibm.com/support/docview.wss?uid=swg21968978 --------------------------------------------- ***A security vulnerability has been identified in IBM Rational ClearQuest (CVE-2015-4996) *** http://www.ibm.com/support/docview.wss?uid=swg21972331 --------------------------------------------- ***Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-2601, CVE-2015-1931, CVE-2015-2625) *** http://www.ibm.com/support/docview.wss?uid=swg21972941 --------------------------------------------- ***Vulnerabilities in OpenSSL affect IBM Cognos Planning(CVE-2015-1789, CVE-2015-1790, CVE-2015-1792) *** http://www.ibm.com/support/docview.wss?uid=swg21971729 --------------------------------------------- *** Website Malware - Evolution of Pseudo Darkleech *** --------------------------------------------- Last March we described a WordPress attack that was responsible for hidden iframe injections that resembled Darkleech injections: declarations of styles with random names and coordinates, iframes with No-IP host names, and random dimensions where the .. --------------------------------------------- https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html *** iTunes 12.3.2 *** --------------------------------------------- https://support.apple.com/kb/HT205636 *** Security Advisory: Apache Groovy vulnerability CVE-2015-3253 *** --------------------------------------------- The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. (CVE-2015-3253) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49233165.html *** Security Update 2015-006 Yosemite *** --------------------------------------------- https://support.apple.com/kb/HT205653 *** OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks *** --------------------------------------------- https://support.apple.com/kb/HT205637 *** OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks *** --------------------------------------------- https://support.apple.com/kb/HT205375 *** What Signs Are You Missing? *** --------------------------------------------- While recently listening to a presentation, I found my attention drawn to a metal water container at the center of the conference room table. Condensation was all around it and without ever having to interact with the container, I found .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20481 *** Google Bans Symantec Root Certificates *** --------------------------------------------- An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 .. --------------------------------------------- http://tech.slashdot.org/story/15/12/12/2255212/google-bans-symantec-root-c… *** DSA-3416 libphp-phpmailer - security update *** --------------------------------------------- Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library foremail transfer, used by many CMSs. The library accepted email addressesand SMTP commands containing line breaks, which can be abused by anattacker to inject messages. --------------------------------------------- https://www.debian.org/security/2015/dsa-3416 *** Memory-resident modular malware menaces moneymen *** --------------------------------------------- Latentbot avoids your HDD - and its been off the radar for two years A stealthy strain of malware resident only in memory has been quietly pwning victims around the world for two years. --------------------------------------------- www.theregister.co.uk/2015/12/14/latentbot_memory_resident_malware/ *** Lenovo/CSR: Bluetooth-Treiber installiert Root-Zertifikat *** --------------------------------------------- Ein Bluetooth-Treiber für Chips der Firma CSR installiert zwei Root-Zertifikate, mit denen der Besitzer des privaten Schlüssels HTTPS-Verbindungen angreifen könnte. Offenbar handelt es sich um Testzertifikate zur Treibersignierung während der Entwicklung. --------------------------------------------- http://www.golem.de/news/lenovo-csr-bluetooth-treiber-installiert-root-zert… *** Inside the German cybercriminal underground *** --------------------------------------------- Trend Micro investigated on German crime forums and concluded that Germany possesses the most advanced cybercrime ecosystem in the European Union. We have reported several times the news related to various criminal cybercriminal .. --------------------------------------------- http://securityaffairs.co/wordpress/42802/cyber-crime/german-cybercriminal-… *** [20151214] - Core - Remote Code Execution Vulnerability *** --------------------------------------------- Browser information are not filtered properly while saving the session values into the database what leads to a Remote Code Execution vulnerability. --------------------------------------------- https://developer.joomla.org/security-centre/630-20151214-core-remote-code-… *** [20151214] - Core - CSRF Hardening *** --------------------------------------------- Add additional CSRF hardening in com_templates. --------------------------------------------- https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardeni… *** [20151214] - Core - Directory Traversal *** --------------------------------------------- Fails to properly sanitise input data from the XML install file located within the package archive. --------------------------------------------- https://developer.joomla.org/security-centre/634-20151214-core-directory-tr… *** Bugtraq: ERPSCAN Research Advisory [ERPSCAN-15-022] SAP NetWeaver 7.4 - XSS *** --------------------------------------------- http://www.securityfocus.com/archive/1/537111 *** Bugtraq: [ERPSCAN-15-021] SAP NetWeaver 7.4 - SQL Injection vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/537109 *** Sicherheitsforscher: Datenleck bei Mackeeper erlaubt freien Zugriff auf Nutzerdaten *** --------------------------------------------- Die Datenbank der umstrittetenen Mac-Software Mackeeper sei frei zugänglich, erklärt ein Sicherheitsforscher. Er habe 13 Millionen Datensätze mit Nutzerinformationen ungehindert heruntergeladen. --------------------------------------------- http://heise.de/-3043720

1 0

Tageszusammenfassung - Freitag 11-12-2015
by Daily end-of-shift report 11 Dec '15

11 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-12-2015 18:00 − Freitag 11-12-2015 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** NIST will Feedback zur Absicherung von kritischer Infrastruktur *** --------------------------------------------- Die US-Standardisierungsbehörde möchte ihr Richtlinienpapier zur IT-Sicherheit von Kraftwerken und Industrieanlagen verbessern und bittet um Mithilfe. Allerdings ist das NIST bei Sicherheitsexperten momentan nicht gerade unumstritten. --------------------------------------------- http://heise.de/-3042666 *** New Spy Banker Trojan Telax abusing Google Cloud Servers *** --------------------------------------------- Introduction Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax. --------------------------------------------- http://research.zscaler.com/2015/12/new-spy-banker-trojan-telax-abusing.html *** Open Automation Software OPC Systems NET DLL Hijacking Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a DLL Hijacking vulnerability in Open Automation Software's OPC Systems.NET application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-344-02 *** XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-342-01 XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability that was published December 8, 2015, on the NCCIC/ICS-CERT web site. This advisory provides mitigations details for a cross-site scripting vulnerability in XZERES's 442SR turbine generator operating system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01 *** Everything old is new again - Blackhole exploit kit since November 2015, (Fri, Dec 11th) *** --------------------------------------------- Last month, the Malwarebytes blog posted an article about Blackhole exploit kit (EK) resurfacing in active drive-by campaigns from compromised websites. At the time, I hadnt noticed this trend, because the Windows hosts I was using to generate EK traffic were a bit too up-to-date. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20477&rss *** New SWITCH Security Report available - Invitation to take part in a Reader Survey *** --------------------------------------------- A new issue of our monthly SWITCH Security Report has just been released. --------------------------------------------- http://securityblog.switch.ch/2015/12/09/new-switch-security-report-availab… *** Zend Framework vulnerable to SQL injection *** --------------------------------------------- Zend Framework contains an SQL injection vulnerability (CWE-89) due to the argument of the ORDER BY clause. An attacker who can access the product may execute SQL commands. --------------------------------------------- http://jvn.jp/en/jp/JVN71730320/ *** Totgesagte leben länger: Facebook und Cloudflare setzen weiter auf SHA-1 *** --------------------------------------------- Mit SHA-1 signierte SSL/TLS-Zertifikate gelten schon lange als unsicher und es gibt seit einiger Zeit erste praktische Angriffe. Trotzdem wollen wichtige Dienstanbieter wie Facebook und Cloudflare auf unbestimmte Zeit an SHA-1 festhalten. --------------------------------------------- http://heise.de/-3041665 *** Advantech EKI Vulnerabilities *** --------------------------------------------- This advisory provides information regarding several vulnerabilities in Advantech's EKI devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Unified Email Interaction Manager and Cisco Unified Web Interaction Manager XSS Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Small Business RV Series and SA500 Series Dual WAN VPN Router Generated Key Pair Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Emergency Responder Web Framework Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images - OpenSSL vulnerabilities (CVE-2015-1791, CVE-2015-1792, CVE-2015-1788, CVE-2015-1789,CVE-2015-1790) *** http://www.ibm.com/support/docview.wss?uid=swg21971248 --------------------------------------------- *** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919) *** http://www.ibm.com/support/docview.wss?uid=swg21970398 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21972650 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21963120 --------------------------------------------- *** Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21971177 --------------------------------------------- *** Multiple vulnerabilities in OpenSSH, GNU C Library (glibc), and OpenSSL, including Logjam, affect Integrated Management Module II (IMM2) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099032 --------------------------------------------- *** Vulnerabilities in openssh affect Power Hardware Management Console (CVE-2015-5600) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021006 --------------------------------------------- *** A vulnerability in Libxml affects IBM Security Network Protection (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21969664 --------------------------------------------- *** A vulnerability in GNU glibc affects IBM Security Network Protection (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21967169 --------------------------------------------- *** Multiple vulnerability fixes for Rational Lifecycle Integration Adapter for HP ALM (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21972785 --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK affect the IBM Installation Manager and IBM Packaging Utility (CVE-2015-2625 and CVE-2015-1931 ) *** http://www.ibm.com/support/docview.wss?uid=swg21972707 --------------------------------------------- *** Vulnerability in spice affects IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-5261, CVE-2015-5260) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000009 --------------------------------------------- *** Vulnerability in IBM Java Runtime affects IBM Content Classification CVE-2015-4844 *** http://www.ibm.com/support/docview.wss?uid=swg21971760 --------------------------------------------- *** Vulnerability in Apache Commons affects Rational Developer for i, Rational Developer for AIX and Linux and Rational Developer for Power Systems Software (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971814 --------------------------------------------- *** ´Vulnerability in Apache Commons affects IBM Rational Application Developer for WebSphere Software (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972565 --------------------------------------------- *** Multiple vulnerability in Product IBM Tivoli Common Reporting (CVE-2015-7436,CVE-2015-7435,CVE-2012-6153,CVE-2014-3577,CVE-2015-7450,CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21972799 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Web Interface for Content Management (WEBi) (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972903 --------------------------------------------- *** Vulnerability in Apache Commons affects FileNet Collaboration Services/IBM FileNet Services for Lotus Quickr (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972902 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Integration Designer (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971371 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 10-12-2015
by Daily end-of-shift report 10 Dec '15

10 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-12-2015 18:00 − Donnerstag 10-12-2015 18:00 Handler: Taranis Admin Co-Handler: n/a *** Server Security: OSSEC Updated With GeoIP Support *** --------------------------------------------- We leverage OSSEC extensively to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source Host-Based Intrusion Detection System (HIDS); it has a powerful correlation and analysis engine that integrates .. --------------------------------------------- https://blog.sucuri.net/2015/12/ossec-with-geoip.html *** Cisco Unity Connection Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco TelePresence Video Communication Server Expressway Web Framework Code Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cybercrime News Results In Cybercrime Blues *** --------------------------------------------- FireEye Labs recently spotted a 2011 article on cybercrime from the news site theguardian[.]com that redirects users to the Angler Exploit Kit. Successful exploitation by Angler resulted in a malware infection for readers of the article. A spokesperson for the guardian[.]com responded that they "are aware of FireEye's claims and are working to rectify the issue in question as soon as possible." --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/12/cybercrime-news.html *** Inside Chimera Ransomware - the first 'doxingware' in wild *** --------------------------------------------- Ransomware have proven to be a good source of money for cybercriminals. The Chimera ransomware comes with several ideas that are novel and may slowly become a new trend. --------------------------------------------- https://blog.malwarebytes.org/intelligence/2015/12/inside-chimera-ransomwar… *** PuTTY ECH Integer Overflow Lets Remote Users Execute Arbitrary Code on the Target Users System *** --------------------------------------------- http://www.securitytracker.com/id/1034308 *** MS15-DEC - Microsoft Security Bulletin Summary for December 2015 - Version: 1.1 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS15-DEC *** American hacker duo throws pwns on IoT BBQs, grills open admin *** --------------------------------------------- Half-baked code a feast for attackers because Thing-builders are hopeless Kiwicon American hardware hackers have ruined Christmas cooks ups across Australia, revealing gaping .. --------------------------------------------- www.theregister.co.uk/2015/12/10/american_hacker_duo_throws_pwns_on_iot_bbq… *** Valve Software: 77.000 Nutzerkonten pro Monat auf Steam ausgeplündert *** --------------------------------------------- Um Nutzer vor dem Diebstahl virtueller Güter auf Steam zu schützen, führt Valve neue Regeln für den Verkauf ein. Das scheint nötig: Seitdem der Handel etwa mit Gegenständen aus Dota 2 möglich ist, sind immer mehr Nutzer ins Visier von Hackern geraten. --------------------------------------------- http://www.golem.de/news/valve-software-77-000-nutzerkonten-pro-monat-auf-s… *** Kaspersky Security Bulletin 2015. Evolution of cyber threats in the corporate sector *** --------------------------------------------- The data collected from Kaspersky Lab products shows that the tools used to attack businesses differ from those used against home users. Let's have a look back at the major incidents of 2015 and at the new trends we have observed in information security within the business environment. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/72969/kaspersky-… *** Finale Version vom Passwortmanager KeePassX 2.0 erschienen *** --------------------------------------------- KeePassX ist nach rund dreieinhalb Jahren Entwicklungszeit in der finalen Version 2.0 angekommen. --------------------------------------------- http://heise.de/-3038771 *** HTTPS: Cloudflare und Facebook wollen SHA1 weiternutzen *** --------------------------------------------- Eigentlich sollen mit SHA1 signierte TLS-Zertifikate bald der Vergangenheit angehören. Doch in Entwicklungsländern sind noch viele Geräte in Benutzung, die den besseren SHA256-Algorithmus nicht unterstützen. Facebook und Cloudflare wollen daher alten Browsern ein anderes Zertifikat ausliefern. --------------------------------------------- http://www.golem.de/news/https-cloudflare-und-facebook-wollen-sha1-weiternu… *** Cisco untersucht eigenes Portfolio auf gefährliche Java-Lücke *** --------------------------------------------- Die weit verbreitete Java-Bibliothek Apache Common Collections ist verwundbar. Cisco untersucht nun, ob die Lücken in seinen Anwendungen und Geräten klafft. Außerdem wurden weitere potentiell angreifbare Java-Bibliotheken entdeckt. --------------------------------------------- http://heise.de/-3039533 *** [2015-12-10] Skybox Platform Multiple Vulnerabilities *** --------------------------------------------- The Skybox platform contains multiple security vulnerabilities which can be exploited by an attacker to execute arbitrary code and to read arbitrary files from the file system. Moreover a SQL injection and various Cross-Site scripting vulnerabilities have been identified. Attackers can exploit these issues to completely compromise affected Skybox appliances. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** WordPress hosting biz confesses to breach, urgently contacts 30,000 users *** --------------------------------------------- We're 'proactively taking security measures' - WP Engine WordPress hosting outfit WP Engine has confessed to a security breach, prompting it to reset 30,000 customers passwords. --------------------------------------------- www.theregister.co.uk/2015/12/10/wordpress_hosting_biz_confesses_to_hack/

1 0

Tageszusammenfassung - Mittwoch 9-12-2015
by Daily end-of-shift report 09 Dec '15

09 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 07-12-2015 18:00 − Mittwoch 09-12-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Email Tracking for Dummies *** --------------------------------------------- Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Let's imagine a first scenario: Alice sends a mail to Bob. Bob reads Alice's email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging .. --------------------------------------------- https://blog.rootshell.be/2015/12/07/email-tracking-for-dummies/ *** Another Brick in the FrameworkPoS *** --------------------------------------------- FrameworkPoS is a well-documented family of malware that targets Point of Sale (PoS) systems and has been attributed to at least one high profile retail breach. The malware author(s) have continued to improve upon the original malware, releasing .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Another-Brick-in-the-Fr… *** EU verschärft Regeln zur Cybersicherheit *** --------------------------------------------- Internetkonzerne müssen schwere Hackerangriffe künftig den Behörden melden - derstandard.at/2000027140552/EU-verschaerft-Regeln-zur-Cybersicherheit --------------------------------------------- http://derstandard.at/2000027140552 *** Bitcoin Extortionist Copycats on the Rise, Experts Say *** --------------------------------------------- Experts believe that the success tied to a recent spate of DDoS for hire groups may be because many are copycat collectives operating with a shorter lifespan. --------------------------------------------- http://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts-say… *** Citrix NetScaler Service Delivery Appliance Multiple Security Updates *** --------------------------------------------- http://support.citrix.com/article/CTX202482 *** Day 2: UK research network Janet still being slapped by DDoS attack *** --------------------------------------------- DNS services appear to be targeted, switching may work Members of UKs academic community from freshers to senior academics are facing more connection issues today as a persistent and continuous DDoS attack against the academic computer network Janet continues to stretch resources. --------------------------------------------- www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/ *** The German Underground: Buying and Selling Goods via Droppers *** --------------------------------------------- We have frequently talked about how the Deep Web is used as a venue for the illegal trade in weapons and drugs. This part of the cybercrime underground includes a German-speaking community. Our new research examines these sites in some detail. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/the-german-under… *** Authentifikation von McAfees Enterprise Security Manager löchrig *** --------------------------------------------- Angreifer können sich mit einem speziellen Nutzernamen und einem beliebigen Passwort beim Enterprise Security Manager von McAfee anmelden. Gefixte Versionen stehen bereit. --------------------------------------------- http://heise.de/-3036068 *** Security Updates Available for Adobe Flash Player (APSB15-32) *** --------------------------------------------- A security bulletin (APSB15-32) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1302 *** MS15-DEC - Microsoft Security Bulletin Summary for December 2015 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS15-DEC *** Apple Patches Everything, (Tue, Dec 8th) *** --------------------------------------------- And to not be outdone by Microsoft and Adobe, Apple just released patches for: iOS 9.2 A total of 50 vulnerabilities (CVE IDs) are addressed. About 10 of them affect WebKit and may lead to arbitrary code execution by visiting a malicious .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20465 *** Cisco Wireless Residential Gateway Stored Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** ZDI-15-624: Wireshark PCAPNG if_filter Arbitrary Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wireshark. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-624/ *** Adobe, Microsoft Each Plug 70+ Security Holes *** --------------------------------------------- Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/RuUekEfVS0g/ *** XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability *** --------------------------------------------- This advisory provides mitigations details for a cross-site scripting vulnerability in XZERES's 442SR turbine generator operating system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01 *** LOYTEC Router Information Exposure Vulnerability *** --------------------------------------------- This advisory provides mitigations details for a password file vulnerability in LOYTEC's LIP-3ECTB routers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-342-02 *** Pacom 1000 CCU GMS System Cryptographic Implementation Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for crypto implementation flaws in the Pacom GMS system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03 *** Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-300-03 Rockwell Automation MicroLogix 1100 and 1400 PLC Systems Vulnerabilities that was published October 27, 2015, on the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in the Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A *** Analyzing Bartalex - A Prolific Malware Distributor *** --------------------------------------------- Bartalex is a name that continues to appear in a cyberthief�s arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware. The SANS ISC recently published a very interesting technical analysis of Bartalex. With this post, we hope to add a little more color and supplement what you already know about this prolific malware distributor. --------------------------------------------- https://blog.phishlabs.com/bartalex *** Blog of News Site 'The Independent' Hacked, Leads to TeslaCrypt Ransomware *** --------------------------------------------- The blog page of one of the leading media sites in the United Kingdom, 'The Independent' has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/blog-of-news-sit… *** Enforcing USB Storage Policy with PowerShell, (Wed, Dec 9th) *** --------------------------------------------- In a previous diary, I presented the CIRCLean (USB sanitizer) developed by the Luxembourg CERT (circl.lu). This tool is very useful to sanitize suspicious USBsticks but it lacks of control and enforcement. Nevertheless, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20469 *** Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate *** --------------------------------------------- On September 11, 2015 I visited Media Markt in Utrecht Hoog Catherijne, a well-known electronics shop in The Netherlands. Since summer 2014, the biggest independent Dutch phone retail company Phone House also operates (white labeled) from within Media Markt locations as a store-in-a-store .. --------------------------------------------- http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-provider… *** Verschlüsselungstrojaner: Neue TeslaCrypt-Version grassiert *** --------------------------------------------- Ransomware ist der absolute Renner in der Crimeware-Szene. Seit einigen Tagen gibt es vermehrt Hinweise auf Infektionen durch eine neue Version des Verschlüsselungstrojaners TeslaCrypt, der Dateien verschlüsselt und mit der Endung .vvv versieht. --------------------------------------------- http://heise.de/-3037099 *** Audit und Web-Client: Kritik an SSL/TLS-Zertifizierungsstelle Lets Encrypt *** --------------------------------------------- Die Tätigkeit von Let's Encrypt als Zertifizierungsstelle wurde noch nicht der vorgeschriebenen Sicherheitsprüfung unterzogen. Trotzdem stellt die CA schon Zertifikate aus. --------------------------------------------- http://heise.de/-3031849 *** POS Security: What You Need To Know *** --------------------------------------------- October 1, 2015 marked the deadline set by credit card issuers to shift liability for fraudulent activity from card issuers or payment processors to the party that is the least Europay-Mastercard-Visa (EMV) compliant during a fraudulent .. --------------------------------------------- https://www.alienvault.com/open-threat-exchange/blog/pos-security-what-you-… *** Cisco Prime Collaboration Assurance Default Account Credential Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Montag 7-12-2015
by Daily end-of-shift report 07 Dec '15

07 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 04-12-2015 18:00 − Montag 07-12-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** OpenSSL-Sicherheits-Update und Abschied von Altlasten *** --------------------------------------------- Im Rahmen eines Sicherheits-Updates verkündet das OpenSSL-Team, dass die Versionen 0.9.8 und 1.0.0 keine weiteren Updates mehr erhalten werden. Deren Nutzer sollten dringend auf neuere Versionen umsteigen. --------------------------------------------- http://heise.de/-3032678 *** Bundestags-Hacker greifen weitere Nato-Staaten an *** --------------------------------------------- Die professionellen Cyberattacken wurden mit hohem personellen und finanziellen Aufwand durchgeführt --------------------------------------------- http://derstandard.at/2000026983302 *** Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Botconf 2015 Wrap-Up Day #3 *** --------------------------------------------- And here is my wrap-up for the third day of the conference. Again a bunch of interesting talks. The first to join the floor was Yonathan Klijnsma who presented a nice history of the famous ransomware: Cryptowall. This ransomware has already .. --------------------------------------------- https://blog.rootshell.be/2015/12/04/botconf-2015-wrap-up-day-3/ *** Between a Rock and a Hard Link *** --------------------------------------------- In a previous blog post I described some of the changes that Microsoft has made to the handling of symbolic links from a sandboxed process. This has an impact on the exploitation of privileged file .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.ht… *** Microsoft assists law enforcement to help disrupt Dorkbot botnets *** --------------------------------------------- Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families - Win32/Dorkbot. This malware family has infected more than .. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/12/03/microsoft-assists-law-en… *** Variety Jones, Alleged Silk Road Mentor, Arrested in Thailand *** --------------------------------------------- Variety Jones, the alleged mentor and adviser to the Silk Roads creator, has finally been arrested in Thailand. --------------------------------------------- http://www.wired.com/2015/12/variety-jones-alleged-silk-road-mentor-arreste… *** A Micro-view of Macro Malware *** --------------------------------------------- Dridex is a botnet with multiple features, it is most known for stealing people's credentials on finance-related web sites. Despite the arrest of the gang behind the .. --------------------------------------------- http://labs.bromium.com/2015/12/03/a-micro-view-of-macro-malware/ *** Augen auf beim Weihnachts-Phish *** --------------------------------------------- In der Hoffnung auf satte Gewinne haben Kriminelle kräftig in ein möglichst authentisches Erscheinungsbild ihrer Phishing-Kampagnen investiert. Es wird immer schwieriger, nicht auf die zum Teil fast perfekten Fälschungen hereinzufallen. --------------------------------------------- http://heise.de/-3032829 *** Hello Barbie: Sicherheitsalbtraum im Kinderzimmer *** --------------------------------------------- Interaktive Puppe für Kinder nun auch mit Lücken im Server und in der App --------------------------------------------- http://derstandard.at/2000027045918 *** Netzwerk-Tools: Wireshark 2.0 und Nmap 7 veröffentlicht *** --------------------------------------------- Passwort-Cracker hashcat nun Open-Source --------------------------------------------- http://derstandard.at/2000027085336 *** GEOVAP Reliance 4 Control Server Unquoted Service Path Elevation Of Privilege *** --------------------------------------------- The application suffers from an unquoted search path issue impacting the service RelianceOpcDaWrapper for Windows deployed as part of Reliance 4 SCADA/HMI system installer including Reliance OPC Server. This could potentially allow an authorized .. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5285.php *** Web Analytics Service vulnerable to cross-site scripting *** --------------------------------------------- The JavaScript module for using Web Analytics Service which was provided by NTT DATA Smart Sourcing Corporation contains a cross-site scripting vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN70083512/ *** Thriving Beyond The Operating System: Financial Threat Group TargetsVolume Boot Record *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-reco… *** Yahoo Mail: Webbrowser führten beliebigen Code in E-Mails aus *** --------------------------------------------- Nutzer, die mobil E-Mails von ihrem Yahoo-Konto abrufen, waren bedroht und Angreifer hätten ihnen ohne viel Aufwand Schadcode unterschieben können. --------------------------------------------- http://heise.de/-3033689 *** UK research network Janet under ongoing and persistent DDoS attack *** --------------------------------------------- Attackers seem to be adjusting methods in response to Tweets Publicly-funded academic computer network Janet has come under a persistent DDoS attack today, which hobbled multiple .. --------------------------------------------- www.theregister.co.uk/2015/12/07/janet_under_persistent_ddos_attack/ *** Security Advisory: AOL Desktop MiTM Remote File Write and Code Execution *** --------------------------------------------- AOL Desktop is "the all-in-one experience with mail, instant messaging, browsing, search, content, and dial-up connectivity". It is the direct successor of the old Windows AOL clients from the 1990s. Issues in AOL Desktop, version .. --------------------------------------------- http://lizardhq.org/2015/12/05/aol-desktop.html Aufgrund des Feiertages am morgigen Dienstag, den 08.12.2015, erscheint der nächste End-of-Shift Report erst am 09.12.2015.

1 0

Tageszusammenfassung - Freitag 4-12-2015
by Daily end-of-shift report 04 Dec '15

04 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 03-12-2015 18:00 − Freitag 04-12-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** No more security fixes for older OpenSSL branches *** --------------------------------------------- The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches they will likely be the last security updates.This could spell trouble for some enterprise applications that bundle the 0.9.8 or 1.0.0 versions of OpenSSL and for older systems -- embedded devices in particular -- where updates are rare.OpenSSL 1.0.0t and 0.9.8zh, which were released Thursday, are expected to be the last updates because support for these... --------------------------------------------- http://www.cio.com/article/3011882/no-more-security-fixes-for-older-openssl… *** Automatic MIME Attachments Triage *** --------------------------------------------- [The post Automatic MIME Attachments Triage has been first published on /dev/random]A few weeks ago I posted a diary on the ISC SANS website about a script to automate the extraction and analyze of MIME attachments in emails. Being the happy owner of an old domain (15y), this domain is present in all spammer's mailing lists. I'm receiving a lot of spam and I like it. It helps me to collect interesting files and URLs. But... --------------------------------------------- https://blog.rootshell.be/2015/12/04/automatic-mime-attachments-triage/ *** Automating Phishing Analysis using BRO, (Fri, Dec 4th) *** --------------------------------------------- Determining the effectiveness of Phishing campaigns using metrics is great to be able to target awareness training for users and determining the effectiveness of your technical controls. The main questions you are trying to answer are : How many people were targeted by the phish? How many people replied? (If applicable) How many people visited the website in the email? How many people submitted credentials to the website? --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20441&rss *** "Bau keine eigenen Protokolle": Vodafone verletzt mit Secure E-Mail die erste Kryptoregel *** --------------------------------------------- Vodafones neuer E-Mail-Dienst Secure E-Mail soll den Austausch verschlüsselter E-Mails kinderleicht machen. Das Unternehmen macht jedoch in seiner Ankündigung kaum Angaben zur Sicherheit der verwendeten Verfahren. Deshalb haben wir nachgefragt - und sind verwirrt. --------------------------------------------- http://www.golem.de/news/bau-keine-eigenen-protokolle-vodafone-verletzt-mit… *** New edition of Windows 10 turns security nightmares into reality *** --------------------------------------------- Windows 10 IoT Core Pro lets thing-makers opt-out of security updates Microsofts released a new edition of Windows 10. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/new_version… *** An Introduction to Image File Execution Options *** --------------------------------------------- Image File Execution Options are used to intercept calls to an executable. Its in use for debugging, replacing and stopping specific executables.Categories: All Things DevTags: IFEOImage File Execution OptionsPieter ArntzregistrySecurity.hijack(Read more...) --------------------------------------------- https://blog.malwarebytes.org/development/2015/12/an-introduction-to-image-… *** Can you keep Linux-based ransomware from attacking your servers? *** --------------------------------------------- According to SophosLabs, Linux/Ransm-C ransomware is one example of the new Linux-based ransomware attacks, which in this case is built into a small command line program and designed to help crooks extort money through Linux servers. These Linux ransomware attacks are moving away from targeting end users and gravitating toward targeting Linux servers, web servers specifically, with a piece of software that encrypts data and is similar to what we've seen in previous years such as... --------------------------------------------- http://www.csoonline.com/article/3010996/application-security/can-you-keep-… *** Serverseitiges JavaScript: Node.js-Patch nun verfügbar *** --------------------------------------------- Das Update adressiert die letzte Woche gemeldete DoS-Schwachstelle und den Zugriffsfehler bei der JavaScript-Engine V8. Gleichzeitig umfasst es die ebenfalls diese Woche aktualisierten OpenSSL-Bibliotheken. --------------------------------------------- http://heise.de/-3031934 *** XML Secure Coding *** --------------------------------------------- ABSTRACT The XML (Extensible markup language) is a buzzword over the internet, rapidly maturing technology with powerful real world application, especially for management, organization, and exhibition of data. XML technology is solely concerned with the structure and description of data that are typically transported across the network in a bid for easily sharing between diverse... --------------------------------------------- http://resources.infosecinstitute.com/xml-secure-coding/ *** White hats, FBI and cops team up for Dorkbot botnet takedown *** --------------------------------------------- Your four-year reign of terror is (temporarily) over Operations of the Dorkbot botnet have been disrupted following an operation that brought together law enforcement agencies led by the FBI, Interpol and Europol, and various infosec firms. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/dorkbot_bot… *** Millions of smart TVs, phones and routers at risk from old vulnerability *** --------------------------------------------- A three-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasnt been patched by many vendors, thus posing a risk, according to Trend Micro.Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst."These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all... --------------------------------------------- http://www.cio.com/article/3012073/security/millions-of-smart-tvs-phones-an… *** hashcat and oclHashcat have gone open source *** --------------------------------------------- https://hashcat.net/forum/thread-4880.html https://github.com/hashcat/ *** DSA-3413 openssl - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in OpenSSL, a SecureSockets Layer toolkit. The Common Vulnerabilities and Exposures projectidentifies the following issues: --------------------------------------------- https://www.debian.org/security/2015/dsa-3413 *** DFN-CERT-2015-1868: Redis: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1868/ *** Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Standards Processing Engine (CVE-2015-7450) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21972329 *** IBM Security Bulletin: Vulnerability in Apache Commons affects Watson Explorer and Watson Content Analytics (CVE-2015-7450) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971733 *** IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by multiple vulnerabilities in OpenSSL including Logjam *** --------------------------------------------- http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098960 *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2015-7450) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21972215 *** VU#294607: Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF *** --------------------------------------------- Vulnerability Note VU#294607 Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF Original Release date: 04 Dec 2015 | Last revised: 04 Dec 2015 Overview The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges. Description CWE-732: Incorrect Permission Assignment for Critical ResourceLenovo Solution Center creates a service called LSCTaskService, which runs with... --------------------------------------------- http://www.kb.cert.org/vuls/id/294607 *** SearchBlox File Exfiltration Vulnerability *** --------------------------------------------- This advisory provides mitigations details for a file exfiltration vulnerability in SearchBlox's web-based proprietary search engine application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-337-01 *** Honeywell Midas Gas Detector Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on November 5, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for two vulnerabilities in Honeywell's Midas gas detector. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-309-02 *** WordPress Cool Video Gallery 1.9 Command Injection *** --------------------------------------------- Topic: WordPress Cool Video Gallery 1.9 Command Injection Risk: Low Text:Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-11-29 ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015120031

1 0

Tageszusammenfassung - Donnerstag 3-12-2015
by Daily end-of-shift report 03 Dec '15

03 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 02-12-2015 18:00 − Donnerstag 03-12-2015 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** Botconf 2015 Wrap-Up Day #1 *** --------------------------------------------- [The post Botconf 2015 Wrap-Up Day #1 has been first published on /dev/random]Here we go for a new edition of the Botconf edition. Already the third one. This conference is moving every year across France and, after Nantes and Nancy, the organizers chose Paris and more precisely the Google France venue! --------------------------------------------- https://blog.rootshell.be/2015/12/02/botconf-2015-wrap-up-day-1/ *** ElasticZombie Botnet - Exploiting Elasticsearch Vulnerabilities *** --------------------------------------------- With the rise of inexpensive Virtual Servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote Code Execution), like CVE-2015-5377 and CVE-2015-1427, this year will be an interesting one for Elasticsearch. --------------------------------------------- https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-e… *** Industrial control system gateway fix opens Heartbleed, Shellshock *** --------------------------------------------- Metasploit module released to make 0day pwnage easy Rapid 7 security man Todd Beardsley says new firmware released to patch hardcoded SSH keys in Advantech EKI industrial control system gateways contains known brutal flaws including Shellshock, Heartbleed, and buffer overflows. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/industrial_… *** DSA-3411 cups-filters - security update *** --------------------------------------------- Michal Kowalczyk discovered that missing input sanitising in thefoomatic-rip print filter might result in the execution of arbitrarycommands. --------------------------------------------- https://www.debian.org/security/2015/dsa-3411 *** DFN-CERT-2015-1857/">Red Hat JBoss Enterprise Application Platform: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1857/ *** 3G/4G cellural USB modems are full of critical security flaws, many 0-days *** --------------------------------------------- An analysis of popular 3G and 4G cellural USB modems and routers used around the world revealed a myriad of serious vulnerabilities in each of them. --------------------------------------------- http://www.net-security.org/secworld.php?id=19182 *** Kaspersky Security Bulletin 2015. Top security stories *** --------------------------------------------- The end of the year is traditionally a time for reflection - for taking stock of our lives before considering what lies ahead. We'd like to offer our customary retrospective of the key events that have shaped the threat landscape in 2015. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/72886/kaspersky-… *** A Case Study of Information Stealers: Part I *** --------------------------------------------- Introduction: A stealer is a type of malware that looks for passwords stored on the machine and sends them remotely (e.g. mail, HTTP) to an attacker. Most stealers use a web interface to facilitate browsing the data, especially if the targeted number of victims is important. --------------------------------------------- http://resources.infosecinstitute.com/a-case-study-of-information-stealers-… *** Report: Scripting languages most vulnerable, mobile apps need better crypto *** --------------------------------------------- According to an analysis of over 200,000 applications, PHP is the programming language with the most vulnerabilities, mobile apps suffer from cryptography problems, and developers are more likely to fix errors found with static instead of dynamic analysis. --------------------------------------------- http://www.cio.com/article/3011668/encryption/report-scripting-languages-mo… *** Botnetzbetreiber nutzen Dropbox als toten Briefkasten *** --------------------------------------------- Die Malware Lowball soll Dropbox-Accounts missbrauchen, um infizierte Rechner in einem Botnetz anzusteuern. So wollen Online-Kriminelle Ermittlern die Spurensuche erschweren. --------------------------------------------- http://heise.de/-3030993 *** Worldwide Cryptographic Products Survey: Edits and Additions Wanted *** --------------------------------------------- Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages. --------------------------------------------- https://www.schneier.com/blog/archives/2015/12/worldwide_crypt.html *** Week of Continuous Intrusion Tools - Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation *** --------------------------------------------- Welcome to Day 4 of Week of Continuous Intrusion tools. We are discussing security of Continuous Integration (CI) tools in this series of blog posts. --------------------------------------------- http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion… *** Bugtraq: ESA-2015-171 EMC NetWorker Denial-of-service Vulnerability *** --------------------------------------------- EMC NetWorker contains a resolution for a Denial-of-service vulnerability. The vulnerability when exploited may allow malicious users to disrupt NetWorker services on affected systems. --------------------------------------------- http://www.securityfocus.com/archive/1/537037 *** OpenSSL Security Advisory [3 Dec 2015] *** --------------------------------------------- BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) Certificate verify crash with missing PSS parameter (CVE-2015-3194) X509_ATTRIBUTE memory leak (CVE-2015-3195) Race condition handling PSK identify hint (CVE-2015-3196) --------------------------------------------- https://openssl.org/news/secadv/20151203.txt *** Security Advisory: Linux libuser vulnerability CVE-2015-3246 *** --------------------------------------------- libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges. (CVE-2015-3246) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05770600.html?… *** Cisco SIP Phone 3905 Resource Limitation Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Unified SIP Phone 3905 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unity Connection Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS-XE 3S Platforms Series Root Shell License Bypass Vulnerability *** --------------------------------------------- A vulnerability in the way software packages are loaded in the Cisco IOS-XE Operating System for the Cisco IOS-XE 3S platforms could allow an authenticated, local attacker to gain restricted root shell access. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletin *** --------------------------------------------- *** Vulnerability in Apache Commons affects IBM InfoSphere Discovery (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971529 --------------------------------------------- *** Vulnerabilities in GSKit affect IBM MQ Appliance (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21971500 --------------------------------------------- *** Vulnerabilities in GSKit 8 affect Tivoli Directory Server and IBM Security Directory Server (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21972076 --------------------------------------------- *** IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022979 --------------------------------------------- *** IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005461 --------------------------------------------- *** A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21971753 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere Appliance Management Center (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21971515 --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control *** http://www.ibm.com/support/docview.wss?uid=swg21971798 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (October 2015: CVE-2015-4872, CVE-2015-4911, CVE-2015-5006) *** http://www.ibm.com/support/docview.wss?uid=swg21972112 --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21971419 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM i (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021018 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Lotus Mashups (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971925 --------------------------------------------- *** Infosphere BigInsights is affected by vulnerabilities in Apache HBase and Hive that could allow a remote attacker to gain unauthorized access to the system or authenticate with improper credentials (CVE-2015-1772, *** http://www.ibm.com/support/docview.wss?uid=swg21969546 --------------------------------------------- *** Vulnerability in Apache Commons affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971818 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement. (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971731 --------------------------------------------- *** Vulnerability in Apache Commons affects Enterprise Records *** http://www.ibm.com/support/docview.wss?uid=swg21971268 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Sterling B2B Integrator (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971758 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM InfoSphere Information Server (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971410 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971580 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Algo Credit Administrator (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971240 --------------------------------------------- *** Vulnerability in Apache Commons Collections affects IBM Forms Experience Builder (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971536 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Application Server on Cloud (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972179 --------------------------------------------- *** Multiple vulnerabilities in bundled components affects IBM SPSS Collaboration and Deployment Services (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971599 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM MQ Appliance (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971498 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM WebSphere Appliance Management Center (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971506 --------------------------------------------- *** IBM Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972094 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository Studio (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971579 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Cognos Metrics Manager (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21971382 --------------------------------------------- *** Vulnerabilities in Apache Commons Collections and Apache Groovy affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns (CVE-2015-4852, CVE-2015-3253) *** http://www.ibm.com/support/docview.wss?uid=swg21971291 --------------------------------------------- *** Vulnerability in Apache Commons affects IBM Tivoli Composite Application Manager Agent for WebSphere Applications (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21972216 --------------------------------------------- *** Fix Available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2015-4993, CVE-2015-4998, CVE-2015-5001, CVE-2015-7413) *** http://www.ibm.com/support/docview.wss?uid=swg21970176 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 2-12-2015
by Daily end-of-shift report 02 Dec '15

02 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 01-12-2015 18:00 − Mittwoch 02-12-2015 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** Cisco Unified Computing System Central Software Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DSA-3408 gnutls26 - security update *** --------------------------------------------- It was discovered that GnuTLS, a library implementing the TLS and SSLprotocols, incorrectly validates the first byte of padding in CBC modes.A remote attacker can possibly take advantage of this flaw to perform apadding oracle attack. --------------------------------------------- https://www.debian.org/security/2015/dsa-3408 *** VU#630239: Epiphany Cardio Server version 3.3 is vulnerable to SQL and LDAP injection *** --------------------------------------------- The Epiphany Cardio Server prior to version 4.0 is vulnerable to SQL injection and LDAP injection, allowing an unauthenticated attacker to gain administrator rights. --------------------------------------------- http://www.kb.cert.org/vuls/id/630239 *** Cisco UCS Central Software Server-Side Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Saia Burgess Controls PCD Controller Hard-coded Password Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a hard-coded password vulnerability in Saia Burgess Controls's family of PCD controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-335-01 *** Schneider Electric ProClima ActiveX Control Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for remote code execution vulnerabilities in the Schneider Electric ProClima F1 Bookview ActiveX control application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02 *** Siemens SIMATIC Communication Processor Vulnerability *** --------------------------------------------- This advisory provides mitigation details for an authentication bypass vulnerability in the Siemens SIMATIC Communication Processor devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-335-03 *** DSA-3409 putty - security update *** --------------------------------------------- A memory-corrupting integer overflow in the handling of the ECH (erasecharacters) control sequence was discovered in PuTTYs terminalemulator. A remote attacker can take advantage of this flaw to mount adenial of service or potentially to execute arbitrary code. --------------------------------------------- https://www.debian.org/security/2015/dsa-3409 *** Security Advisory - Privilege Escalation Vulnerability in Huawei LogCenter *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Advisory - DoS Vulnerability in Huawei LogCenter *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Entropy drought hits Raspberry Pi harvests, weakens SSH security *** --------------------------------------------- Hotfix posted online to shore up Raspbian key generation Raspberry Pis running Raspbian - a flavor of Debian GNU/Linux tuned for the credit-card-sized computers - apparently generate weak SSH host keys. --------------------------------------------- www.theregister.co.uk/2015/12/02/raspberry_pi_weak_ssh_keys/ *** DSA-3410 icedove - security update *** --------------------------------------------- Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,integer overflows, buffer overflows and other implementation errors maylead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2015/dsa-3410 *** Chrome für Linux: Google streicht 32-Bit-Version *** --------------------------------------------- Support endet März 2016 – Community kann weiterhin eigene Builds bauen --------------------------------------------- http://derstandard.at/2000026808558 *** BSides Vienna 2015 Slides *** --------------------------------------------- The slides of the BSides Vienna are available online and linked directly at the schedule page: https://bsidesvienna.at/talks/ You can also wget them: wget http://bsidesvienna.at/slides/2015/a_case_study_on_the_security_of_applicat… wget http://bsidesvienna.at/slides/2015/closing_slides.pdf wget http://bsidesvienna.at/slides/2015/crypto_wars_2.0.pdf wget http://bsidesvienna.at/slides/2015/digital_supply_chain_security.pdf wget --------------------------------------------- http://www.reddit.com/r/netsec/comments/3v50y7/bsides_vienna_2015_slides/ *** Security: Bug Bounty für Barbie-Puppen *** --------------------------------------------- Nicht nur Vtech-Spielzeug ist unsicher: Die umstrittene WLAN-Barbie von Mattel hält es mit der Sicherheit ebenfalls nicht so genau. Ein Hacker konnte aus der Puppe zahlreiche Informationen auslesen - und glaubt, auch die Serveranbindung manipulieren zu können. --------------------------------------------- http://www.golem.de/news/security-bug-bounty-fuer-barbie-puppen-1512-117769… *** Nessus and Powershell is like Chocolate and Peanut Butter!, (Wed, Dec 2nd) *** --------------------------------------------- In a typical security assessment, youll do authenticated scans of internal hosts, looking for vulnerabilities due to missed patches or configuration issues. I often use Nessus for this, but find that for a typical IT manager, the Nessus .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20431 *** Ponmocup *** --------------------------------------------- Ponmocup2. Dezember 2015Aktuell ist das Botnet, zu dem wir die meisten Infektionen gemeldet bekommen, immer noch Conficker. Weit abgeschlagen dahinter finden sich "gozi", "nymaim", "ZeuS" (incl. Varianten), "tinba" und "dyre". Die genauen Zahlen variieren stark, da ist die Konsistenz der Messungen nicht die beste.Jetzt haben wir einen neuen Namen hoch oben in der Liste: "Ponmocup". Die Malware selber ist nicht neu, manche setzten die --------------------------------------------- http://www.cert.at/services/blog/20151202163506-1641.html *** The Perils of Vendor Bloatware *** --------------------------------------------- In todays Stormcast, Johannes summarizes the current issue with some of the software that comes pre-installed on Dell Laptops. In short, Dell Foundation Services, which is used for remote management, allows unauthenticated WMI queries to be processed, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20433 *** IBM Security Bulletin: A potential security vulnerability in WebSphere Liberty Profile affects InfoSphere Streams (CVE-2015-1927) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21967767 *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2015Q4 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21959874 *** IBM Security Bulletin: Multiple vulnerabilities in Apache HttpComponents affect IBM Cognos Metrics Manager (CVE-2012-6153, CVE-2014-3577) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970193 *** Dell verschlimmbessert die Foundation-Services-Lücke *** --------------------------------------------- Angreifer aus dem Web können bei bestimmten Dell-Rechnern den Service-Tag auslesen und die Nutzer so tracken. Dell hat diese Lücke nun geschlossen. Seit dem Update kann man allerdings unter anderem die gesamte Hardware-Konfiguration auslesen. --------------------------------------------- http://www.heise.de/security/meldung/Dell-verschlimmbessert-die-Foundation-…

1 0

Tageszusammenfassung - Dienstag 1-12-2015
by Daily end-of-shift report 01 Dec '15

01 Dec '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 30-11-2015 18:00 − Dienstag 01-12-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** 3119884 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 1.0 *** --------------------------------------------- Microsoft is aware of unconstrained digital certificates from Dell Inc. for which the private keys were inadvertently disclosed. [...] To help protect customers from potentially fraudulent use of these unconstrained digital certificates, the certificates have been deemed no longer valid by Dell Inc. and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of these certificates. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/3119884 *** SHA1 Phase Out Overview, (Mon, Nov 30th) *** --------------------------------------------- SHA1 (Secure Hashing Algorithm 1) has been in use for about 20 years. More recently, some weaknesses have been identified in SHA1, and in general, faster computing hardware makes it more and more likely that collisions willbe found. As a result, SHA2 starts to replace SHA1and you should see this impacting your users next year. Various software will stop trusting SHA1 signatures, and users may receive warnings about invalid signatures or certificates as a result. First a very quick primer on... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20423&rss *** Belkins N150 router is perfect for learning hacking skills - wait, what, its in production? *** --------------------------------------------- Practice your CSRF and DNS meddling exploits here Belkins home routers can be commandeered by hackers, thanks to a Telnet backdoor, a cross-site request forgery (CSRF) vulnerability and other bugs, were told. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/hole_in_bel… *** DDoS-Attacken gegen griechische Banken *** --------------------------------------------- Armada Collective weitet DDoS-Angriffe in Europa aus und erpresst nun Kreditinstitute in Griechenland. --------------------------------------------- http://www.heise.de/newsticker/meldung/DDoS-Attacken-gegen-griechische-Bank… *** Guest Talk: "Alice in the Sky - On Security of Air Traffic Control Communication" *** --------------------------------------------- January 14, 2016 - 2:00 pm - 4:45 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/guest-talk-alice-in-the-sky-on-security… *** Conficker, back from the undead, dominates malware threat landscape *** --------------------------------------------- Look out, ransomware is coming up on the rails Conficker was the most common malware used to attack UK and international organisations in October, accounting for 20 per cent of all attacks globally, according to security vendor Check Point. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/conficker_d… *** Nuclear Pack loads a fileless CVE-2014-4113 Exploit *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/12/nuclear-pack-loading-fileless-cve… *** Reverse Engineering Intel DRAM Addressing and Exploitation *** --------------------------------------------- We demonstrate the power of such attacks by implementing a high speed covert channel that achieves transmission rates of up to 1.5Mb/s, which is three orders of magnitude faster than current covert channels on main memory. Finally, we show how our results can be used to increase the efficiency of the Rowhammer attack significantly by reducing the search space by a factor of up to 16384. --------------------------------------------- http://arxiv.org/abs/1511.08756 *** Dell Foundation Service ermöglicht Tracking von Nutzern *** --------------------------------------------- Im Dell Foundation Service zur Wartung von Computern klafft eine Schwachstelle, über die Angreifer die Service-Tag-Nummer auslesen können. Eine gefixte Version steht zum Download bereit. --------------------------------------------- http://heise.de/-3028416 *** "Crash Course - PCI DSS 3.1 is here. Are you ready?" Part II *** --------------------------------------------- Thanks to all who attended our recent webinar, "Crash Course - PCI DSS 3.1 is here. Are you ready?". During the stream, there were a number of great questions asked by attendees that didn't get answered due to the limited time. This blog post is a means to answer many of those questions. Still have... --------------------------------------------- https://blog.whitehatsec.com/crash-course-pci-dss-3-1-is-here-are-you-ready… *** l+f: Das Telegram-Protokoll macht Stalking einfach *** --------------------------------------------- Hat man die Telefonnummer eines Telegram-Nutzers, kann man relativ einfach dessen Online-Status überwachen. --------------------------------------------- http://heise.de/-3028550 *** Can you trust SSL encryption of your email provider? *** --------------------------------------------- Have you ever though how secure and reliable is your SSL/TLS connection to your email servers? A brief research about encryption implementation of the most popular free email providers. --------------------------------------------- https://www.htbridge.com/blog/can-you-trust-ssl-encryption-of-your-email-pr… *** Xen Heap Overflow in PC-Net II Emulator Lets Local Users on a Guest System Gain Elevated Privileges on the Host System *** --------------------------------------------- http://www.securitytracker.com/id/1034268 *** Security Notice - Statement on Pierre Kim Revealing Security Vulnerabilities in Huawei WiMAX Routers *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Cisco ASR 1000 Series Root Shell License Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Cloud Services Router 1000V Command Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Web Security Appliance Native FTP Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Advisory 2015-03: Vulnerability discovered in OTRS FAQ package *** --------------------------------------------- December 01, 2015 - Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org PGP Key pub 2048R/9C227C6B 2011-03-21 [expires at: 2016-03-02] uid OTRS Security Team GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22... --------------------------------------------- https://www.otrs.com/security-advisory-2015-03-vulnerability-discovered-in-…

1 0

Tageszusammenfassung - Montag 30-11-2015
by Daily end-of-shift report 30 Nov '15

30 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 27-11-2015 18:00 − Montag 30-11-2015 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** IBM Security Bulletin: IBM Maximo Asset Management contains a vulnerability which could allow a user to log in with an expired password (CVE-2015-5017) *** --------------------------------------------- IBM Maximo Asset Management contains a vulnerability which could allow a user to log into the system with an expired password. This vulnerability could allow a local attacker to obtain sensitive information or compromise the integrity of the system. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21969052 *** IBM Security Bulletin: Security Bulletin: Vulnerability in Apache Commons affects IBM Endpoint Manager for Remote Control (CVE-2015-7450) *** --------------------------------------------- Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971490 *** Program:Win32/CompromisedCert.D *** --------------------------------------------- This threat is a Dell root certificate for which the private keys were leaked. This means a hacker can use this certificate to modify your browsing experience and steal sensitive information. --------------------------------------------- https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?na… *** Dell Root-CA-Desaster: Microsoft bringt Updates in Stellung *** --------------------------------------------- Mit einem Update für mehrere seiner Sicherheits-Tools will Microsoft zwei digitale Zertifikate entfernen, die auf Computern des Herstellers Dell zu Sicherheitsrisiken wurden. Erste Schadsoftware, die das Einfallstor nutzt, wurde bereits gefunden. --------------------------------------------- http://heise.de/-3025738 *** Turris Omnia Security Project protects home network users *** --------------------------------------------- The non-profit security research Turris Omnia project originating from the Czech Republic focuses on safety of SoHo users. The non-profit security research project originating from the Czech Republic, which focuses on safety of SoHo .. --------------------------------------------- http://securityaffairs.co/wordpress/42382/hacking/turris-omnia-router-proje… *** International NCSC One Conference 2016 *** --------------------------------------------- We are pleased to announce the fourth edition of our international One Conference 2016 that will take place at the World Forum in The Hague on April 5 and 6, 2016. Again the program will be informative and eye-opening offering something of interest to a wide variety of participants from private sectors, .. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-one-conference-2016.ht… *** Lancom fixt Verschlüsselungsproblem in Routern *** --------------------------------------------- In verschiedenen Routern von Lancom klafft eine Schwachstelle, über die Angreifer verschlüsselte Verbindungen aufbrechen können. Workarounds sichern betroffene Geräte ab. --------------------------------------------- http://heise.de/-3026432 *** DFN-CERT-2015-1837: Xen: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1837/ *** Bugtraq: Proftpd 1.3.5a LATEST 0day Follow-up report (Part 2), Patch released!! 29/11/2015 --- Advanced Information Security Corporation *** --------------------------------------------- http://www.securityfocus.com/archive/1/537001 *** SSA-763427: Vulnerability in Communication Processor (CP) modules SIMATIC CP 343-1, TIM 3V-IE, TIM 4R-IE, and CP 443-1 *** --------------------------------------------- An authentication bypass vulnerability in Communication Processor (CP) module families SIMATIC CP 343-1/TIM 3V-IE/TIM 4R-IE/CP 443-1 could allow unauthenticated users to perform administrative operations under certain conditions. --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-763427… *** Multiple serious vulnerabilities in RSI Videofied's alarm protocol *** --------------------------------------------- RSI Videofied are a French company that produce a series of alarm panels that are fairly unique in the market. They are designed to be battery powered and send videos from the detectors if the alarm is triggered. This is called video .. http://cybergibbons.com/alarms-2/multiple-serious-vulnerabilities-in-rsi-vi… *** Forthcoming OpenSSL releases *** --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh. These releases will be made available on 3rd December between approx. 1pm and 5pm (UTC). They will fix a number of security defects, the highest of which is classified as "moderate" severity. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2015-November/000045.html

1 0

Tageszusammenfassung - Freitag 27-11-2015
by Daily end-of-shift report 27 Nov '15

27 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 26-11-2015 18:00 − Freitag 27-11-2015 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter, Robert Waldner *** Reader's Digest and other WordPress Sites Compromised, Push Angler EK *** --------------------------------------------- Readers Digest is among the latest compromised sites pushing Angler EK. --------------------------------------------- https://blog.malwarebytes.org/online-security/2015/11/readers-digest-and-ot… *** Known 'Good' DNS, An Observation, (Thu, Nov 26th) *** --------------------------------------------- This has come up enough it seems worth noting for this U.S. Thanks Giving Holiday. The concept of public Domain Name Service (DNS) is not new, but worth discussing both the merits and pitfalls. Weve discussed DNS here quite a bit over the years, for a prospectus. There are a few (this is not an endorsement *quickly looks around for legal counsel and dodges them*) good services around that are known. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20419&rss *** DSA-3407 dpkg - security update *** --------------------------------------------- Hanno Boeck discovered a stack-based buffer overflow in the dpkg-debcomponent of dpkg, the Debian package management system. This flaw couldpotentially lead to arbitrary code execution if a user or an automatedsystem were tricked into processing a specially crafted Debian binarypackage (.deb) in the old style Debian binary package format. --------------------------------------------- https://www.debian.org/security/2015/dsa-3407 *** Apache Cordova vulnerable to improper application of whitelist restrictions *** --------------------------------------------- Apache Cordova contains a vulnerability where whitelist restrictions are not properly applied. --------------------------------------------- http://jvn.jp/en/jp/JVN18889193/ *** ManageEngine Firewall Analyzer fails to restrict access permissions *** --------------------------------------------- ManageEngine Firewall Analyzer provided by Zoho Corporation contains a vulerability where access permissions are not restricted. --------------------------------------------- http://jvn.jp/en/jp/JVN12991684/ *** ManageEngine Firewall Analyzer vulnerable to directory traversal *** --------------------------------------------- ManageEngine Firewall Analyzer provided by Zoho Corporation contains a directory traversal vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN21968837/ *** Defending against Actual IT Threats *** --------------------------------------------- Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations dont match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it.... --------------------------------------------- https://www.schneier.com/blog/archives/2015/11/defending_again_4.html *** Adobe will Weiterverteilung von Flash Player einschränken *** --------------------------------------------- Ab Januar 2016 können nur noch Business-Anwender mit einer gültigen Lizenz den Flash Player zur Weiterverteilung herunterladen, verkündet Adobe. --------------------------------------------- http://heise.de/-3025473 *** Paper: Optimizing ssDeep for use at scale *** --------------------------------------------- Brian Wallace presents tool to optimize ssDeep comparisons.Malware rarely comes as a single file, and to avoid having to analyse each sample in a set individually, a fuzzy hashing algorithm tool like ssDeep can tell a researcherwhether two files are very similar - or not similar at all.When working with a large set of samples, the number of comparisons (which grows quadratically with the set size) may soon become extremely large though. To make this task more manageable, Cylance --------------------------------------------- http://www.virusbtn.com/blog/2015/11_27.xml?rss

1 0

Tageszusammenfassung - Donnerstag 26-11-2015
by Daily end-of-shift report 26 Nov '15

26 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 25-11-2015 18:00 − Donnerstag 26-11-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Verschlüsselung: Punkte auf der falschen elliptischen Kurve *** --------------------------------------------- Forscher der Ruhr-Universität Bochum haben einen schon lange bekannten Angriff auf Verschlüsselungsverfahren mit elliptischen Kurven in der Praxis umsetzen können. Verwundbar ist neben Java-Bibliotheken auch ein Hardware-Verschlüsselungsgerät von Utimaco. --------------------------------------------- http://www.golem.de/news/verschluesselung-punkte-auf-der-falschen-elliptisc… *** Multiple Cisco Products Confidential Information Decryption Man-in-the-Middle Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Shields up on potentially unwanted applications in your enterprise *** --------------------------------------------- Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do. The good news is, the new opt-in feature for .. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/11/25/shields-up-on-potentiall… *** "Cyberangriffe werden besser und komplexer" *** --------------------------------------------- Vertreter österreichischer Unternehmen und Sicherheitsexperten diskutierten mit der futurezone über Trends in der Cyberkriminalität und den Schutz kritischer Infrastruktur. --------------------------------------------- http://futurezone.at/digital-life/cyberangriffe-werden-besser-und-komplexer… *** DSA-3405 smokeping - security update *** --------------------------------------------- Tero Marttila discovered that the Debian packaging for smokepinginstalled it in such a way that the CGI implementation of Apache httpd(mod_cgi) passed additional arguments to the smokeping_cgi program,potentially leading to arbitrary code execution in response to craftedHTTP requests. --------------------------------------------- https://www.debian.org/security/2015/dsa-3405 *** Serverseitiges JavaScript: Zwei offene Lücken in Node.js *** --------------------------------------------- Eine DoS-Schwachstelle und einen Out-of-Bounds-Zugriffsfehler bei der JavaScript-Engine V8 sind in unterschiedlichen Node.js-Versionen zu finden. Ein Patch soll nächste Woche veröffentlicht werden. --------------------------------------------- http://heise.de/-3022698 *** Ads on popular Search Engine are leading to Phishing Sites *** --------------------------------------------- The Reporting and Analysis Centre for Information Assurance (MELANI) and GovCERT.ch is aware of an ongoing phishing campaign that is targeting a large credit card issuer in Switzerland. What makes this phishing campaign somehow unique is the way how the phishers are advertising their phishing sites: while .. --------------------------------------------- http://www.govcert.admin.ch/blog/16/ads-on-popular-search-engine-are-leadin… *** Malware Researcher's Handbook (Demystifying PE File) *** --------------------------------------------- PE File Portable executable file format is a type of format that is used in Windows (both x86 and x64). As per Wikipedia, the portable executable (PE) format is a file format for executable, object code, DLLs, FON font files, and core dumps. The PE file .. --------------------------------------------- http://resources.infosecinstitute.com/2-malware-researchers-handbook-demyst… *** Smart Home: Sicherheitslücken im Zigbee-Protokoll demonstriert *** --------------------------------------------- Sicherheitsforscher haben auf der Sicherheitskonferenz Deepsec in Wien eklatante Mängel in der Sicherheit von Zigbee-Smart-Home-Geräten demonstriert. Es gelang ihnen, ein Türschloss zu übernehmen und zu öffnen. --------------------------------------------- http://www.golem.de/news/smart-home-sicherheitsluecken-im-zigbee-protokoll-… *** Windows Defender mit verstecktem Adware-Killer *** --------------------------------------------- Microsofts Virenschutz blokiert jetzt auch Adware. Eigentlich ist die nützliche Funktion für Unternehmensnetze gedacht – sie lässt sich aber auch auf gewöhnlichen Windows-Systemen freischalten, wie ein Test von heise Security zeigt. --------------------------------------------- http://heise.de/-3023579

1 0

Tageszusammenfassung - Mittwoch 25-11-2015
by Daily end-of-shift report 25 Nov '15

25 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 24-11-2015 18:00 − Mittwoch 25-11-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified CallManager and Unified Presence Server ICMP Echo Request Handling Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-… *** A $10 Tool Can Guess (And Steal) Your Next Credit Card Number *** --------------------------------------------- A pattern in AmEx card numbers allows Samy Kamkars DIY gadget to predict and use new numbers for fraud as fast as the company can generate them. --------------------------------------------- http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-steal… *** High-Security, Open-Source Router is a Hit on Indiegogo (Video) *** --------------------------------------------- The device is called the Turris Omnia, and its Indiegogo page says its a "hi-performance & open-source router." Their fundraising goal is $100,000. So far, 1,191 backers have pledged $248,446 (as of the moment this was typed), with 49 days left .. --------------------------------------------- http://linux.slashdot.org/story/15/11/24/1940251/high-security-open-source-… *** Hilton Acknowledges Credit Card Breach *** --------------------------------------------- Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems. --------------------------------------------- http://krebsonsecurity.com/?p=33068 *** Xen VPMU Feature May Let Local Users Deny Service, Obtain Information, and Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1034230 *** Unwanted Software and Harmful Programs *** --------------------------------------------- We frequently clean blacklisted websites and submit reconsideration requests to have them de-listed. We have encountered many kinds of blacklist warnings including search engines, anti-virus programs, firewalls and and e-mail spam. Recently I came .. --------------------------------------------- https://blog.sucuri.net/2015/11/unwanted-software-and-harmful-programs.html *** Google kann nicht ohne weiteres geschützte Geräte entsperren *** --------------------------------------------- Ein Sicherheitsbericht des Bezirksstaatsanwalts von Manhattan berichtet von einer Hintertür, durch die Google auf richterlichen Beschluss in den USA auf bestimmte passwortgeschützte Android-Smartphones zugreifen können soll. Dem widerspricht jetzt ein Mitarbeiter des Android-Sicherheitsteams. --------------------------------------------- http://www.golem.de/news/android-sicherheit-google-kann-nicht-ohne-weiteres… *** House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide *** --------------------------------------------- In the course of an internal research project we have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices we have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. We have specifically analyzed .. --------------------------------------------- http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html *** DSDTestProvider: Weiteres gefährliches Dell-Zertifikat entdeckt *** --------------------------------------------- Auf Dell-Computern ist ein weiteres CA-Zertifikat mitsamt privatem Schlüssel entdeckt worden. Damit kann jeder gültige Zertifikate ausstellen und die Verschlüsselung von Webseiten ad absurdum führen. Der Patch zum Löschen von eDellRoot ist verfügbar. --------------------------------------------- http://heise.de/-3020134 *** Internet Explorer: Microsoft stellt Support für fast alle Versionen ein *** --------------------------------------------- Ab Mitte Jänner wird nur mehr der IE11 mit Sicherheitsupdates versorgt – Fast ein Viertel der Web-Nutzer betroffen. --------------------------------------------- http://derstandard.at/2000026383964 *** Amazon.com setzt Passwörter von Kunden zurück *** --------------------------------------------- Einige Amazon-Kunden in den USA und Großbritannien müssen sich ein neues Passwort ausdenken. Amazon hat die Passwörter zurückgesetzt - eine reine Vorsichtsmaßnahme, wie es heißt. Doch das Statement von Amazon ist teilweise widersprüchlich und lässt viele Fragen offen. --------------------------------------------- http://www.golem.de/news/security-amazon-com-setzt-passwoerter-von-kunden-z… *** When Your CEO Won't Take Security Awareness Training *** --------------------------------------------- CEOs are often the busiest people in any organization. As security professionals, we should respect that: but what can we do when our CEO won't take security awareness training? This is not uncommon but it can be a hard nut for security .. --------------------------------------------- http://resources.infosecinstitute.com/when-your-ceo-wont-take-security-awar… *** Does prevalence matter? A different approach to traditional antimalware test scoring *** --------------------------------------------- Most well-known antimalware tests today focus on broad-spectrum malware. In other words, tests include malware that is somewhat indiscriminate (isnt necessarily targeted), at least somewhat prevalent and sometimes very prevalent. Typically,.. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/11/25/does-prevalence-matter-a… *** Moxa OnCell Central Manager Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for hardcoded credentials and authentication bypass vulnerabilities in the Moxa OnCell Central Manager Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-328-01 *** Tor-Betreiber starten Crowdfunding *** --------------------------------------------- Private Gelder sollen Abhängigkeit von US-Behörden reduzieren und Weiterentwicklung ermöglichen --------------------------------------------- http://derstandard.at/2000026409932 *** A Problem Shared *** --------------------------------------------- Information sharing has been a much discussed, but traditionally a hit-and-miss affair within the world of information security - after all, one's information can hardly be said to be secure if you're bandying it about to anyone who expresses .. --------------------------------------------- https://blog.team-cymru.org/2015/11/a-problem-shared/ *** Protecting Windows Networks - Dealing with credential theft *** --------------------------------------------- Credential theft is a huge problem, if you care to look at Verizon Data Breach reports over the years, you will see that use of stolen credentials was lingering at the top intrusion method for quite some time. They also prevalent in APT attacks. And why .. --------------------------------------------- https://dfirblog.wordpress.com/2015/11/24/protecting-windows-networks-deali… *** Ransomware Playbook - Guide for Handling Ransomware Infections *** --------------------------------------------- The following post demonstrates the writing process of a ransomware playbook for effective incident response and handling ransomware infections. --------------------------------------------- https://www.demisto.com/playbooks/playbook-for-handling-ransomware-infectio… *** Breach at IT Automation Firm LANDESK *** --------------------------------------------- LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK .. --------------------------------------------- http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk

1 0

Tageszusammenfassung - Dienstag 24-11-2015
by Daily end-of-shift report 24 Nov '15

24 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 23-11-2015 18:00 − Dienstag 24-11-2015 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Stealthy GlassRAT Spies on Commercial Targets *** --------------------------------------------- RSA has uncovered GlassRAT, a spy tool targeting commercial targets thats signed with a stolen certificate from a large developer in China. --------------------------------------------- http://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115453/ *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-… --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Multiple vulnerabilities in Apache Commons affecting IBM products *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971377 --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971376 --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971415 --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971412 --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971246 *** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by operating system command vulnerability (CVE-2015-7426) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21971484 *** IBM Security Bulletin: IBM i Access for Windows affected by vulnerability CVE-2015-7416 *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1020995 *** IBM Security Bulletin: IBM Smart Analytics System 5600 is affected by a vulnerability in IBM GPFS (CVE-2015-1788) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21969177 *** IBM Security Bulletin:Multiple vulnerabilities in IBM Java SDK affect Sytem Storage DS8000 *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1005448 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect AppScan Standard (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970847 *** Security Advisory - Overflow Vulnerabilities in SNMPv3 *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Worlds most complex cash register malware plunders millions in US *** --------------------------------------------- ModPos kernel monster threatens haul during festive shopping blitz The worlds most complex sales till malware has been discovered ... after it ripped millions of bank cards from US retailers .. --------------------------------------------- www.theregister.co.uk/2015/11/24/modpos_point_of_sale_malware/ *** Break a dozen secret keys, get a million more for free *** --------------------------------------------- For many years NIST has officially claimed that AES-128 has "comparable strength" to 256-bit ECC, namely 128 "bits of security". Ten years ago, in a talk "Is 2255−19 big enough?", I disputed this claim. The underlying attack algorithms had already been known for years, and its not hard to see their impact on key-size selection; but somehow NIST hadnt gotten .. --------------------------------------------- http://blog.cr.yp.to/20151120-batchattacks.html *** Steam Weak File Permissions Privilege Escalation *** --------------------------------------------- A low privileged user could modify the steam.exe binary and obtain code execution with elevated privileges upon an administrator login or execution of steam.exe --------------------------------------------- http://www.securityfocus.com/archive/1/536961 *** Security Advisory - Memory Overflow Vulnerability in the Huawei Smartphone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Root-CA-Zertifikat: Dell will eDellRoot über Update entfernen *** --------------------------------------------- Dell versichert, dass Besitzer eines Dell-Computers das vom Hersteller standardmäßig installierte gefährliche CA-Zertifikat über ein Update deinstallieren oder per Hand dauerhaft entfernen können. --------------------------------------------- http://heise.de/-3015616 *** 3 Attacks on Cisco TACACS+: Bypassing the Ciscos auth *** --------------------------------------------- I would like to tell the results of my little security research of TACACS+ protocol. --------------------------------------------- http://agrrrdog.blogspot.ca/2015/11/3-attacks-on-cisco-tacacs-bypassing.html *** Hackers do the Haka - Part 1 *** --------------------------------------------- Haka is an open source network security oriented language that allows writing security rules and protocol dissectors. In this first part of a two-part series, we will focus on writing security rules. --------------------------------------------- http://thisissecurity.net/2015/11/23/hackers-do-the-haka-part-1/ *** Heap Overflow in PCRE *** --------------------------------------------- There are two variants of PCRE, the classic one and PCRE2. PCRE2 is not affected. ... If you use PCRE with potentially untrusted regular expressions you should update immediately. There is no immediate risk if you use regular expressions from a trusted source with an untrusted input. --------------------------------------------- https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html *** Ermittlern gelingt Schlag gegen weltweit agierende Phisher-Bande *** --------------------------------------------- Das LKA Sachsen hat fünf Tatverdächtige verhaftet, die bandenmäßig mit Betrugsanrufen PIN-Codes für Online-Zahlungsgutscheine abgephisht haben sollen. --------------------------------------------- http://heise.de/-3016944 *** WP Page Widget <= 2.7 - Authenticated Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8317 *** Social Share Button <= 2.1 - Authenticated Persistent Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8326 *** Google kann Android-Geräte aus der Ferne entsperren *** --------------------------------------------- Google kann offensichtlich die Bildschirmsperren der meisten Android-Geräte auf Behördenanordnung zurücksetzen. Das geht aus dem Bericht eines New Yorker Bezirksstaatsanwalt hervor. Der einzige Schutz dagegen ist die Vollverschlüsselung. --------------------------------------------- http://heise.de/-3015984 *** WP Live Chat Support <= 4.3.5 - Unauthenticated Blind SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8343 *** WR ContactForm <= 1.1.9 - Authenticated SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8341

1 0

Tageszusammenfassung - Montag 23-11-2015
by Daily end-of-shift report 23 Nov '15

23 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 20-11-2015 18:00 − Montag 23-11-2015 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Cisco TelePresence Video Communication Server Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Command and Control Server Detection: Methods & Best Practices *** --------------------------------------------- Botnet C&C servers issue commands in many ways Recently I discussed botnets and the way they represent an ongoing and evolving threat to corporate IT security. This time I'll be discussing .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/command-and-control-se… *** Cisco Networking Services Sensitive Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Deepsec: ZigBee macht Smart Home zum offenen Haus *** --------------------------------------------- ZigBee-Funknetze weisen nach neuen Erkenntnissen von Sicherheitsforschern eklatante Sicherheitsmängel auf. Die Technik wird beispielsweise bei der Steuerung von Türschlössern eingesetzt. --------------------------------------------- http://heise.de/-3010287 *** Blackberry Offers Lawful Device Interception Capabilities *** --------------------------------------------- An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" .. --------------------------------------------- http://yro.slashdot.org/story/15/11/22/0048205/blackberry-offers-lawful-dev… *** JW Player 6 Plugin for Wordpress <= 2.1.14 - Authenticated Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8260 *** DSA-3401 openjdk-7 - security update *** --------------------------------------------- It was discovered that rebinding a receiver of a direct method handlemay allow a protected method to be accessed. --------------------------------------------- https://www.debian.org/security/2015/dsa-3401 *** Bugtraq: Proftpd v1.3.5a ZERODAY - Heap Overflows due to zero length mallocs. Advanced Information Security Corporation *** --------------------------------------------- Proftpd v1.3.5a ZERODAY - Heap Overflows due to zero length mallocs. Advanced Information Security Corporation --------------------------------------------- http://www.securityfocus.com/archive/1/536951 *** Data breach at firm that manages Cisco, Microsoft certifications *** --------------------------------------------- Pearson VUE says credentials manager product affected Cisco, IBM, Oracle and Microsofts certification management provider, Pearson VUE, has copped to a data breach following a malware .. --------------------------------------------- www.theregister.co.uk/2015/11/23/pearson_vue_data_breach_pcm/ *** Ist hier jemand Dell-Kunde? Die shippen anscheinend ... *** --------------------------------------------- Ist hier jemand Dell-Kunde? Die shippen anscheinend eine Backdoor-CA mit ihrem Windows.Aber, mal unter uns, wer sich irgendeinen PC kauft und nicht als erstes das Windows wegschmeisst und frisch neu installiert, dem ist eh nicht zu helfen.Daher war das ja .. --------------------------------------------- http://blog.fefe.de/?ts=a8adce6b *** WP Database Backup <= 3.3 - Authenticated Persistent Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8275 *** Pornography - A Favorite Costume For Android Malware *** --------------------------------------------- 30% of Internet traffic is in some way related to pornography and this is the primary reason why malware authors are using porn apps to infect large numbers of users. During recent data mining, we noticed an increasing volume of mobile malware using pornography (disguised as porn apps) to lure victims into different scams .. --------------------------------------------- http://research.zscaler.com/2015/11/pornography-favorite-costume-for.html

1 0

Tageszusammenfassung - Freitag 20-11-2015
by Daily end-of-shift report 20 Nov '15

20 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 19-11-2015 18:00 − Freitag 20-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Trojanized adware family abuses accessibility service to install whatever apps it wants *** --------------------------------------------- Shedun does not exploit a vulnerability in the service, instead it takes advantage of the service's legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user. --------------------------------------------- https://blog.lookout.com/blog/2015/11/19/shedun-trojanized-adware/ *** Tibbo AggreGate Platform Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for vulnerabilities in the Tibbo AggreGate SCADA/HMI package. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-323-01 *** When Hunting BeEF, Yara rules. *** --------------------------------------------- BeEF, The Browser Exploitation Framework, is a penetration-testing tool focusing on web browsers. You can think of it as the Metasploit for web browsers security testing. In fact, it offers several modules that may allow the attacker to, for example, steal web login credentials, switch on microphone and camera, etc. --------------------------------------------- https://isc.sans.edu/diary/When+Hunting+BeEF%2C+Yara+rules./20395 *** HTTP Evasions Explained - Part 8 - Borderline Robustness *** --------------------------------------------- This is part eight in a series which explains the evasions done by HTTP Evader. This part looks into the excessive and inconsistent robustness attempts done by the browser vendors and how this can be used to evade firewalls. --------------------------------------------- http://noxxi.de/research/http-evader-explained-8-borderline-robustness.html *** Nmap 7 Released! *** --------------------------------------------- I encounter many folks at security conferences who havent heard about all the modern Nmap capabilities and still just use it as a simple port scanner. Folks who dont use (or at least know about) NSE, Ncat, Nping, Zenmap, Ndiff, version detection and IPv6 scanning are really missing out! --------------------------------------------- http://seclists.org/nmap-announce/2015/6 *** contrast-rO0 *** --------------------------------------------- A lightweight Java agent for preventing attacks against object deserialization like those discussed by @breenmachine and the original researchers @frohoff and @gebl, affecting WebLogic, JBoss, Jenkins and more. --------------------------------------------- https://github.com/Contrast-Security-OSS/contrast-rO0 *** Metasploit module: Chkrootkit Local Privilege Escalation *** --------------------------------------------- Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. CVE: CVE-2014-0476 --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110179 *** ArcSight Management Center and ArcSight Logger vulnerable to cross-site scripting *** --------------------------------------------- ArcSight Management Center and ArcSight Logger contain a cross-site scripting vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN51046809/ *** IBM Security Bulletin: IBM i Access for Windows affected by vulnerabilities CVE-2015-2023 and CVE-2015-7422 *** --------------------------------------------- IBM i Access for Windows is affected by vulnerabilities CVE-2015-2023 and CVE-2015-7422. These vulnerabilities affect the Windows system running the IBM i Access for Windows product. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1020996 *** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM WebSphere Real Time *** --------------------------------------------- Java SE issues disclosed in the Oracle October 2015 Critical Patch Update, plus CVE-2015-5006 --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970978

1 0

Tageszusammenfassung - Donnerstag 19-11-2015
by Daily end-of-shift report 19 Nov '15

19 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 18-11-2015 18:00 − Donnerstag 19-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** GovCERT.ch zu den DDoS-Erpressungen *** --------------------------------------------- Die Kollegen aus der Schweiz haben ausführlich zu den aktuellen Erpressungsversuchen (DD4BC/Armada Collective) gebloggt und auch eine Zusammenfassung über Mitigations-Massnahmen geschrieben. --------------------------------------------- http://www.cert.at/services/blog/20151119115219-1633.html *** BSI veröffentlicht Bericht zur Lage der IT-Sicherheit in Deutschland 2015 *** --------------------------------------------- Der Bericht zur Lage der IT-Sicherheit in Deutschland beschreibt und analysiert die aktuelle IT-Sicherheitslage, die Ursachen von Cyber-Angriffen sowie die verwendeten Angriffsmittel und -methoden. Daraus abgeleitet thematisiert der Lagebericht Lösungsansätze zur Verbesserung der IT-Sicherheit in Deutschland. Der Lagebericht verdeutlicht, dass die Anzahl der Schwachstellen und Verwundbarkeiten in IT-Systemen weiterhin auf einem hohen Niveau liegt und ... --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT… *** ARRIS Cable Modem has a Backdoor in the Backdoor *** --------------------------------------------- While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether its going to fix it yet. --------------------------------------------- https://w00tsec.blogspot.co.at/2015/11/arris-cable-modem-has-backdoor-in.ht… *** BSI veröffentlicht Sicherheitsstudie zu TrueCrypt *** --------------------------------------------- Im Auftrag des Bundesamtes für Sicherheit in der Informationstechnik (BSI) untersuchte das Fraunhofer-Institut für Sichere Informationstechnologie SIT die Verschlüsselungssoftware TrueCrypt auf Sicherheitslücken. ... Die Sicherheitsexperten kommen zu dem Ergebnis, dass TrueCrypt weiterhin für die Verschlüsselung von Daten auf Datenträgern geeignet ist. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Sicherheits… *** ZDI-15-570: SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/U5RlY6kAls0/ *** Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166 *** --------------------------------------------- This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses ... --------------------------------------------- https://www.drupal.org/node/2618362 *** Actors using exploit kits - How they change tactics, (Thu, Nov 19th) *** --------------------------------------------- Introduction Exploit kits (EKs) are used by criminals to infect unsuspecting users while they are browsing the web. EKs are hosted on servers specifically dedicated to the EK. How are the users computers directed to an EK? It happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the users computer to an EK server. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20391&rss *** NVIDIA Driver Windows Control Panel Unquoted Search Path Lets Local Users Gain Elevated Privileges *** --------------------------------------------- The NVIDIA Control Panel executable Smart Maximize Helper (nvSmartMaxApp.exe) uses an unquoted path when launching process threads. A local user can place a specially crafted program in certain locations in the search path to cause arbitrary code to be executee with elevated privileges during Windows startup. --------------------------------------------- http://www.securitytracker.com/id/1034175 *** NVIDIA 3D Driver for Windows Named Pipe Access Control Flaw Lets Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- The 3D Driver's 'Vision service' (nvSCPAPISvr.exe) creates a named pipe without proper access controls. A local user or a remote authenticated user can create a specially crafted run key entry to execute arbitrary command line statements with the privileges of the target user. In a Windows Domain environment, a remote authenticated user with access to a domain-joined system can exploit this flaw within the joined domain. --------------------------------------------- http://www.securitytracker.com/id/1034173 *** Microsoft Security Intelligence Report: Strontium *** --------------------------------------------- The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM - a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intel… *** NVIDIA NVAPI and Kernel Mode Driver Bugs Let Local Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privielges *** --------------------------------------------- The NVAPI support layer of NVIDIA GPU graphics drivers does not properly validate user-supplied input. In addition, an integer overflow may occur in the kernel mode driver. A local user can exploit these vulnerabilities to potentially sensitive information, deny service, or execute arbitrary code on the target system with elevated privileges. --------------------------------------------- http://www.securitytracker.com/id/1034176 *** Open-Xchange Guard 2.0 Cross Site Scripting *** --------------------------------------------- Topic: Open-Xchange Guard 2.0 Cross Site Scripting Risk: Low Text:Product: Open-Xchange Guard Vendor: Open-Xchange GmbH Internal reference: 41466 (Bug ID) Vulnerability type: Cross-Site-Sc... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110166 *** Edgy online shoppers face Dyre Christmas as malware mutates *** --------------------------------------------- Bank-plundering code now hunts Windows 10 and its Edge browser VXers have cooked up Windows 10 and Edge support for the nasty Dyre or Dyreza banking trojan. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/19/edgy_online… *** Windows Sandbox Attack Surface Analysis *** --------------------------------------------- TL;DR; I've released my tools I use internally to test out sandboxed code and determine the likely attack surface exposed to an attacker if a sandboxed process is compromised. You can get the source code from https://github.com/google/sandbox-attacksurface-analysis-tools. This blog post will describe a few common use cases so that you can use them to do your own sandbox analysis. --------------------------------------------- http://googleprojectzero.blogspot.co.at/2015/11/windows-sandbox-attack-surf… *** Bugtraq: CVE-2015-8131: Kibana CSRF vulnerability *** --------------------------------------------- Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. We have been assigned CVE 2015-8131 for this issue. CVSS Score: 4.0 Remediation: We recommend that all Kibana users upgrade to either 4.1.3, 4.2.1, or a later version. --------------------------------------------- http://www.securityfocus.com/archive/1/536935 *** Russian financial cybercrime: how it works *** --------------------------------------------- The Russian-language cybercrime market is known all over the world. Kaspersky Lab experts have been monitoring the Russian hacker underground since its emergence. In this review we analyze how financial cybercrime works. --------------------------------------------- http://securelist.com/analysis/publications/72782/russian-financial-cybercr… *** VMSA-2015-0008 *** --------------------------------------------- vCenter Server, vCloud Director, Horizon View information disclosure issue VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information be disclosed. ... The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3269 to this issue. --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0008.html *** Cisco Unified Interaction Manager Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web chat interface of Cisco Unified Interaction Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the chat on the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-… *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450) *** --------------------------------------------- An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21970575

1 0

Tageszusammenfassung - Mittwoch 18-11-2015
by Daily end-of-shift report 18 Nov '15

18 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 17-11-2015 18:00 − Mittwoch 18-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Adobe releases out-of-band security patches - amazingly not for Flash *** --------------------------------------------- ColdFusion, LiveCycle and Premiere get fixed ... Adobe says that it hasnt seen any evidence that these flaws are being exploited in the wild, but that users should patch anyway, just to be on the safe side - certainly before hackers reverse-engineer the updates and start abusing the bugs... --------------------------------------------- http://www.theregister.co.uk/2015/11/17/adobe_releases_outofband_security_p… *** Introducing Chuckle and the importance of SMB signing *** --------------------------------------------- Digital signing is a feature of SMB designed to allow a recipient to confirm the authenticity of SMB packets and to prevent tampering during transit - this feature was first made available back in Windows NT 4.0 Service Pack 3. By default, only domain controllers require packets to be signed and this default behavior is usually seen in most corporate networks. --------------------------------------------- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/novem… *** Team Cymru: Free tools for incident response *** --------------------------------------------- We at Team Cymru would like to be helpful to incident response vendors in implementing the USG's growing security strategy. To that end, we have identified a few of our free community resources (and one commercial service) that would be most useful to IR. --------------------------------------------- https://blog.team-cymru.org/2015/11/free-tools-for-incident-response-and-a-… *** How two seconds become two days *** --------------------------------------------- At 3:37PM PST, we had a power blip in one of our datacenters. In those two seconds, over 1,000 systems blinked offline. As a non-profit, we don't have all of those niceties such as hot-hot datacenters or those new fangled UPSes. Instead, we do it the old fashioned way, which means we are susceptible to... --------------------------------------------- http://blog.shadowserver.org/2015/11/17/how-two-seconds-become-two-days/ *** A flaw in D-Link Switches opens corporate networks to hack *** --------------------------------------------- A flaw in certain D-Link switches can be exploited by remote attackers to access configuration data and hack corporate networks. The independent security researcher Varang Amin and the chief architect at Elastica's Cloud Threat Labs Aditya Sood have discovered a vulnerability in the D-Link Switches belonging to the DGS-1210 Series Gigabit Smart Switches. The security experts revealed... --------------------------------------------- http://securityaffairs.co/wordpress/42054/hacking/d-link-switches-flaw.html *** Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks *** --------------------------------------------- The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.Categories: ExploitsTags: drive-by downloadsexploitexploit kitwebsite(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackh… *** Google VirusTotal - now with autoanalysis of OS X malware *** --------------------------------------------- Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware. --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/buCfkbvoJqQ/ *** Nishang: A Post-Exploitation Framework *** --------------------------------------------- Introduction I was recently doing an external penetration test for one of our clients, where I got shell access to Windows Server 2012(Internal WebServer sitting behind an IPS) with Administrative Privileges. It also appears to have an Antivirus installed on the system as everything I was uploading on to the machine was being deleted on... --------------------------------------------- http://resources.infosecinstitute.com/nishang-a-post-exploitation-framework/ *** 10 dumb security mistakes sys admins make *** --------------------------------------------- Security isn't merely a technical problem -- its a people problem. There's only so much technology you can throw at a network before dumb human mistakes trip you up.But guess what? Those mistakes are often committed by the very people who should know better: system administrators and other IT staff.[ Also on InfoWorld: 10 security mistakes that will get you fired. | Deep Dive: How to rethink security for the new world of IT. | Discover how to secure your systems with InfoWorlds... --------------------------------------------- http://www.cio.com/article/3006147/security/10-dumb-security-mistakes-sys-a… *** SANS Pentest Sumit: Evil DNS tricks by Ron Bowes - slide deck *** --------------------------------------------- Things Im gonna talk about: * How to use DNS in pentesting * How to use DNSs indirect nature * DNS tunnelling (dnscat2) --------------------------------------------- https://docs.google.com/presentation/d/1Jxh6PPO9JbUqXwOCTQFyA00uQoFMDBh-1Pe… *** Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary *** --------------------------------------------- The CSAN has five Core Findings: * Cryptoware and other ransomware constitute the preferred business model for cyber criminals * Geopolitical tensions manifest themselves increasingly often in (impending) digital security breaches * Phishing is often used in targeted attacks and can barely be recognised by users * Availability becomes more important as alternatives to IT systems are disappearing * Vulnerabilities in software are still the Achilles heel of digital security --------------------------------------------- https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Nether… *** Inside the Conficker-Infected Police Body Cameras *** --------------------------------------------- A Florida integrator who discovered the Conficker worm lurking in body cameras meant for police use takes Threatpost inside the story, including a frustrating disclosure with a disbelieving manufacturer. --------------------------------------------- http://threatpost.com/inside-the-conficker-infected-police-body-cameras/115… *** EMC VPLEX GeoSynchrony Default Log Level Lets Local Users View Passwords *** --------------------------------------------- http://www.securitytracker.com/id/1034169 *** F5 security advisory: NTP vulnerability CVE-2015-5300 *** --------------------------------------------- A man-in-the-middle attacker able to intercept network time protocol (NTP) traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time. --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/10/sol10600056.html?ref=… *** Atlassian Hipchat XSS to RCE *** --------------------------------------------- Topic: Atlassian Hipchat XSS to RCE Risk: Medium Text:Two issues exist in Atlassian’s HipChat desktop client that allow an attacker to retrieve files or execute remote code when a... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110164 *** [HTB23272]: RCE and SQL injection via CSRF in Horde Groupware *** --------------------------------------------- Product: Horde Groupware v5.2.10 Vulnerability Type: Cross-Site Request Forgery [CWE-352]Risk level: High Creater: http://www.horde.orgAdvisory Publication: September 30, 2015 [without technical details]Public Disclosure: November 18, 2015 CVE Reference: CVE-2015-7984 CVSSv2 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] Vulnerability Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration... --------------------------------------------- https://www.htbridge.com/advisory/HTB23272 *** Security Advisory - Information Leak Vulnerability in Huawei DSM Product *** --------------------------------------------- There is a information leak vulnerability in DSM (Document Security Management) Product. The DSM does not clear the clipboard after data in a secure file opened using the DSM is copied and the secure file is closed. Data in the clipboard can be copied in common documents that do not use the DSM, leading to information leaks. (Vulnerability ID: HWPSIRT-2015-09009) Huawei has released software updates to fix these vulnerabilities. --------------------------------------------- http://www1.huawei.com/en/security/psirt/security-bulletins/security-adviso… *** Symantec Endpoint Protection Elevation of Privilege Issues SYM15-011 *** --------------------------------------------- 11/16/2015 - Assigned a new CVE ID, CVE-2015-8113 and Bugtraq ID 77585, to the SEP Client Binary Planting Partial Fix to differentiate between the original fix released in 12.1-RU6-MP1 and the updated issue and fix released in 12.1-RU6-MP3 --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower 9000 Command Injection at Management I/O Command-Line Interface Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower 9000 Series Switch Clickjacking Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-4852) *** http://www.ibm.com/support/docview.wss?uid=swg21970575 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2015-7431) *** http://www.ibm.com/support/docview.wss?uid=swg21970676 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022835 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931 ) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022936 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2015-1829, CVE-2015-3183, CVE-2015-1283, CVE-2015-4947, CVE-2015-2808) *** http://www.ibm.com/support/docview.wss?uid=swg21970056 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022820 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 17-11-2015
by Daily end-of-shift report 17 Nov '15

17 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 16-11-2015 18:00 − Dienstag 17-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Cyber crooks actively hijacking servers with unpatched vBulletin installations *** --------------------------------------------- Administrators of vBulletin installations would do well to install the latest vBulletin Connect updates as soon as possible, as cyber crooks are actively searching for servers running vulnerable versi... --------------------------------------------- http://www.net-security.org/secworld.php?id=19113 *** Windows driver signing bypass by Derusbi *** --------------------------------------------- Derusbi is an infamous piece of malware. The oldest identified version was compiled in 2008. It was used on well-known hacks such as the Mitsubishi Heavy Industries hack discovered in October 2011 or the Anthem hack discovered in 2015. --------------------------------------------- http://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/ *** Developers Are (still) From Mars, Infosec People (still) From Venus *** --------------------------------------------- In March 2011, Brian Honan contributed to an issue of the INSECURE magazine with an article called "Management are from Mars, information security professional are from Venus". This title comes from the John Gray's worldwide bestseller where he presents the relations between men and women. Still today, we can reuse this subject for many purposes. Last week, I... --------------------------------------------- https://blog.rootshell.be/2015/11/17/developers-mars-infosec-people-venus/ *** Why Algebraic Eraser may be the riskiest cryptosystem you've never heard of *** --------------------------------------------- Researchers say there's a fatal flaw in proposed "Internet of things" standard. --------------------------------------------- http://arstechnica.com/security/2015/11/why-algebraic-eraser-may-be-the-mos… *** Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary *** --------------------------------------------- Cybercrime and digital espionage remain the largest threat to digital security in the Netherlands. Geopolitical developments like international conflicts and political sensitivities have a major impact on the scope of this threat. These are key findings from the Cyber Security Assessment Netherlands (CSAN), presented to the House of Representatives by State Secretary Dijkhoff in October, and now available in English. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n… *** Gas- und Öl-Industrie: Leichte Ziele für Hacker *** --------------------------------------------- Sicherheitsforscher warnen davor, dass Cyber-Kriminelle mit vergleichsweise einfachen Methoden einen Großteil der weltweiten Öl-Produktion kontrollieren könnten. --------------------------------------------- http://heise.de/-2922912 *** Bugtraq: Open-Xchange Security Advisory 2015-11-17 *** --------------------------------------------- PGP public keys allow to specify arbitrary "User ID" information that gets encoded to the public key and is presented to OX Guard users at "Guard PGP Settings". Public keys containing such content are still valid. Therefor they can be distributed and in case the uid field contains javascript code, they can be used to inject code. --------------------------------------------- http://www.securityfocus.com/archive/1/536923 *** Cisco Firepower 9000 Unauthenticated File Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** D-Link DIR-645 UPNP Buffer Overflow *** --------------------------------------------- Topic: D-Link DIR-645 UPNP Buffer Overflow Risk: High Text:## Advisory Information Title: Dlink DIR-645 UPNP Buffer Overflow Vendors contacted: William Brown <william.brown(a)dlink.com... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110133 *** D-Link DIR-815 Buffer Overflow / Command Injection *** --------------------------------------------- Topic: D-Link DIR-815 Buffer Overflow / Command Injection Risk: High Text:## Advisory Information Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities Ve... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110135 *** Huawei Security Notice - Statement on Seclists.org Revealing Security Vulnerability in Huawei P8 Smart Phone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…

1 0

Tageszusammenfassung - Montag 16-11-2015
by Daily end-of-shift report 16 Nov '15

16 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 13-11-2015 18:00 − Montag 16-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** BitLocker encryption can be defeated with trivial Windows authentication bypass *** --------------------------------------------- Companies relying on Microsoft BitLocker to encrypt the drives of their employees computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part... --------------------------------------------- http://www.cio.com/article/3005178/bitlocker-encryption-can-be-defeated-wit… *** The November 2015 issue of our SWITCH Security Report is available! *** --------------------------------------------- Dear Reader! A new issue of our monthly SWITCH Security Report has just been released. The topics covered in this report are: No safe harbour in the Land of the Free - EU Court of Justice restricts data transfer to... --------------------------------------------- http://securityblog.switch.ch/2015/11/13/the-november-2015-issue-of-our-swi… *** Websicherheit: Datenleck durch dynamische Skripte *** --------------------------------------------- Moderne Webseiten erstellen häufig dynamischen Javascript-Code. Wenn darin private Daten enthalten sind, können fremde Webseiten diese auslesen. Bei einer Untersuchung von Sicherheitsforschern war ein Drittel der untersuchten Webseiten von diesem Problem betroffen. --------------------------------------------- http://www.golem.de/news/websicherheit-datenleck-durch-dynamische-skripte-1… *** Op-ed: (How) did they break Diffie-Hellman? *** --------------------------------------------- Relax - its not true that researchers have broken the Diffie-Hellman key exchange protocol. --------------------------------------------- http://arstechnica.com/security/2015/11/op-ed-how-did-they-break-diffie-hel… *** More POS malware, just in time for Christmas *** --------------------------------------------- VXers stuff evidence-purging malware in retailer stockings. Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/more_pos_ma… *** Black Hat Europe 2015 slides *** --------------------------------------------- briefings - november 12-13 --------------------------------------------- https://www.blackhat.com/eu-15/briefings.html *** Choosing the Right Cryptography Library for your PHP Project: A Guide *** --------------------------------------------- ... conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library. Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Lets look at some good choices. (We wont cover any terrible choices.) --------------------------------------------- https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-… *** Apple OS X authentication issue when recovering from sleep mode *** --------------------------------------------- When Apple Remote Desktop is used in full screen mode and the remote connection is alive upon entering sleep mode, the text entered in the dialog box upon recovering from sleep mode is sent to the remotely connected host instead of the local host. This may result in command execution at the remote host. --------------------------------------------- http://jvn.jp/en/jp/JVN56210048/index.html *** Programmbibliothek libpng verlangt nach Sicherheitsupdates *** --------------------------------------------- Eine Schwachstelle in libpng kann als Einfallstor für Angreifer dienen, um Anwendungen zum Absturz zu bringen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Programmbibliothek-libpng-verlangt-n… *** Container: CoreOS gibt CVE-Service als Open Source frei *** --------------------------------------------- Der Linux-Distributor CoreOS hat sein Container-Security-Werkzeug Clair als Open-Source-Software freigegeben. Das Tool ist in der Lage, jede einzelne Containerschicht nach Schwachstellen zu durchforsten und im Falle eines Fundes eine Meldung über die Art der Bedrohung zu übermitteln. Hierfür greift Clair auf die CVE-Datenbank (Common Vulnerabilities and Exposures) und ähnliche Ressourcen von Red Hat, Ubuntu, und Debian zurück. Clair hilft allerdings nicht, die... --------------------------------------------- http://www.heise.de/newsticker/meldung/Container-CoreOS-gibt-CVE-Service-al… *** LiME - Linux Memory Extractor *** --------------------------------------------- Features Full Android memory acquisition Acquisition over network interface Minimal process footprint --------------------------------------------- http://www.kitploit.com/2015/11/lime-linux-memory-extractor.html *** DD4BC / Armada Collective: Erpressung mittels DDoS *** --------------------------------------------- DD4BC / Armada Collective: Erpressung mittels DDoS16. November 2015Das ist mal wieder nichts wirklich Neues. Distributed Denial of Service Angriffe gibt es schon lange, das mag mit Turf-Fights in der Rotlicht-Szene angefangen haben, der Angriff auf Estland 2007 hat das Thema groß in die Presse gebracht, und spätestens seit den Angriffen der "Anonymous"-Bewegung sollte das Problem allgemein bekannt sein. Dazu gibt es auch einen Abschnitt in unserem letzten... --------------------------------------------- http://www.cert.at/services/blog/20151116114639-1627.html *** BlackBerry Enterprise Server Input Validation Flaw in Management Console Lets Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1034154 *** D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability *** --------------------------------------------- Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated. --------------------------------------------- http://www.securityfocus.com/archive/1/536886 *** Debian: strongswan security update *** --------------------------------------------- Tobias Brunner found an authentication bypass vulnerability in strongSwan, an IKE/IPsec suite. Due to insufficient validation of its local state the server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin can be tricked into successfully concluding the authentication without providing valid credentials. --------------------------------------------- https://lists.debian.org/debian-security-announce/2015/msg00303.html *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Videoscape Distribution Suite Service Manager Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Software Virtual PPP Interfaces Security Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT Management Center Certificate Validation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Assurance Cross-Site Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** Apache Commons Vulnerability for handling Java object deserialization *** http://www.ibm.com/support/docview.wss?uid=swg21970575 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in GSKit affects IBM DataPower Gateways (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21969271 --------------------------------------------- *** IBM Security Bulletin: Certain cookies missing Secure attribute in IBM DataPower Gateways (CVE-2015-7427) *** http://www.ibm.com/support/docview.wss?uid=swg21969342 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL affect IBM System Networking RackSwitch (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098801 --------------------------------------------- *** IBM Security Bulletin: IBM Cúram Social Program Management contains an Apache Batik Vulnerability (CVE-2015-0250) *** http://www.ibm.com/support/docview.wss?uid=swg21970112 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition *** http://www.ibm.com/support/docview.wss?uid=swg21969225 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in qemu-kvm affects IBM SmartCloud Provisioning for IBM Software Virtual Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21968929 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in FUSE affects PowerKVM (CVE-2015-3202) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022878 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security affected by Opensource PHP Vulnerabilities (CVE-2015-6836 CVE-2015-6837 CVE-2015-6838) *** http://www.ibm.com/support/docview.wss?uid=swg21968353 --------------------------------------------- *** IBM Security Bulletin: GPFS security vulnerabilities in IBM SONAS (CVE-2015-4974 and CVE-2015-4981) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005425 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Mozilla gdk-pixbuf2 affects PowerKVM (CVE-2015-4491) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022833 --------------------------------------------- *** Vulnerability in bind affects AIX (CVE-2015-5722) *** http://www.ibm.com/support/ ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 13-11-2015
by Daily end-of-shift report 13 Nov '15

13 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 12-11-2015 18:00 − Freitag 13-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Using Facebook to log in - safe or not? *** --------------------------------------------- Open up your favorite web site and you can see what this is about right away. There are in many cases two options, an ordinary log-in and "Log in with Facebook". Have you been using the Facebook option? It is quite convenient, isn't it? I was talking to a journalist about privacy a while ago... --------------------------------------------- http://safeandsavvy.f-secure.com/2015/11/12/using-facebook-to-log-in-safe-o… *** MIG Mozilla InvestiGator *** --------------------------------------------- Search through your infrastructure in real-time from the command line --------------------------------------------- https://jve.linuxwall.info/ressources/taf/LISA15/ *** ZipInputStream Armageddon *** --------------------------------------------- Again, again, again .. and again these bugs are turning up because of the general lack of validation occurring on the ZIP contents. In most cases this is probably due to the fact that developers are making assumptions that these ZIP files are not being tampered with, and therefore dont really consider the ramifications. --------------------------------------------- http://rotlogix.com/2015/11/12/zipinputstream-armageddon/ *** botfrei.de: Werbeblocker-Sanktionen "der falsche Weg" *** --------------------------------------------- Das "Anti-Botnet Beratungszentrums" botfrei.de und der Betreiber, der eco Verband der Internetwirtschaft, halten Online-Werbung für wichtig. Sanktionen gegen Werbeblocker würden aber wichtige Nutzerinteressen unberücksichtigt lassen. --------------------------------------------- http://heise.de/-2920022 *** One BadBarcode Spoils Whole Bunch *** --------------------------------------------- At PacSec 2015, researchers demonstrated attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands. --------------------------------------------- http://threatpost.com/one-badbarcode-spoils-whole-bunch/115362/ *** Google Reconnaissance, Sprinter-style, (Fri, Nov 13th) *** --------------------------------------------- When doing security assessments or penetration tests, theres a significant amount of findings that you can get from search engines. For instance, if a client has sensitive information or any number of common vulnerabilities, you can often find those with a Google or Bing search, without sending a single packet to the clients infrastructure. This concept is called google dorking, and was pioneered by Johnny Long back in the day (he has since moved on to other projects see... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20375&rss *** Researchers Discover Two New Strains of POS Malware *** --------------------------------------------- Two new and different strains of point of sale malware have come to light, including one that's gone largely undetected for the past five years. --------------------------------------------- http://threatpost.com/researchers-discover-two-new-strains-of-pos-malware/1… *** Spring Social Core Vulnerability Disclosure *** --------------------------------------------- Today we would like to announce the discovery of a vulnerability in the Spring Social Core library. Spring Social provides Java bindings to popular service provider APIs like GitHub, Facebook, Twitter, etc., and is widely used by developers. All current versions (1.0.0.RELEASE to 1.1.2.RELEASE) of the library are affected by this vulnerability. --------------------------------------------- https://blog.srcclr.com/spring-social-core-vulnerability-disclosure/ *** Unitronics VisiLogic OPLC IDE Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on November 3, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in Unitronics VisiLogic OPLC IDE. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-274-02 *** Security Advisory - App Validity Check Bypass Vulnerability in Huawei P7 Smartphone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Notice - Statement on Black Hat Europe 2015 Revealing Security Vulnerability in Huawei P7 Smart Phone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** DFN-CERT-2015-1761: Jenkins: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1761/ *** Cisco AnyConnect Secure Mobility Client Arbitrary File Move Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software Tunnel Interfaces Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Aironet 1800 Series Access Point SSHv2 Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Donnerstag 12-11-2015
by Daily end-of-shift report 12 Nov '15

12 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 11-11-2015 18:00 − Donnerstag 12-11-2015 18:01 Handler: Robert Waldner Co-Handler: Stephan Richter *** Distributed Vulnerability Search - Told via Access Logs *** --------------------------------------------- Sometimes just a few lines of access logs can tell a whole story: Many ongoing attacks against WordPress and Joomla sites use a collection of known vulnerabilities in many different plugins, themes and components. This helps hackers maximize the number of sites they can compromise. Google Dorks Do you ever think about how hackers find... --------------------------------------------- https://blog.sucuri.net/2015/11/distributed-vulnerability-search-told-via-a… *** Latest Android phones hijacked with tidy one-stop-Chrome-pop *** --------------------------------------------- Chinese researcher burns exploit for ski trip. PacSec: Googles Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/mobile_pwn2… *** Samsung S6 calls open to man-in-the-middle base station snooping *** --------------------------------------------- Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phones baseband processor (the chip that handles voice calls, and which isnt directly accessible to end users). ... The Register would speculate that since the Qualcomm silicon in question isnt unique to Samsung kit, other researchers are probably setting to work... --------------------------------------------- http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/ *** Geschäftsgeheimnisse: Sicherheitsforscher warnt vor TTIP *** --------------------------------------------- Das Freihandelsabkommmen TTIP hat eine weitere Gegnergruppe: IT-Sicherheitsforscher. Das jedenfalls sagt René Pfeiffer, Organisator der Deepsec in Wien. Er fürchtet, dass Informationen über Sicherheitsrisiken damit noch stärker unterbunden werden. --------------------------------------------- http://www.golem.de/news/geschaeftsgeheimnisse-sicherheitsforscher-warnt-vo… *** Outlook-Probleme: Microsoft fixt Sicherheits-Update für Windows *** --------------------------------------------- Microsoft hat ein fehlerhaftes Update zurückgezogen und durch eine gefixte Version ersetzt. Nach der Installation soll Outlook nicht mehr abstürzen. Doch es gibt noch weitere Probleme. --------------------------------------------- http://heise.de/-2919456 *** Pentesting SAP Applications : An Introduction *** --------------------------------------------- Introduction to SAP SAP (Systems-Applications-Products) is a software suite that offers standard business solutions; it is used by thousands of customers across the globe to manage their business. In other words, SAP systems provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel and many more tasks. Before we jump... --------------------------------------------- http://resources.infosecinstitute.com/pen-stesting-sap-applications-part-1/ *** EMV Protocol Fuzzer *** --------------------------------------------- The world-wide introduction of the Europay, MasterCard and Visa standard (EMV), to facilitate communication between smartcards and EMV-enabled devices, such as point-of-sale (POS) terminals and automatic teller machines (ATMs), has altered the security landscape of the daily markets. Surprisingly limited public research exists addressing security aspects of hardware and software specific implementations. This is something we wanted to put right and therefore started a new research programme to... --------------------------------------------- https://labs.mwrinfosecurity.com/blog/2015/11/11/emv-protocol-fuzzer/ *** Got a time machine? Good, you can brute-force 2FA *** --------------------------------------------- Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), its too easy for a sysadmin to put together an attackable implementation. As he explains in two posts.., if an attacker can trick NTP, they can mount a brute-force attack against the security tokens produced by Google Authenticator (the example in the POC) and a bunch of other Time-based One-time Password Algorithm-based (TOTP) 2FA mechanisms. --------------------------------------------- http://www.theregister.co.uk/2015/11/12/got_a_time_machine_good_you_can_bru… *** Spam and phishing in Q3 2015 *** --------------------------------------------- The dating theme is typical for spam emails, but in the third quarter of 2015 we couldn't help but notice the sheer variety appearing in these types of mailings. We came across some rather interesting attempts to deceive recipients and to bypass filters, as well as new types of spam mailings that were bordering on fraud. --------------------------------------------- https://securelist.com/analysis/quarterly-spam-reports/72724/spam-and-phish… *** Oracle WebLogic Server: CVE-2015-4852 patched, (Thu, Nov 12th) *** --------------------------------------------- Lost in the hoopla around Microsoft and Adobe patch Tuesday was a critical patch released by Oracle which addressed CVE-2015-4852. CVE-2105-4852is a critical vulnerability in Apache Commons which affects Oracle WebLogic Server. This vulnerability permits remote exploitation without authentication and should be patchedas soon as practical. More information can be found at the Oracle Blog. -- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ -... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20369&rss *** Cisco Cloud Web Security DNS Hijack, (Thu, Nov 12th) *** --------------------------------------------- We have received a report that a domain critical in delivering the Cisco Cloud Web Security product had for a while earlier today been hijacked. The report indicates thatthe DNS entrys forscansafe.net were hijacked and pointed to 208.91.197.132, a site which both VirusTotal and Web of Trust indicate has a reputation for delivering malware.">Guidance that has been provided to customers is that the issue has been resolved but that the TTL on the DNS entries are 48 hours so it will take a... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20371&rss *** Volatility 2.5 released *** --------------------------------------------- This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code... --------------------------------------------- http://www.volatilityfoundation.org/?_escaped_fragment_=25/c1f29 *** Die Apache Software Foundation zu dem Java Commons Collection/Java (De)Serialization Problem *** --------------------------------------------- Die Apache Software Foundation zu dem Java Commons Collection/Java (De)Serialization Problem12. November 2015Die Apache Software Foundation hat dazu einen ausführlichen Blog-Post verfasst. Die Money Quote daraus: "Even when the classes implementing a certain functionality cannot be blamed for this vulnerability, and fixing the known cases will also not make the usage of serialization in an untrusted context safe, there is still demand to fix at least the known cases, even when this... --------------------------------------------- http://www.cert.at/services/blog/20151112140918-1625.html *** R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities *** --------------------------------------------- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Stored cross-site scripting vulnerabilitity was also discovered. The issue is triggered when input passed via multiple POST parameters is not properly sanitized before being returned to the user. This can be exploited to execute... --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5274.php *** Cisco FireSight Management Center Web Framework Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Google Picasa CAMF Section Integer Overflow Vulnerability *** --------------------------------------------- 2) Severity Rating: Highly critical Impact: System Access Where: From remote ... 4) Solution Update to version 3.9.140 Build 259. --------------------------------------------- http://www.securityfocus.com/archive/1/536878 *** Citrix XenServer Security Update for CVE-2015-5307 and CVE-2015-8104 *** --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1. --------------------------------------------- http://support.citrix.com/article/CTX202583 *** Security Notice - Statement on Security Researchers Revealing a Security Vulnerability in Huawei HG630a&HG630a-50 on Packet Storm Website *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…

1 0

Tageszusammenfassung - Mittwoch 11-11-2015
by Daily end-of-shift report 11 Nov '15

11 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 10-11-2015 18:00 − Mittwoch 11-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** November 2015 Security Update Release Summary *** --------------------------------------------- Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library. MSRC Team --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2015/11/10/november-2015-security-u… *** MSRT November 2015: Detection updates *** --------------------------------------------- The Microsoft Malicious Software Removal Tool (MSRT) is updated monthly with new malware detections - so far this year we have added 29 malware families. This month we are updating our detections for some of the malware families already included in the tool. We choose the malware families we add to the MSRT each month using several criteria. One of the most common reasons is the prevalence of a family in the malware ecosystem. For example, in recent months we focused on... --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/11/10/msrt-november-2015-detec… *** Patchday: Adobe pflegt den Flash-Patienten *** --------------------------------------------- Flash liegt mal wieder auf dem OP-Tisch und wird geflickt. Nutzer sollten ihren Flash-Patienten zügig behandeln, denn die Lücken gelten als kritisch. Exploits sollen aber noch nicht kursieren. --------------------------------------------- http://www.heise.de/newsticker/meldung/Patchday-Adobe-pflegt-den-Flash-Pati… *** What You Should Know about Triangulation Fraud and eBay *** --------------------------------------------- The increasing phenomenon of triangulation fraud on eBay has led to a published analysis on behalf of the company, as to how buyers should get informed and what they should pay attention to. Over the past few months, a new phenomenon has risen and its proportions have been growing exponentially. It seems that, even if... --------------------------------------------- http://securityaffairs.co/wordpress/41891/cyber-crime/triangulation-fraud-a… *** Symantec Endpoint Protection: Alte Sicherheitslücke bricht wieder auf *** --------------------------------------------- Eine totgeglaubte Schwachstelle ist wieder da, da ein älterer Patch nur Teile des Problems angegangen ist. Das aktuelle Update für Symantecs Endpoint Protection soll es nun richten und noch weitere Schwachstellen abdichten. --------------------------------------------- http://www.heise.de/newsticker/meldung/Symantec-Endpoint-Protection-Alte-Si… *** What Happens to Hacked Social Media Accounts *** --------------------------------------------- This article is going to look at a few reasons why a social media account is hacked. The goal is for you to understand why you will want to better protect your account, regardless of whether or not you see yourself as "important". --------------------------------------------- http://www.tripwire.com/state-of-security/security-awareness/what-happens-t… *** InstaAgent: Passwort-sammelnder Instagram-Client fliegt aus App Store und Google Play *** --------------------------------------------- Die App, die Nutzern verschiedene Zusatzinformationen zu ihrem Profil bei Facebooks populärem Foto-Dienst verspricht, sendete offenbar Instagram-Benutzernamen und Passwort im Klartext an einen Dritt-Server. --------------------------------------------- http://heise.de/-2917792 *** GasPot Integrated Into Conpot, Contributing to Open Source ICS Research *** --------------------------------------------- In August of this year, we presented at Blackhat our paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. GasPot was a honeypot designed to mimic the behavior of the Guardian AST gas-tank-monitoring system. It was designed to look like no other existing honeypot, with each instance being unique to make fingerprinting by attackers impossible. These were deployed within networks located in various countries, to give us a complete picture of the attacks... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4jNwbTj60bk/ *** Questions are the answeres - How to avoid becoming the blamed victim *** --------------------------------------------- "You have to ask questions", I say. Questions before, during, and after a breach. If you ask the right questions at the right time, you'll be able to make better decisions than the knee-jerk ones you've been making. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/questions-are-the-answ… *** TA15-314A: Web Shells - Threat Awareness and Guidance *** --------------------------------------------- Original release date: November 10, 2015 Systems Affected Web servers that allow web shells Overview This alert describes the frequent use of web shells as an exploitation vector. Web shells can be used to obtain unauthorized access and can lead to wider network compromise. This alert outlines the threat and provides prevention, detection, and mitigation strategies.Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.This... --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA15-313A *** Bugtraq: [security bulletin] HPSBGN03507 rev.2 - HP Arcsight Management Center, Arcsight Logger, Remote Cross-Site Scripting (XSS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/536877 *** Huawei HG630a / HG630a-50 Default SSH Admin Password *** --------------------------------------------- Topic: Huawei HG630a / HG630a-50 Default SSH Admin Password Risk: High Text:# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems # Date: 10.11.2015 # Exploit Author: M... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110087 *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Input Validation Vulnerability in Huawei VP9660 Products *** http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… --------------------------------------------- *** Security Advisory - Directory Traversal Vulnerability in Huawei AR Router *** http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Huawei U2990 and U2980 *** http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Huawei eSpace 8950 IP Phone *** http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Huawei eSpace 7900 IP Phone *** http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… --------------------------------------------- *** ZDI-15-549: AlienVault Unified Security Management av-forward Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/eDK-If3dTI8/ *** ZDI-15-548: AlienVault Unified Security Management Local Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to escalate privileges to root on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/TpChWMSd5n0/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM FileNet eForms is affected by vulnerabilities in Apache HttpComponents(CVE-2012-6153 and CVE-2014-3577) *** http://www.ibm.com/support/docview.wss?uid=swg21962659 --------------------------------------------- *** IBM Security Bulletin: IBM Forms Server could be affected by a denial of service attack (CVE-2013-4517) *** http://www.ibm.com/support/docview.wss?uid=swg21962659 --------------------------------------------- *** IBM Security Bulletin: Fix Available for Denial of Service Vulnerability in IBM WebSphere Portal (CVE-2015-7419) *** http://www.ibm.com/support/docview.wss?uid=swg21969906 --------------------------------------------- *** IBM Security Bulletin: Additional Password Disclosure via application tracing in FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-7404 *** http://www.ibm.com/support/docview.wss?uid=swg21969514 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libuser affect Power Hardware Management Console (CVE-2015-3245 CVE-2015-3246) *** http://www.ibm.com/support/docview.wss?uid=nas8N1020961 --------------------------------------------- *** IBM Security Bulletin: IBM Cúram Social Program Management is vulnerable to a SQL injection attack *** http://www.ibm.com/support/docview.wss?uid=swg21967851 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector and IBM CommonStore for Lotus Domino (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21969654 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM WebSphere MQ *** http://www.ibm.com/support/docview.wss?uid=swg21970103 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Expeditor (CVE-2015-4000) *** http://www.ibm.com/support/docview.wss?uid=swg21959292 --------------------------------------------- *** Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098822 --------------------------------------------- *** IBM Security Bulletin: IBM FileNet eForms is affected by vulnerabilities in Apache HttpComponents(CVE-2012-6153 and CVE-2014-3577) *** http://www.ibm.com/support/docview.wss?uid=swg21970090 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 10-11-2015
by Daily end-of-shift report 10 Nov '15

10 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 09-11-2015 18:00 − Dienstag 10-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** The Internet of Bad Things, Observed *** --------------------------------------------- In his VB2015 keynote address, Ross Anderson described attacks against EMV cards.The VB2015 opening keynote by Ross Anderson could hardly have been more timely. In his talk "The Internet of Bad Things, Observed", the Cambridge professor looked at various attacks against the EMV standard for payment cards - attacks that have been used to steal real money from real people.Such cards, often called chip-and-PIN or chip-and-signature, are generally seen as better protected against... --------------------------------------------- http://www.virusbtn.com/blog/2015/11_10.xml?rss *** Linux.Encoder.1: Ransomware greift Magento-Nutzer an *** --------------------------------------------- Eine Malware für Linux verschlüsselt zurzeit die Daten von Nutzern des Magento-Shopsystems. Für die Entschlüsselung sollen die Opfer zahlen, doch die Angreifer haben geschlampt: Die Verschlüsselung lässt sich knacken. --------------------------------------------- http://www.golem.de/news/linux-encoder-1-ransomware-greift-magento-nutzer-a… *** Comodo fixes bug, revokes banned certificates *** --------------------------------------------- After reporting last week that it had issued banned certificates that could facilitate man in the middle (MitM) attacks, Comodo has fixed the "subtle bug" that the companys Senior Research and Development Scientist Rob Stradling wrote prompted the problem. --------------------------------------------- http://www.scmagazine.com/comodo-fixes-bug-revokes-banned-certificates/arti… *** Proof-of-concept threat is reminder OS X is not immune to crypto ransomware *** --------------------------------------------- Symantec analysis confirms that in the wrong hands, Mabouia ransomware could be used to attack Macs. Twitter Card Style: summary Analysis by Symantec has confirmed that the proof-of-concept (PoC) threat known as Mabouia works as described and could be used to create functional OS X crypto ransomware if it fell into the wrong hands.read more --------------------------------------------- http://www.symantec.com/connect/blogs/proof-concept-threat-reminder-os-x-no… *** Protecting Users and Enterprises from the Mobile Malware Threat, (Mon, Nov 9th) *** --------------------------------------------- With recent news of mobile malicious adware that roots smartphones, attention is again being paid to mobile security and the malware threat that is posed to it. While mobile ransomware is also a pervasive and growing threat, there are mobile RATs (such as JSocket and OmniRAT) that are also able to take full remote control of mobile devices. Some of the functionality of those tolls includes the ability to use the microphone to listen in on victims and to view whatever is in front of the camera... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20355&rss *** Cisco Connected Grid Network Management System Privilege Escalation Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix XenServer Security Update for CVE-2015-5307 and CVE-2015-8104 *** --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host. ... --------------------------------------------- http://support.citrix.com/article/CTX202583 *** PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes *** --------------------------------------------- A bug was found using afl-fuzz in our packet parsing code. This bug, when exploited, causes an assertion error and consequent termination of the the pdns_server process, causing a Denial of Service. ... PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are affected. The PowerDNS Recursor is not affected. --------------------------------------------- https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/

1 0

Tageszusammenfassung - Montag 9-11-2015
by Daily end-of-shift report 09 Nov '15

09 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 06-11-2015 18:00 − Montag 09-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** ICYMI: Widespread Unserialize Vulnerability in Java, (Mon, Nov 9th) *** --------------------------------------------- On Friday, a blog post from Fox Glove Security was posted that details a widespread Java unserialize vulnerability that affects all the major flavors of middleware (WebSphere, WebLogic, et al). There is a lot of great details, including exploitation instructions for pentesters, in the post so go take a look. It didnt get much press because admittedly its complicated to explain. It also doesnt have a logo. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20353&rss *** SSH-Client PuTTY 0.66 schließt Sicherheitslücke *** --------------------------------------------- Die neue Version des SSH- und Telnet-Clients bringt ein paar kleine Verbesserungen und Fehlerkorrekturen. Zudem wurde eine Sicherheitslücke geschlossen. --------------------------------------------- http://www.heise.de/newsticker/meldung/SSH-Client-PuTTY-0-66-schliesst-Sich… *** Gratis-WLAN: Welche Risiken es gibt und wie man sich schützt *** --------------------------------------------- Ein öffentliches Netzwerk ist praktisch, Nutzer sollten sich aber nicht blindlings einloggen --------------------------------------------- http://derstandard.at/2000025293625 *** Guide to application whitelisting *** --------------------------------------------- The National Institute of Standards and Technology (NIST) has published a guide to deploying automated application whitelisting to help thwart malicious software from gaining access to organizations' computer systems. --------------------------------------------- http://www.net-security.org/secworld.php?id=19079 *** Dangerous bugs leave open doors to SAP HANA systems *** --------------------------------------------- The most serious software flaws ever have been found in SAPs HANA platform, the in-memory database platform that underpins many of the German companys products used by large companies.Eight of the flaws are ranked critical, the highest severity rating ... --------------------------------------------- http://www.cio.com/article/3003054/dangerous-bugs-leave-open-doors-to-sap-h… *** Vbulletin 5.1.X Unserialize Preauth RCE Exploit *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110060 *** Ransomware meets CMS / Linux *** --------------------------------------------- Ransomware am PC gibt es schon seit Jahren: Die Malware sperrt/verschlüsselt den infizierten PC und verlangt Lösegeld dafür, damit der User weiterarbeiten kann.Dass schlecht gewartete Webseiten mit Joomla, Wordpress, Drupal & co ein Fressen für Hacker sind, ist auch nichts neues. Wir sehen regelmäßig Wellen an Defacements und Exploitpacks, wenn mal wieder jemand das Ausnutzen einer Web-Schwachstelle automatisiert. --------------------------------------------- http://www.cert.at/services/blog/20151109095947-1618.html *** Google AdWords API client libraries - XML eXternal Entity Injection (XXE) *** --------------------------------------------- Confirmed in googleads-php-lib <= 6.2.0 for PHP, AdWords libraries: googleads-java-lib for Java, and googleads-dotnet-lib for .NET are also likely to be affected. --------------------------------------------- http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injecti… *** Closing the Open Door of Java Object Serialization *** --------------------------------------------- If you can communicate with a JVM using Java object serialization using java.io.ObjectInputStream, then you can send a class that can execute commands against the OS from inside of the readObject method, and thereby get shell access. Once you have shell access, you can modify the Java server however you feel like. This is a class of exploit called 'deserialization of untrusted data', aka CWE-502. It's a class of bug that has been encountered from Python, PHP, and from Rails. --------------------------------------------- https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-se… *** Protecting Windows Networks - Defeating Pass-the-Hash *** --------------------------------------------- Pass-the-hash is popular attack technique to move laterally inside the network that relies on two components - the NTLM authentication protocol and ability to gain password hashes. This attack allows you to log in on the systems via stolen hash instead of providing clear text password, so there is no need to crack those hashes. To make use of this attack, attacker already has to have admin rights on the box, which is a plausible scenario in a modern "assume breach" mindset. --------------------------------------------- https://dfirblog.wordpress.com/2015/11/08/protecting-windows-networks-defea… *** Security Notice - Statement about Path Traversal Vulnerability in Huawei HG532 Routers Disclosed by CERT/CC *** --------------------------------------------- It is confirmed that some customized versions of Huawei HG532, HG532e, HG532n, and HG532s have this vulnerability. Huawei has prepared a fixed version for affected carriers and is working with them to release the fixed version. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** No surprise here: Adobes Flash is a hackers favorite target *** --------------------------------------------- Adobe Systems Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers. --------------------------------------------- http://www.cio.com/article/3002668/no-surprise-here-adobes-flash-is-a-hacke… *** Joomla CMS - Bad Cryptography - Multiple Vulnerabilities *** --------------------------------------------- heres a complete enumeration of what Ive found: - JCrypt: Silent fallback to a weak, userspace PRNG (which is very bad for cryptography purposes) - JCryptCipherSimple: Homegrown weak cipher (XOR-ECB) - JCryptCipher: Chosen ciphertext attacks (no authentication) - JCryptCipher: Data corruption / padding oracle attack - JCryptCipher: Static IV for CBC mode (stored with JCryptKey under the misnomer property, "public") -- this sort of defeats the purpose of using CBC mode - JCryptPasswordSimple: PHP Non-Strict Type Comparison (a.k.a. Magic Hash vulnerability) --------------------------------------------- http://www.openwall.com/lists/oss-security/2015/11/08/1 *** HTTP Evasions Explained - Part 7 - Lucky Numbers *** --------------------------------------------- This is part seven in a series which will explain the evasions done by HTTP Evader. This part will be about using the wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the tests reports Ive got it is enough to use a status code of 100 instead of 200 to bypass analysis and at least Chrome, IE and Edge will download the data even with this wrong status code: --------------------------------------------- http://noxxi.de/research/http-evader-explained-7-lucky-number.html *** Security Advisory: Linux kernel vulnerability CVE-2014-9419 *** --------------------------------------------- F5 Product Development has assigned ID 530413 (BIG-IP), ID 530553 (BIG-IQ), ID 530554 (Enterprise Manager), ID 520651 (FirePass), ID 461496 (ARX), and INSTALLER-1299 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17551.htm… *** IBM Security Bulletins *** --------------------------------------------- *** Vulnerabilities in Qemu affect PowerKVM (Multiple Vulnerabilities) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022875 --------------------------------------------- *** IBM Smart Analytics System 5600 is affected by vulnerabilities in IBM GPFS (CVE-2015-4974, CVE-2015-4981) *** http://www.ibm.com/support/docview.wss?uid=swg21969198 --------------------------------------------- *** Authentication Bypass vulnerability found in IBM Sterling B2B Integrator (CVE-2015-5019) *** http://www.ibm.com/support/docview.wss?uid=swg21967781 --------------------------------------------- *** IBM Smart Analytics System 5600 is affected by a vulnerability in BIND (CVE-2015-5722) *** http://www.ibm.com/support/docview.wss?uid=swg21964962 --------------------------------------------- *** Vulnerability in Net-SNMP affects PowerKVM (CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022903 --------------------------------------------- *** Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement. *** http://www.ibm.com/support/docview.wss?uid=swg21969875 --------------------------------------------- *** Multiple OpenSSL Vulnerabilities affect IBM WebSphere MQ 5.3 on HP NonStop (CVE-2015-1788) (CVE-2015-1789) (CVE-2015-1791) *** http://www.ibm.com/support/docview.wss?uid=swg21966723 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator *** https://www-304.ibm.com/support/docview.wss?uid=swg21969901 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 6-11-2015
by Daily end-of-shift report 06 Nov '15

06 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 05-11-2015 18:00 − Freitag 06-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** jQuery.min.php Malware Affects Thousands of Websites *** --------------------------------------------- Fake jQuery injections have been popular among hackers since jQuery itself went mainstream and became one of the most widely adopted JavaScript libraries. Every now and then we write about such attacks. Almost every week we see new fake jQuery domains and scripts that mimic jQuery. --------------------------------------------- https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of… *** OmniRAT malware scurrying into Android, PC, Mac, Linux systems *** --------------------------------------------- Leverages Stagefright scare for installs As police across Europe crack down on the use of the DroidJack malware, a similar software nasty has emerged that can control not just Android, but also Windows, Mac, and Linux systems and is being sold openly at a fraction of the cost. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/omnirat_mal… *** Check Point Discovers Critical vBulletin 0-Day *** --------------------------------------------- As widely reported, the main vBulletin.org forum was compromised earlier this week and an exploit for a vBulletin 0-day was up for sale in online markets. A patch later released by vBulletin fixes the vulnerability reported, but fails to neither credit any reporting nor mention the appropriate CVE number. As the vulnerability is now fixed and an exploit exists in the wild with public analyses, we follow with the technical description as submitted to vBulletin. --------------------------------------------- http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulle… *** Peter Kieseberg @ 5th KIRAS Fachtagung *** --------------------------------------------- Today Peter Kieseberg (SBA Research) presented the results of the SCUDO-Project together with Alexander Szönyi (Thales Austria) and Wolfgang Rosenkranz (Repuco) at the 5th 'KIRAS Fachtagung' in the Austria Trend Hotel Savoyen Vienna. This project was focused on the development of a training process for defence simulation trainings in the area of critical infrastructures ... --------------------------------------------- https://www.sba-research.org/2015/11/05/peter-kieseberg-5th-kiras-fachtagun… *** Bundestag will Mitarbeitern Flash verbieten *** --------------------------------------------- Nach dem schweren Hackerangriff vor rund sechs Monaten will der Deutsche Bundestag mit einigen Maßnahmen die IT-Sicherheit erhöhen. Mitarbeiter und Abgeordnete sollen zu längeren Passwörtern und PINs mit mindestens acht Zeichen verpflichtet werden, außerdem werden Flash und andere Browsererweiterungen von den Rechnern verbannt, wie Spiegel Online unter Berufung auf ein internes Dokument der Bundestagsverwaltung berichtet. --------------------------------------------- http://www.golem.de/news/nach-hackerangriff-bundestag-will-flash-verbieten-… *** Slides from RUXCON, Oct. 24-25, Melbourne *** --------------------------------------------- * DNS as a Defense Vector, Paul Vixie * High Performance Fuzzing, Richard Johnson * MalwAirDrop: Compromising iDevices via AirDrop, Mark Dowd * Broadcasting Your Attack: Security Testing DAB Radio In Cars, Andy Davis * Windows 10: 2 Steps Forward, 1 Step Back, James Forshaw ... --------------------------------------------- https://ruxcon.org.au/slides/?year=2015 *** Tracking HTTP POST data with ELK, (Fri, Nov 6th) *** --------------------------------------------- The Apache webserver has a very modular logging system. It is possible to customize what to log and how. But it lacks in logging data submitted to the server via POST HTTP requests. Recently, I had to investigate suspicious HTTP traffic and one of the requirements was to analyze POST data. If you already have a solution which performs full packet capture, youre lucky but it could quickly become a pain to search for information across gigabytes of PCAP files. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20345&rss *** Encryption ransomware threatens Linux users *** --------------------------------------------- November 6, 2015 Doctor Web warns users about new encryption ransomware targeting Linux operating systems. Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan. --------------------------------------------- http://news.drweb.com/show/?i=9686&lng=en&c=9 *** Advantech EKI Hard-coded SSH Keys Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a hard-coded SSH key vulnerability in Advantech's EKI-122X series products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01 *** ICIT Brief: Know Your Enemies - A Primer on Advanced Persistent Threat Groups *** --------------------------------------------- This primer provides an overview of the threat landscape, attack vectors, size and sophistication of threat actors. Some of the Groups and Platforms include: The Elderwood Platform, Topsec, Axiom, Hidden Lynx, Deep Panda, PLA Unit 61398, Putter Panda, Tarh Andishan, Ajax, Bureau 121, Energetic Bear, Uroburos, APT 28, Hammertoss, CrazyDuke, Sandworm, Syrian Electronic Army, Anonymous and Butterfly Group among others. --------------------------------------------- http://icitech.org/icit-brief-know-your-enemies-a-primer-on-advanced-persis… *** Security Advisory: NTP vulnerability CVE-2015-7704 *** --------------------------------------------- An off-path attacker can send a crafted Kiss of Death (KoD) packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17566.htm… *** Security Advisory - DoS Vulnerability in GPU Driver of Huawei Products *** --------------------------------------------- Some Huawei products have a DoS vulnerability. An attacker may trick a user into installing a malicious application and use it to input invalid parameters into the GPU driver program of the products, which can crash the system of the device. (Vulnerability ID: HWPSIRT-2015-09017) This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7740. Huawei has released software updates to fix these vulnerabilities. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Advisory - DoS Vulnerability in Camera Driver of Huawei Products *** --------------------------------------------- Some Huawei products have a DoS vulnerability. An attacker who has the system or camera permission can input invalid parameters into the camera driver program to crash the system. (Vulnerability ID: HWPSIRT-2015-09013) Huawei has released software updates to fix these vulnerabilities. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…

1 0

Tageszusammenfassung - Donnerstag 5-11-2015
by Daily end-of-shift report 05 Nov '15

05 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 04-11-2015 18:00 − Donnerstag 05-11-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** A Technical Look At Dyreza *** --------------------------------------------- Inside the core of Dyreza - a look at its malicious functions and their implementation.Categories: Malware AnalysisTags: dyrezamalware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyre… *** Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice, (Thu, Nov 5th) *** --------------------------------------------- Introduction Since Monday 2015-10-26, weve noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and Techhelplist.com has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8 to name a few]. For this diary, well take a closer look at the emails and associated CryptoWall --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20333&rss *** CryptoWall 4.0 Released with a New Look and Several New Features *** --------------------------------------------- The fourth member of the CryptoWall family of ransomware, CryptoWall 4.0, has just been released, complete with new features and a brand new look. We recently reported that CryptoWall 3.0 has allegedly caused over $325 million in annual damages. CryptoWall first emerged in April 2014. Its first major upgrade was dubbed CryptoWall 2.0, and first emerged in October... --------------------------------------------- http://securityaffairs.co/wordpress/41718/cyber-crime/cryptowall-4-0-releas… *** SSL-Zertifikate: Microsoft will sich schon nächstes Jahr von SHA-1 trennen *** --------------------------------------------- Die Firma überlegt ob der neuen Qualität von Angriffen auf den Hash-Algorithmus, diesen schon Mitte 2016 auf die verbotene Liste zu setzen. Google und Mozilla gehen ähnliche Wege. --------------------------------------------- http://heise.de/-2880134 *** Mabouia: The first ransomware in the world targeting MAC OS X *** --------------------------------------------- Rafael Salema Marques, a Brazilian researcher, published a PoC about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X. Imagine this scenario: You received a ransom warning on your computer stating that all your personal files had been locked. In order to unlock the files, you would have to pay $500. --------------------------------------------- http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-ma… *** Meet the Android rooting adware that cannot be removed *** --------------------------------------------- Researchers have identified a new strain of malicious adware that is impossible for affected Android device owners to uninstall. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Prm6r3X3tzk/ *** No C&C server needed: Russia menaced by offline ransomware *** --------------------------------------------- Harder to take down, nyet? Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/offline_ran… *** Thousands of legitimate iOS apps discovered containing ad library backdoors *** --------------------------------------------- More than 2,000 iOS apps stocked in Apples legitimate App Store reportedly contained backdoored versions of an ad library, which could have allowed for surveillance without users knowledge. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/nxOb5Ac0sYo/ *** The Omnipresence of Ubiquiti Networks Devices on the Public Web *** --------------------------------------------- There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices.Further information about these attacks is available at:Krebs on Security: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberhe… Research: https://www.incapsula.com/blog/ddos-botnet-soho-router.htmlCARISIRT --------------------------------------------- http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.h… *** vBulletin Exploits in the Wild *** --------------------------------------------- The vBulletin team patched a serious object injection vulnerability yesterday, that can lead to full command execution on any site running on an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As aRead More The post vBulletin Exploits in the Wild appeared first on Sucuri Blog. --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/NNlPrHaDARs/vbulletin-exploit… *** TalkTalk, Script Kids & The Quest for "OG" *** --------------------------------------------- So youve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inboxs recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity... --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/im8m6Imwfsk/ *** Connecting the Dots in Cyber Threat Campaigns, Part 2: Passive DNS *** --------------------------------------------- This is the second part of our series on "connecting the dots", where we investigate ways to link attacks together to gain a better understanding of how they are related. In Part 1, we looked... --------------------------------------------- http://feedproxy.google.com/~r/PaloAltoNetworks/~3/7x_ynKHJKns/ *** Xen Project 4.5.2 Maintenance Release Available *** --------------------------------------------- I am pleased to announce the release of Xen 4.5.2. Xen Project Maintenance releases are released roughly every 4 months, in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release. --------------------------------------------- https://blog.xenproject.org/2015/11/05/xen-project-4-5-2-maintenance-releas… *** Open-Xchange Input Validation Flaw in Printing Dialogs Lets Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1034018 *** Bugtraq: [KIS-2015-10] Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536839 *** Bugtraq: [KIS-2015-09] Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536838 *** MIT Kerberos Multiple Bugs Let Remote Users Cause the Target Service to Crash *** --------------------------------------------- http://www.securitytracker.com/id/1034084 *** [2015-11-05] Insecure default configuration in Ubiquiti Networks products *** --------------------------------------------- Ubiquiti Networks products have remote administration enabled by default (WAN port). Additionally these products use the same certificates and private keys for administration via HTTPS. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise ... --------------------------------------------- http://support.citrix.com/article/CTX202404 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ is affected by multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 5, 6 & 7 *** http://www.ibm.com/support/docview.wss?uid=swg21968485 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to Denial of Service Attack. (CVE-2014-0230) *** http://www.ibm.com/support/docview.wss?uid=swg21970036 --------------------------------------------- *** IBM Security Bulletin: Openstack Nova vulnerability affects IBM Cloud Manager with OpenStack (CVE-2015-2687) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022691 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM DB2 LUW (CVE-2015-0204) *** http://www.ibm.com/support/docview.wss?uid=swg21968869 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21969911 --------------------------------------------- *** PowerHA SystemMirror privilege escalation vulnerability (CVE-2015-5005) *** http://www.ibm.com/support/ --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to change work orders that the user should not have access to change (CVE-2015-7395 ) *** http://www.ibm.com/support/docview.wss?uid=swg21969072 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1022785 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022786 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSLP affects PowerKVM (CVE-2015-5177) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022876 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Python-httplib2 affects PowerKVM (CVE-2013-2037) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022877 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in lcms affects PowerKVM (CVE-2015-4276) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022834 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Libcrypt++ affects PowerKVM (CVE-2015-2141) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022879 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in lighttpd affects PowerKVM (CVE-2015-3200) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022837 --------------------------------------------- *** IBM Security Bulletin:Vulnerabilities in wpa_supplicant may affect PowerKVM (CVE-2015-1863 and CVE-2015-4142) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022832 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libXfont affect PowerKVM (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022787 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Mozilla NSS affects PowerKVM (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022790 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability could expose user personal data in IBM WebSphere Commerce (CVE-2015-5015) *** http://www.ibm.com/support/docview.wss?uid=swg21969174 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager is affected by a vulnerability from FSM's use of strongswan: (CVE-2015-4171) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022817 --------------------------------------------- *** IBM Security Bulletin: IBM Netezza Host Management is vulnerable to a BIND 9 utility issue (CVE-2015-5722) *** http://www.ibm.com/support/docview.wss?uid=swg21966952 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 4-11-2015
by Daily end-of-shift report 04 Nov '15

04 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 03-11-2015 18:00 − Mittwoch 04-11-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Return of the EXIF PHP Joomla Backdoor *** --------------------------------------------- Our Remediation and Research teams are in constant communication and collaboration. It's how we stay ahead of the latest threats, but it also presents an opportunity to identify interesting threats that aren't new but may be reoccuring. Such as today's post, in which we explore a case we shared close to two years ago where... --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/VZAI0vVYGjI/exif-php-joomla-b… *** Researchers map out hard-to-kill, multi-layered spam botnet *** --------------------------------------------- A dropper component sent to the Akamai researchers led them to the discovery of a spamming botnet that consists of at least 83,000 compromised systems. The botnet is multi-layered, decentralized, a... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/B72jnhO-1Ds/secworld.php *** Nach Hack des Support-Forums: Mysteriöser vBulletin-Patch erschienen *** --------------------------------------------- Nach einem Angriff auf das offizielle Support-Forum der Forensoftware vBulletin ist ein Sicherheitsupdate erschienen. Ob dies die Lücke stopft, die bei dem Angriff ausgenutzt wurde, ist nicht ganz klar. --------------------------------------------- http://heise.de/-2869989 *** Internet Wide Scanners Wanted, (Wed, Nov 4th) *** --------------------------------------------- In our data, we often find researchers performing internet wide scans. To better identify these scans, we would like to add a label to these IPs identifying them as part of a research project. If you are part of such a project, or if you know of a project, please let me know. You can submit any information as a comment or via our contact form. If the IP addresses change often, then a URLs with a parseable list would be appreciated to facilitate automatic updates. --- Johannes B. Ullrich, Ph.D. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20337&rss *** GovRAT, the malware-signing-as-a-service platform in the underground *** --------------------------------------------- Security Experts at InfoArmor discovered GovRAT, a malware-signing-as-a-service platform that is offered to APT groups in the underground. In the past, I have explained why digital certificates are so attractive for crooks and intelligence agencies, one of the most interesting uses is the signature of malware code in order to fool antivirus. Naturally, digital certificates... --------------------------------------------- http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html *** Confusing Convenience for Security: SSH Keys *** --------------------------------------------- Secure Shell (SSH) keys are a common part of accessing Unix systems, and you need to put some focus specifically on your organization's use of SSH keys. --------------------------------------------- http://blog.beyondtrust.com/confusing-convenience-for-security-ssh-keys *** Security Fixes in Firefox 42 *** --------------------------------------------- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firef… *** VU#391604: ZTE ZXHN H108N R1A routers contains multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#391604 ZTE ZXHN H108N R1A routers contains multiple vulnerabilities Original Release date: 03 Nov 2015 | Last revised: 03 Nov 2015 Overview ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. Description CWE-200: Information Exposure - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN... --------------------------------------------- http://www.kb.cert.org/vuls/id/391604 *** Alcatel-Lucent Home Device Manager Spoofing *** --------------------------------------------- Topic: Alcatel-Lucent Home Device Manager Spoofing Risk: Low Text: ## # # SWISSCOM CSIRT ADVISORY - https://www.swisscom.ch/en/about/sustainability/digital- #switze... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015110029 *** DSA-3391 php-horde - security update *** --------------------------------------------- It was discovered that the web-based administration interface in theHorde Application Framework did not guard against Cross-Site RequestForgery (CSRF) attacks. As a result, other, malicious web pages couldcause Horde applications to perform actions as the Horde user. --------------------------------------------- https://www.debian.org/security/2015/dsa-3391 *** DSA-3392 freeimage - security update *** --------------------------------------------- Pengsu Cheng discovered that FreeImage, a library for graphic imageformats, contained multiple integer underflows that could lead to adenial of service: remote attackers were able to trigger a crash bysupplying a specially crafted image. --------------------------------------------- https://www.debian.org/security/2015/dsa-3392 *** Bugtraq: [security bulletin] HPSBGN03425 rev.1 - HP ArcSight SmartConnectors, Remote Disclosure of Information, Local Escalation of Privilege *** --------------------------------------------- http://www.securityfocus.com/archive/1/536827 *** Bugtraq: [security bulletin] HPSBGN03386 rev.2 - HP Central View Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud Control, Subscription Fraud Prevention, Remote Disclosure of Information, *** --------------------------------------------- http://www.securityfocus.com/archive/1/536824 *** Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Notice - Statement on Venustech Revealing Heap Overflow Vulnerability in Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED] *** --------------------------------------------- http://www.securityfocus.com/archive/1/536833 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco SocialMiner WeChat Page Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance Cache Reply Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Mobility Services Engine Static Credential Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco AsyncOS TCP Flood Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance Range Request Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Mobility Services Engine Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Email Security Appliance Email Scanner Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Dienstag 3-11-2015
by Daily end-of-shift report 03 Nov '15

03 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 02-11-2015 18:00 − Dienstag 03-11-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** UK-US Cyberattack Simulation On Finance Sector Set For This Month *** --------------------------------------------- US-CERT and CERT-UK putting President and Prime Ministers earlier plans into action. --------------------------------------------- http://www.darkreading.com/operations/uk-us-cyberattack-simulation-on-finan… *** Latest Adobe Flash vulnerability now in Angler, Nuclear EKs *** --------------------------------------------- Malwarebytes is reporting that once again Adobe Flash Player has become a target as the recently patched zero-day exploit that was discovered and patched has become a part of several exploit kits (EK). --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/s2Q_P9QhW74/ *** WoW! Want to beat Microsofts Windows security defenses? Poke some 32-bit software *** --------------------------------------------- Compatibility tool hampers EMET anti-malware protections Two chaps claim to have discovered how to trivially circumvent Microsofts Enhanced Mitigation Experience Toolkit (EMET) using Redmonds own compatibility tools. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/32bit_softw… *** Web server secured? Good, now lets talk about e-mail *** --------------------------------------------- Its not just Hillary whose servers a spillory While Website owners may have noticed the need to get rid of old, buggy or weak crypto, those operating e-mail servers seem to be operating on autopilot. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/web_server_… *** Dev to Mozilla: Please dump ancient Windows install processes *** --------------------------------------------- Old habits die hard Security bod Stefan Kanthak is asking Mozilla to quit using Windows self-extracting installs. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/dev_to_mozi… *** The official website of the popular vBulletin forum has been hacked *** --------------------------------------------- The website of the vBulletin forum software is down for maintenance following a data breach that exposed personal information of hundreds of thousands users On Sunday, the vBulletin official website has been hacked by an attacker using the moniker "Coldzer0". The website has been defaced and the vBulletin forum was displaying the message "Hacked by Coldzer0." At the... --------------------------------------------- http://securityaffairs.co/wordpress/41656/cyber-crime/vbulletin-forum-hacke… *** Chimera crypto-ransomware is hitting German companies *** --------------------------------------------- A new piece of crypto-ransomware is targeting German companies: its called Chimera, and the criminals behind the scheme are threatening to release sensitive corporate data on the Internet if the targ... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/D53NfnuVrIM/malware_news.… *** KeyPass looter: The password plunderer to hose pwned sys admins *** --------------------------------------------- When youre owned, youre boned. Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeyPass. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/keypass_loo… *** Security: Kommandozeilen-Zugriff auf Bankterminal dokumentiert *** --------------------------------------------- Ein deutscher Sicherheitsforscher hat eine Sicherheitslücke in Geldautomaten-Software gefunden. Die Schwachstelle ermöglichte den Zugriff auf die Kommandozeile des Geräts und das Auslesen zahlreicher kritischer Daten. --------------------------------------------- http://www.golem.de/news/security-kommandozeilen-zugriff-auf-bankterminal-d… *** OTA-Patch: Google verteilt Sicherheitsupdate für Android 6.0 *** --------------------------------------------- Die neue Android-Version 6.0 alias Marshmallow bekommt nach einem Monat ihre erste Sicherheitsaktualisierung. Grund sind insgesamt sieben Bedrohungen, von denen Google zwei als kritisch einstuft. --------------------------------------------- http://www.golem.de/news/ota-patch-google-verteilt-sicherheitsupdate-fuer-a… *** Kaspersky DDoS Intelligence Report Q3 2015 *** --------------------------------------------- In the third quarter of 2015 botnet-assisted DDoS attacks targeted victims in 79 countries around the world; 91.6% of targeted resources were located in 10 countries. The largest numbers of DDoS attacks targeted victims in China, the US and South Korea. The longest DDoS attack in Q3 2015 lasted for 320 hours. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/72560/kaspersky-dd… *** Wormhole-Schwachstelle: Backdoor in über 14.000 Android-Apps *** --------------------------------------------- Das Moplus SDK hält in zahlreichen Apps eine Hintertür für Angreifer auf, sodass diese etwa heimlich Dateien von Android-Gerät abziehen und SMS-Nachrichten versenden können. --------------------------------------------- http://www.heise.de/newsticker/meldung/Wormhole-Schwachstelle-Backdoor-in-u… *** A few things about Redis security *** --------------------------------------------- >From time to time I get security reports about Redis. It's good to get reports, but it's odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here http://redis.io/topics/security) to be totally insecure if exposed to the outside world. Yet these bug reports are often useful since there are different levels of security concerning any software in... --------------------------------------------- http://antirez.com/news/96 *** How Carders Can Use eBay as a Virtual ATM *** --------------------------------------------- How do fraudsters "cash out" stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they dont yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate... --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/E4QijbOr8i0/ *** ORX-Locker, a Web Platform to Create Ransomware *** --------------------------------------------- The only thing more dangerous than cryptolocker-type ransomware in the hands of a highly skilled hacker is the same ransomware offered as a service and made available to the general public. Similar to the private TOX RaaS (Ransomware as a Service) platform discovered in August, ORX-Locker is a free-to-use web platform where anyone can create and download malware that will encrypt a victim's file system and demand payment for recovery. This is one of the first public RaaS sites we've... --------------------------------------------- https://feeds.feedblitz.com/~/122089935/0/alienvault-blogs~ORXLocker-a-Web-… *** XcodeGhost S: A New Breed Hits the US *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html *** Enhancing pentesting recon with nmap, (Tue, Nov 3rd) *** --------------------------------------------- You might have used nmap several times for recon using the conventional portscan functionality (Connect scan, SYN Scan, FIN scan, UDP scan, ...) but for gathering extra info like HTTP directories, DNS host enumeration without performing zone transfer, Microsoft SQL Server enumeration and SMB device info people usually uses additional tools. I will show you how nmap can provide that information without use of extra tools: 1. HTTP Directories The http-enum script is able to test for the existence... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20331&rss *** VU#316888: MobaXterm server may allow arbitrary command injection due to missing X11 authentication *** --------------------------------------------- Vulnerability Note VU#316888 MobaXterm server may allow arbitrary command injection due to missing X11 authentication Original Release date: 02 Nov 2015 | Last revised: 02 Nov 2015 Overview The MobaXterm server prior to verion 8.3 is vulnerable to arbitrary command injection over port 6000 when using default X11 settings. Description CWE-306: Missing Authentication for Critical Function - CVE-2015-7244MobaXterm server prior to version 8.3 includes an X11 server listening on all IP addresses... --------------------------------------------- http://www.kb.cert.org/vuls/id/316888 *** Security Advisory - Local Permission Escalation Vulnerability in GPU of P7 Phones *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Cisco Unified Computing System Blade Server Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7852 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17516.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7850 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17528.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7701 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17517.htm… --------------------------------------------- *** Security Advisory: NTP vulnerabilities CVE-2015-7704 and CVE-2015-7705 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17527.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7703 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17529.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7848 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17526.htm… --------------------------------------------- *** Security Advisory: NTP vulnerabilities CVE-2015-7691, CVE-2015-7692, and CVE-2015-7702 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17530.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7871 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17518.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7849 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17521.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7854 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17524.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7853 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17525.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7855 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17515.htm… --------------------------------------------- *** Security Advisory: NTP vulnerability CVE-2015-7851 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17522.htm… ---------------------------------------------

1 0

Tageszusammenfassung - Montag 2-11-2015
by Daily end-of-shift report 02 Nov '15

02 Nov '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 30-10-2015 18:00 − Montag 02-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** CoinVault and Bitcryptor Ransomware Victims Can Now Recover Their Files For Free *** --------------------------------------------- itwbennett writes: Researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained the last set of encryption keys from command-and-control servers that were used by CoinVault and Bitcryptor, writes Lucian Constantin. Those keys have been uploaded to Kasperskys ransomware decrypt or service that was originally set up in April with a set of around 750 keys recovered from servers hosted in the Netherlands. --------------------------------------------- http://yro.slashdot.org/story/15/10/30/2341230/coinvault-and-bitcryptor-ran… *** Disaster Recovery Starts with a Plan, (Mon, Nov 2nd) *** --------------------------------------------- One of the security questions being asked of security professionals, by business executives these days, from both internal and external entities, is What is the status of our Disaster Recovery plan? The driving force behind the question varies, from compliance and our business partners are asking to I read an article about an earthquake. A disaster recovery plan is one of those things that you dont want to define the requirements as you go, this is one that is truly about the *plan*. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20325&rss *** About Lenovo System Update Vulnerabilities and CVE-2015-6971 *** --------------------------------------------- Over the past seven months, a number of vulnerabilities in Lenovo System Update software have come to light. Lenovo patched the first of a batch of these vulnerabilities in spring of this year. I decided to take a deeper look... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/About-Lenovo-System-Update-V… *** Useful tools for malware analysis *** --------------------------------------------- In early October, the international project 'Cyber Security in the Danube Region' organized training for security teams operating within the region. As sharing of information and knowledge are essential in the field of security, I decided to write a post ... --------------------------------------------- http://en.blog.nic.cz/2015/10/30/useful-tools-for-malware-analysis/ *** Debian: elasticsearch end-of-life (DSA 3389-1) *** --------------------------------------------- Security support for elasticsearch in jessie is hereby discontinued. The project no longer releases information on fixed security issues which allow backporting them to released versions of Debian and actively discourages from doing so. elasticsearch will also be removed from Debian stretch (the next stable Debian release), but will continue to remain in unstable and available in jessie-backports. --------------------------------------------- https://lists.debian.org/debian-security-announce/2015/msg00290.html *** PageFair: Halloween Security Breach *** --------------------------------------------- I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again. --------------------------------------------- http://blog.pagefair.com/2015/halloween-security-breach/ *** RWSPS: WPA/2 Cracking Using HashCat *** --------------------------------------------- We will cover the following topics: WPA/2 Cracking with Dictionary attack using Hashcat. WPA/2 Cracking with Mask attack using Hashcat. WPA/2 Cracking with Hybrid attack using Hashcat. WPA/2 Cracking Pause/resume in Hashcat (One of the best features) WPA/2 Cracking save sessions and restore. --------------------------------------------- http://www.rootsh3ll.com/2015/10/rwsps-wpa2-cracking-using-hashcat-cloud-ch… *** Protecting Windows Networks - Local administrative accounts management *** --------------------------------------------- There is a common problem in all environments with local administrative accounts, such as local Administrator account, root accounts or any kind of application specific built-in admin accounts set to a common password, shared across all systems. --------------------------------------------- https://dfirblog.wordpress.com/2015/11/01/protecting-windows-networks-local… *** new Windows 10 cumulative update (3105210) *** --------------------------------------------- Bulletin revised to announce the release of a new Windows 10 cumulative update (3105210) to address an additional vulnerability, CVE-2015-6045, which has been added to this bulletin. Only customers running Windows 10 systems need to install this new update. Earlier operating systems are either not affected or have received the fix in the original updates of October 13, 2015. --------------------------------------------- https://technet.microsoft.com/library/security/ms15-106 *** 5 signs your Web application has been hacked *** --------------------------------------------- When customers interact with your business, they most likely go through a Web application first. It's your company's public face -- and by virtue of that exposure, an obvious point of vulnerability.Most attacks against Web applications are stealthy and hard to spot. --------------------------------------------- http://www.csoonline.com/article/3000315/application-security/5-signs-your-… *** How Much is a Zero-Day Exploit for an SCADA/ICS System? *** --------------------------------------------- Current scenario How much is a zero-day for an industrial control system? Where is it possible to buy them and who are the main buyers of these commodities? I can tell you that there isn't a unique answer to the above questions, but first all let us try to understand the current scenario ... --------------------------------------------- http://resources.infosecinstitute.com/how-much-is-a-zero-day-exploit-for-an… *** Cisco Security Advisories *** --------------------------------------------- *** Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015 *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Domain Manager URI Enumeration Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT Management Center HTML Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco ASR 5500 SAE Gateway BGP Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Service Catalog SQL Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco ASA CX Context-Aware Security Web GUI Unauthorized Access Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Border Element Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Secure Access Control Server Role-Based Access Control Weak Protection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Secure Access Control Server Reflective Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Secure Access Control Server Role-Based Access Control URL Lack of Protection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Secure Access Control Server Dom-Based Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Secure Access Control Server SQL Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Wireless LAN Controller Client Disconnection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 30-10-2015
by Daily end-of-shift report 30 Oct '15

30 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 29-10-2015 18:00 − Freitag 30-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WPScan Intro: WordPress Vulnerability Scanner *** --------------------------------------------- Have you ever wanted to run security tests on your WordPress website to see if it could be easily hacked? WPScan is a black box vulnerability scanner for WordPress sponsored by Sucuri and maintained by the WPScan Team, .. --------------------------------------------- https://blog.sucuri.net/2015/10/install-wpscan-wordpress-vulnerability-scan… *** Anonymisierungsdienst Tor stellt sicheren Messenger vor *** --------------------------------------------- Es soll sich um die am einfachsten zu nutzende Verschlüsselungssoftware handeln --------------------------------------------- http://derstandard.at/2000024778063 *** Advertising Brokers: A Background Information *** --------------------------------------------- Provides background information about advertisement brokers, the men and women that are in the middle of web advertising between sites and advertisers. --------------------------------------------- https://blog.malwarebytes.org/privacy-2/2015/10/advertising-brokers-backgro… *** DSA-3384 virtualbox - security update *** --------------------------------------------- Two vulnerabilities have been discovered in VirtualBox, an x86virtualisation solution. --------------------------------------------- https://www.debian.org/security/2015/dsa-3384 *** Bankomat: Diebstahl per USB-Stick *** --------------------------------------------- Unbekannter konnte in Deutschland mehrere Geräte manipulieren --------------------------------------------- http://derstandard.at/2000024796664 *** Paper on TLS usage for all email protocols, IPv4-wide is online *** --------------------------------------------- Today we've published our paper on TLS use in e-mail protocols (SMTP, IMAP, POP..) on the Internet. Our paper and the corresponding dataset are now publicly available, you can find the paper here. Our dataset is published at scans.io. Over the time of .. --------------------------------------------- https://www.sba-research.org/2015/10/30/paper-on-tls-usage-for-all-email-pr… *** Weaknesses in the PLAID Protocol *** --------------------------------------------- In 2009, the Australian government released the Protocol for Lightweight Authentication of Identity (PLAID) protocol. It was recently analyzed (original paper is from 2014, but was just updated), and its a security disaster. Matt .. --------------------------------------------- https://www.schneier.com/blog/archives/2015/10/weaknesses_in_t.html *** Pagetable-Sicherheitslücke: Ausbruch aus dem virtuellen Xen-Käfig *** --------------------------------------------- Eine Lücke im Xen-Hypervisor erlaubt einem Gastsystem, die Kontrolle über das komplette Host-System zu übernehmen. Hierfür wird die Speicherverwaltung ausgetrickst. Die Entwickler der Qubes-Distribution üben heftige Kritik an Xen. --------------------------------------------- http://www.golem.de/news/pagetable-sicherheitsluecke-ausbruch-aus-dem-virtu… *** Citrix NetScaler Service Delivery Appliance Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in Citrix Service Delivery Appliance (SDX) that could allow a malicious, unprivileged user to .. --------------------------------------------- http://support.citrix.com/article/CTX201794 *** Fatale Sicherheitslücken in Zwangsroutern von Vodafone/Kabel Deutschland *** --------------------------------------------- Bis zu 1,3 Millionen Router im Kabel-Netz von Vodafone sind über WLAN angreifbar. Der Provider verspricht, die Lücken mit Firmware-Updates zu schliessen. Das kann sich jedoch noch bis Jahresende hinziehen. --------------------------------------------- http://heise.de/-2866037 *** Breaches, traders, plain text passwords, ethical disclosure and 000webhost *** --------------------------------------------- It's a bit hard to even know where to begin with this one, perhaps at the start and then I'll try and piece all the bits together as best I can. As you may already know if you're familiar with this blog, I run the service Have I been pwned? (HIBP) which allows people to discover where their personal data has been compromised on .. --------------------------------------------- http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html *** VMSA-2015-0003.14 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0003.html

1 0

Tageszusammenfassung - Donnerstag 29-10-2015
by Daily end-of-shift report 29 Oct '15

29 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 28-10-2015 18:00 − Donnerstag 29-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Why Is the NSA Moving Away from Elliptic Curve Cryptography? *** --------------------------------------------- In August, I wrote about the NSAs plans to move to quantum-resistant algorithms for its own cryptographic needs. Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the governments real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster -- to the stated reason... --------------------------------------------- https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html *** New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers *** --------------------------------------------- Akamai has observed three new reflection DDoS attacks in recent months: NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection. In a reflection DDoS attack, also called a D... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/g4MR874bgXg/secworld.php *** TLS-Zertifikate: Google greift gegen Symantec durch *** --------------------------------------------- Symantec hatte im September mehrere Tausend unberechtigte TLS-Zertifikate ausgestellt, verschweigt aber zunächst das Ausmaß des Vorfalls. Google zeigt dafür wenig Verständnis und stellt einige Bedingungen für den Verbleib der Symantec-Rootzertifikate im Chrome-Browser. (Symantec, Google) --------------------------------------------- http://www.golem.de/news/tls-zertifikate-google-greift-gegen-symantec-durch… *** Jackpotting: Geldautomaten in Deutschland mit USB-Stick ausgeräumt *** --------------------------------------------- Seit 2010 ist das Plündern von Geldautomaten per USB-Stick bekannt. In Deutschland wurde nun erstmals ein Täter dabei gefilmt, wie er zwei Automaten an einem Tag ausräumte. (Security, Black Hat) --------------------------------------------- http://www.golem.de/news/jackpotting-geldautomaten-in-deutschland-mit-usb-s… *** Security: Forscher stellen LTE-Angriffe mit 1.250-Euro-Hardware vor *** --------------------------------------------- LTE-Netzwerke galten bislang als deutlich sicherer als GSM- und 3G-Netzwerke. Anfang der Woche hat ein Team von Forschern jetzt verschiedene praktische Angriffe vorgestellt, die mit geringen Kosten und kommerzieller Hardware funktionieren sollen. (Security, Smartphone) --------------------------------------------- http://www.golem.de/news/security-forscher-stellen-lte-angriffe-mit-1-250-e… *** USB cleaning device for the masses, (Thu, Oct 29th) *** --------------------------------------------- For so long, USB keys have been a nice out-of-bandinfection vector. People like goodies and people like to plug those small pieces of plastic into their computers. Even if good solutions exists (like BitLocker- the standard solution provided by Microsoft), a lot of infrastructureare not protected against the use ofrogue USB keys for many good or obscure reasons. There are also multiple reasons to receive USB keys: from partners, customers, contractors, vendors, etc. The best practice should be... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20315&rss *** XEN Security Advisories *** --------------------------------------------- Advisory | Public release | Updated | Version | CVE(s) | Title XSA-153 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7972 | x86: populate-on-demand balloon size inaccuracy can crash guests XSA-152 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7971 | x86: some pmu and profiling hypercalls log without rate limiting XSA-151 | 2015-10-29 11:59 | 2015-10-29 11:59 | 3 | CVE-2015-7969 | x86: leak of per-domain profiling-related vcpu pointer array XSA-150 | 2015-10-29 11:59 | 2015-10-29... --------------------------------------------- http://xenbits.xen.org/xsa/ *** Cisco ASR 5500 SAE Gateway Lets Remote Users Cause the Target BGP Process to Restart *** --------------------------------------------- http://www.securitytracker.com/id/1034024 *** IBM DB2 TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections *** --------------------------------------------- http://www.securitytracker.com/id/1033991 *** JBoss Operations Network Cassandra JMX/RMI Interface Lets Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1034002 *** DSA-3382 phpmyadmin - security update *** --------------------------------------------- https://www.debian.org/security/2015/dsa-3382 *** Security Notice - Statement About WormHole Vulnerability in Baidu Apps Preset in Huawei Phones *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Security Advisory - UE Measurement Leak Vulnerability in Huawei P8 Phones *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** Security Advisory: OpenSSH vulnerability CVE-2015-5352 *** --------------------------------------------- (SOL17461) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17461.htm… *** VU#573848: Qolsys IQ Panel contains multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#573848 Qolsys IQ Panel contains multiple vulnerabilities Original Release date: 29 Oct 2015 | Last revised: 29 Oct 2015 Overview All firmware versions of Qolsys IQ Panel contain hard-coded cryptographic keys, do not validate signatures during software updates, and use a vulnerable version of Android OS. Description Qolsys IQ Panel is an Android OS-based touch screen controller for home automation devices and functions. All firmware versions contain the following --------------------------------------------- http://www.kb.cert.org/vuls/id/573848 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller and Storwize Family (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005435 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects SAN Volume Controller and Storwize Family (CVE-2015-1789 CVE-2015-1791 CVE-2015-1788 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005434 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Storwize V7000 Unified (CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005314 *** IBM Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-4927) *** http://www.ibm.com/support/docview.wss?uid=swg21969340 *** IBM Security Bulletin: A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web version 7.0 software installations and IBM Tivoli Access Manager for e-business (CVE-2015-1946) *** http://www.ibm.com/support/docview.wss?uid=swg21969077 *** IBM Security Bulletin: Vulnerability in RC4 stream cipher affects N-series Data ONTAP (CVE-2015-2808) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005273 *** IBM Security Bulletin: Multiple vulnerabilities in Firefox, affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-4497, CVE-2015-4498) *** http://www.ibm.com/support/docview.wss?uid=swg21968836 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Access Manager for Mobile (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21963711

1 0

Tageszusammenfassung - Mittwoch 28-10-2015
by Daily end-of-shift report 28 Oct '15

28 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 27-10-2015 18:00 − Mittwoch 28-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** One in 20 apps on private PCs are end-of-life *** --------------------------------------------- Secunia Research revealed the state of security for PC users in a total of 14 countries, including the US. One in 20 applications on private US PCs are end-of-life and 12 percent of Windows operating ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19032 *** Yahoo! crypto! chap! turns! security! code! into! evil! tracker! *** --------------------------------------------- HTTP Strict Transport Security isnt working as advertised or planned Yahoo! crypto bod Yan Zhu has found twin attacks that allow websites to learn the web histories of visitors users by targeting HTTP Strict Transport Security (HSTS). --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/10/28/sniffly/ *** Update unbedingt installieren: Joomla im Fokus von Angreifern *** --------------------------------------------- Nutzer von Joomla sollten das in der vergangenen Woche veröffentlichte Update dringend einspielen. Denn Angreifer attackieren aktuell massenweise Webseiten, die eine verwundbare Version einsetzen. --------------------------------------------- http://heise.de/-2860521 *** Windows 10 Security *** --------------------------------------------- Windows 10 was launched on July 29th of this year and had been adopted by 75 million users by the end of August. Despite its initial popularity, the adoption rate for the new operating system has slowed down since the time of its launch. While the Windows 10 market share for desktop operating systems climbed... --------------------------------------------- http://resources.infosecinstitute.com/windows-10-security/ *** Victim of its own success and (ab)used by malwares, (Wed, Oct 28th) *** --------------------------------------------- This morning, I faced an interesting case. We were notified that one of our computers was doing potentially malicious HTTP requests. The malicious URL was: api.wipmania.com. We quickly checked and detected to many hosts were sendingrequests to this API. It is a website hosted in France which provides geolocalisation services via a text/json/xml API. The usage is pretty quick and">xavier@vps2$curl http://api.wipmania.com/ip_address BE You provide an IP address and it returns its... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20311&rss *** Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1 (October 23, 2015) *** --------------------------------------------- As of midnight January 1, 2016, certificate authorities will cease issuing SHA1 digital certificates... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/17/84/308 *** We set up a simple test page to see how browsers deal with mixed language IDNs. Try it out: http://www.example.xn--comindex-634g.jp/ . Test yours. (sorry, earlier link did not render right), (Tue, Oct 27th) *** --------------------------------------------- --- Johannes B. Ullrich, Ph.D. STI|Twitter|LinkedIn (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20305&rss *** DFN-CERT-2015-1672: NTP: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1672/ *** DSA-3381 openjdk-7 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the executionof arbitrary code, breakouts of the Java sandbox, information disclosure,or denial of service. --------------------------------------------- https://www.debian.org/security/2015/dsa-3381 *** DSA-3380 php5 - security update *** --------------------------------------------- Two vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development. --------------------------------------------- https://www.debian.org/security/2015/dsa-3380 *** VU#350508: HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password *** --------------------------------------------- Vulnerability Note VU#350508 HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password Original Release date: 27 Oct 2015 | Last revised: 27 Oct 2015 Overview The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password. Description CWE-295: Improper Certificate Validation - CVE-2015-2902The ArcSight SmartConnector fails to validate the certificate of the upstream Logger device it is reporting logs to. --------------------------------------------- http://www.kb.cert.org/vuls/id/350508 *** Security Advisory: PAM vulnerability CVE-2015-3238 *** --------------------------------------------- (SOL17494) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17494.htm… *** Security Advisory: Datastor kernel vulnerability CVE-2015-7394 *** --------------------------------------------- (SOL17407) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/400/sol17407.htm… *** Infinite Automation Systems Mango Automation Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for vulnerabilities in the Infinite Automation Systems Mango Automation application. Infinite Automation Systems has produced a new version to mitigate these vulnerabilities. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02 *** Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for vulnerabilities in the Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03

1 0

Tageszusammenfassung - Dienstag 27-10-2015
by Daily end-of-shift report 27 Oct '15

27 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 23-10-2015 18:00 − Dienstag 27-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Botnets spreading Dridex still active, (Fri, Oct 23rd) *** --------------------------------------------- Introduction In early September 2015, we started seeing reports about arrests tied to Dridex malware [1, 2]. About that time, we noticed a lack of botnet-based malicious spam (malspam) pushing Dridex malware. During the month of September, Dridex disappeared from our radar. By the beginning of October 2015, malspam pushing Dridex came back [3], and its continued since then. However, organizations still discussed the Dridex takedown, even after Dridex came back. The most recent wave of reporting... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20295&rss *** Unsichere App-TAN: Sparkasse verteidigt ihr pushTAN-Banking *** --------------------------------------------- Die Manipulationen beträfen "veraltete Versionsstände der S-pushTAN-App" und tatsächliche Schadensfälle seien unwahrscheinlich, heißt es in einer Stellungnahme der Sparkassen zu einem erfolgreichen Angriff auf ihr AppTAN-Verfahren. --------------------------------------------- http://www.heise.de/newsticker/meldung/Unsichere-App-TAN-Sparkasse-verteidi… *** Free and Commercial Tools to Implement the SANS Top 20 Security Controls, Part 5: Malware Defenses *** --------------------------------------------- This is Part 5 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. In Part 3 we looked at Secure Configurations. In Part 4 we looked at Continuous Vulnerability Assessment and Remediation. Now in Part 5 well take on Malware Defenses. 5-1 Employ automated tools... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to… *** Beyond Automated Penetration Testing *** --------------------------------------------- #WarStoryWednesday Not too long ago, I was tasked with performing an Application Security Assessment while onsite at a client location. I had worked with this client before, and was eager to see how they had matured their applications over the past couple years. Originally, I had performed an Application Security Assessment on an older version... --------------------------------------------- http://resources.infosecinstitute.com/beyond-automated-penetration-testing/ *** Joomla SQL Injection Attacks in the Wild *** --------------------------------------------- Last week, the Joomla team released an update patching a serious vulnerability in Joomla 3.x. This vulnerability, an SQL injection (CVE-2015-7858), allows for an attacker to take over a vulnerable site with ease. We predicted that the attacks would start in the wild very soon, due to the popularity of the Joomla platform alongRead More The post Joomla SQL Injection Attacks in the Wild appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.ht… *** Patch außer der Reihe: Adobe schließt kritische Lücke in Shockwave *** --------------------------------------------- Angreifer können den Shockwave Player verwenden, um aus der Ferne Schadcode auf Rechner zu schleusen. Adobe bewertet die Lücke mit der höchsten Prioritätsstufe. --------------------------------------------- http://heise.de/-2860125 *** Intel x86 considered harmful (new paper) *** --------------------------------------------- Oct 27, 2015 - Joanna Rutkowska | Back in summer I have read a new book published by one of the core Intel architects about the Management Engine (ME). I didnt quite like what I read there. In fact I even found this a bit depressing, even though Intel ME wasnt particular news to me as we, at the ITL, have already studied this topic quite in-depth, so to say, back in 2008... But, as you can see in the linked article, I believed we could use VT-d to protect the host OS from the potentially... --------------------------------------------- http://blog.invisiblethings.org/2015/10/27/x86_harmful.html *** Patchday: Updates für Xen-Hypervisor *** --------------------------------------------- Xen hat einige Lücken in seinem Hypervisor geschlossen. Details werden, wie üblich, erst später bekannt gegeben. --------------------------------------------- http://www.golem.de/news/patchday-updates-fuer-xen-hypervisor-1510-117152-r… *** Volkswagen: Hacker deaktivieren Airbag über gefälschte Diagnose-Software *** --------------------------------------------- Wieder gibt es manipulierte Software bei VW - doch dieses Mal ist der Konzern nicht selbst verantwortlich. Hackern ist es offensichtlich gelungen, die Steuersoftware eines Audi TT so zu manipulieren, dass der Airbag ohne Wissen der Nutzer abgeschaltet werden kann. --------------------------------------------- http://www.golem.de/news/volkswagen-hacker-deaktivieren-airbag-ueber-gefael… *** The "Yes, but..." syndrome, (Tue, Oct 27th) *** --------------------------------------------- This weekend, I worked on a pentest report that was already pending for a while. Im honest: Im lazzy to write reports (like many of us, no?).During a pentest, it is mandatory to keep evidences of all your findings. No only the tools you used and how you used them but as much details as possible (screenshots, logs, videos, papers,etc). Every day, we had a quick debriefing meeting with the customer to make the point about the new findings. The first feedback was often a Yes, but...: Me: We were --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20303&rss *** JSA10711 - 2015-10 Out of Cycle Security Bulletin: NTP.org announcement of multiple vulnerabilities. *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10711&actp=RSS *** Bugtraq: [security bulletin] HPSBGN03429 rev.1 - HP Arcsight Logger, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/536749 *** Bugtraq: [security bulletin] HPSBGN03428 rev.1 - HP Asset Manager, Local Disclosure of Sensitive Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/536748 *** DSA-3377 mysql-5.5 - security update *** --------------------------------------------- Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.46. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details:... --------------------------------------------- https://www.debian.org/security/2015/dsa-3377 *** DSA-3378 gdk-pixbuf - security update *** --------------------------------------------- Several vulnerabilities have been discovered in gdk-pixbuf, a toolkitfor image loading and pixel buffer manipulation. The CommonVulnerabilities and Exposures project identifies the following problems:... --------------------------------------------- https://www.debian.org/security/2015/dsa-3378 *** Security Notice - Statement on the Huawei Honor phone Vulnerability Mentioned at the GeekPwn Conference *** --------------------------------------------- Oct 25, 2015 09:27 --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Secure Access Control Server Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks *** http://www.securitytracker.com/id/1033968 *** Cisco Secure Access Control Server Input Validation Flaw Lets Remote Authenticated Users Inject SQL Commands *** http://www.securitytracker.com/id/1033967 *** Cisco Secure Access Control Server RBAC Flaw Lets Remote Authenticated Users Modify Dashboard Portlets on the Target System *** http://www.securitytracker.com/id/1033971 *** Cisco Secure Access Control Server RBAC Flaw Lets Remote Authenticated Users Obtain System Administrator Reports and Status *** http://www.securitytracker.com/id/1033970 *** Cisco Secure Access Control Server DOM Statement Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks *** http://www.securitytracker.com/id/1033969 *** Siemens Rugged Operating System (ROS) Ethernet Frame Padding Bug Lets Remote Users on the Local Network Obtain Potentially Sensitive VLAN Information *** --------------------------------------------- http://www.securitytracker.com/id/1033973

1 0

Tageszusammenfassung - Freitag 23-10-2015
by Daily end-of-shift report 23 Oct '15

23 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 22-10-2015 18:00 − Freitag 23-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Red Hat CVE Database Revamp *** --------------------------------------------- Since 2009, Red Hat has provided details of vulnerabilities with CVE names as part of our mission to provide as much information around vulnerabilities that affect Red Hat products as possible. These CVE pages distill information from a variety .. --------------------------------------------- https://securityblog.redhat.com/2015/10/22/red-hat-cve-database-revamp/ *** Hack.lu 2015 Wrap-Up Day #3 *** --------------------------------------------- I just drove back to home after the 11th edition of hack.lu. As always, it was an amazing event organized by, amongst others, many team members of the CIRCL. So, let's write a quick wrap-up for this third day. Some talk will be less covered due to interesting chat sessions with a lot of infosec peers. Lik .. --------------------------------------------- https://blog.rootshell.be/2015/10/22/hack-lu-2015-wrap-up-day-3/ *** Oracle Critical Patch Update Advisory - October 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html *** Janitza UMG Power Quality Measuring Products Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on September 22, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for several vulnerabilities in the Janitza UMG power quality measuring products. Janitza has produced new firmware and new documentation to mitigate these vulnerabilities. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-265-03 *** 5E5: Die nächste runde Ticketnummer *** --------------------------------------------- Es ist soweit: unser Ticketsystem hat wieder eine symbolische Grenze überschritten: Wir haben das Ticket #500000 behandelt:Date: Thu Oct 22 11:07:54 2015Queue: InvestigationsSubject: [CERT.at #500000] SSDP-Service aus dem Internet erreichbar in AS12635 Was bedeuten diese Zahlen? Und was nicht? Wir bekommen und senden .. --------------------------------------------- http://www.cert.at/services/blog/20151023103846-1610.html *** Forscher demontieren App-TANs der Sparkasse *** --------------------------------------------- "Komfortabel, aber leider unsicher" - so lässt sich das Ergebnis eines Forschungsprojekts zu den von immer mehr Banken angebotetenen App-basierten TAN-Verfahren zusammenfassen. Die Online-Banking-Apps der Sparkasse haben sie bereits geknackt. --------------------------------------------- http://heise.de/-2853492 *** CCTV botnets proliferate due to unchanged default factory credentials *** --------------------------------------------- Incapsula researchers have uncovered a botnet consisting of some 9,000 CCTV cameras located around the world, which was being used to target, among others, one of the companys clients with HTTP flood... --------------------------------------------- http://www.net-security.org/secworld.php?id=19020 *** PMASA-2015-5 *** --------------------------------------------- Content spoofing vulnerability when redirecting user to an external siteAffected VersionsVersions 4.4.x (prior to 4.4.15.1) and 4.5.x (prior to 4.5.1) are affected.CVE ID2015-7873 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2015-5/ *** Malvertising-Kampagne verteilt Exploit-Kit über ebay.de *** --------------------------------------------- Betrüger sollen aktuell Werbenetzwerke missbrauchen, um Exploit-Kits über Werbeanzeigen auf etwa ebay.de und t-online.de zu verteilen. --------------------------------------------- http://heise.de/-2853882 Aufgrund des Feiertages am kommenden Montag, den 26.10.2015, erscheint der nächste End-of-Shift Report erst am 27.10.2015.

1 0

Tageszusammenfassung - Donnerstag 22-10-2015
by Daily end-of-shift report 22 Oct '15

22 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 21-10-2015 18:00 − Donnerstag 22-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco ASA Software DNS Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA Software DNS Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Google Moving Gmail to Strict DMARC Implementation *** --------------------------------------------- Google said it will move gmail.com to a policy of rejecting any messages that don't pass the authentication checks spelled out in the DMARC specification. --------------------------------------------- http://threatpost.com/google-moving-gmail-to-strict-dmarc-implementation/11… *** IBM Runs World's Worst Spam-Hosting ISP? *** --------------------------------------------- This author has long sought to shame Web hosting and Internet service providers who fail to take the necessary steps to keep spammers, scammers and other online neer-do-wells .. --------------------------------------------- http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp *** Apple Releases Updates for iOS, WatchOS, OS X, Safari and iTunes. *** --------------------------------------------- Apple published one of its usual updates for everything. Below I took a shot at a quick summary. You can find .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20285 *** Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004 *** --------------------------------------------- The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. --------------------------------------------- https://www.drupal.org/SA-CORE-2015-004 *** jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158 *** --------------------------------------------- The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004). --------------------------------------------- https://www.drupal.org/node/2598426 *** Hack.lu 2015 Wrap-Up Day #2 *** --------------------------------------------- Here we go with my wrap-up for the second day. After some coffee and pastries, the day started hardly with a very technical talk. Samuel Chevet & Clement Rouault presented their research about Windows local kernel debugging. Kernel debugging .. --------------------------------------------- https://blog.rootshell.be/2015/10/21/hack-lu-2015-wrap-up-day-2/ *** E-Mail-Sicherheit: Was Provider beitragen können *** --------------------------------------------- https://www.rtr.at/de/inf/E_Mail_Sicherheit05112015 *** Drahtlose Infektion: Erste Malware für Fitnesstracker entwickelt *** --------------------------------------------- Übertragung auf Fitbit Flex in zehn Sekunden möglich – Schadsoftware befällt PC von Opfer --------------------------------------------- http://derstandard.at/2000024345670 *** Geplante Obsoleszenz: Diese Software lässt Computer rasend schnell altern *** --------------------------------------------- Forscher haben ein Programm entwickelt, das Prozessoren in kurzer Zeit so abnutzt, dass sie unbrauchbar werden. Mögliche Nutznießer: Hersteller, Kunden - oder Militärs. --------------------------------------------- http://www.golem.de/news/geplante-obsoleszenz-diese-software-laesst-compute… *** [20151001] - Core - SQL Injection *** --------------------------------------------- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection… *** [20151002] - Core - ACL Violations *** --------------------------------------------- http://developer.joomla.org/security-centre/629-20151002-core-acl-violation… *** [20151003] - Core - ACL Violations *** --------------------------------------------- http://developer.joomla.org/security-centre/630-20151003-core-acl-violation… *** [2015-10-22] Lime Survey Multiple Critical Vulnerabilities *** --------------------------------------------- Lime Survey contains multiple vulnerabilities which can be used by unauthenticated attackers to execute administrative functions. Moreover, in certain conditions unauthenticated attackers can run arbitrary PHP code and gain access to the filesystem and the Lime Survey database. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015… *** NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability *** --------------------------------------------- Unauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker's choosing allowing the attacker to make arbitrary changes to system time. This attack leverages a logic error in ntpd's handling of .. --------------------------------------------- http://talosintel.com/reports/TALOS-2015-0069/

1 0

Tageszusammenfassung - Mittwoch 21-10-2015
by Daily end-of-shift report 21 Oct '15

21 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 20-10-2015 18:00 − Mittwoch 21-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** VMSA-2015-0003.13 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0003.html *** APPLE-SA-2015-10-20-1 OS X: Flash Player plug-in blocked *** --------------------------------------------- Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 19.0.0.226 and 18.0.0.255. --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2015/Oct/msg00001.ht… *** VMSA-2015-0007.2 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0007.html *** Oracle Linux Bulletin - October 2015 *** --------------------------------------------- Oracle Linux Bulletin - October 2015 --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719… *** New Headaches: How The Pawn Storm Zero-Day Evaded Java's Click-to-Play Protection *** --------------------------------------------- Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass the click-to-play protection that is in use by Java. This second vulnerability has now been .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-ho… *** Multiple vulnerabilities in SAP products *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-532/ http://www.zerodayinitiative.com/advisories/ZDI-15-531/ http://www.zerodayinitiative.com/advisories/ZDI-15-530/ http://www.zerodayinitiative.com/advisories/ZDI-15-529/ http://www.zerodayinitiative.com/advisories/ZDI-15-528/ http://www.zerodayinitiative.com/advisories/ZDI-15-527/ http://www.zerodayinitiative.com/advisories/ZDI-15-526/ *** G DATA Malware Report - January - June 2015 *** --------------------------------------------- The G Data SecurityLabs published the Malware Report for the first half of 2015. Here are the most important findings. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/g-data-malware-report-january-j… *** EMET: To be, or not to be, A Server-Based Protection Mechanism *** --------------------------------------------- Hi Folks - Platforms PFE Dan Cuomo here to discuss a common question seen in the field: 'My customer is deploying EMET and would like to know if it is supported on Server Operating Systems.' On the surface there is a simple answer to this question, .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2015/10/20/emet-to-be-or-not-to-be-a… *** Hack.lu 2015 Wrap-Up Day #1 *** --------------------------------------------- Today started the 11th edition of hack.lu in Luxembourg. Being one of my preferred event, I drove to Luxembourg this morning direction to the Alvisse Parc hotel! The first day started with a security breakfast and a round .. --------------------------------------------- https://blog.rootshell.be/2015/10/20/hack-lu-2015-wrap-up-day-1/ *** Flash, Java Patches Fix Critical Holes *** --------------------------------------------- Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software. Separately, Oracle today released an update to plug more than two-dozen flaws in its Java software. Both programs plug directly into the browser and are .. --------------------------------------------- http://krebsonsecurity.com/2015/10/flash-java-patches-fix-critical-holes/ *** Online-Banking: Neue Angriffe auf die mTAN *** --------------------------------------------- Betrüger haben wieder einmal eine Methode gefunden, um Daten von Kunden beim Online-Banking abzugreifen und das mTAN-System auszuhebeln. --------------------------------------------- http://heise.de/-2851624 *** Microsoft startet Bug-Bounty-Programm für .NET Core und ASP.NET *** --------------------------------------------- Bis zum 20. Januar 2016 können Entwickler im Rahmen des Programms auf Sicherheitslücken in den Betas der CoreCLR und ASP.NET 5 hinweisen. Gute Lösungsvorschläge sind Microsoft bis zu 15.000 US-Dollar wert. --------------------------------------------- http://heise.de/-2851587 *** Gwolle Guestbook <= 1.5.3 - Remote File Inclusion (RFI) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8218 *** High-Tech Bridge launches free PCI and NIST compliant SSL test *** --------------------------------------------- High-Tech Bridge is pleased to announce availability of its new online service to test SSL/TLS server security and configuration for compliance with NIST and PCI DSS. --------------------------------------------- https://www.htbridge.com/news/high-tech-bridge-launches-free-pci-and-nist-c… *** Metadaten-Leak: 1Password stellt Dateiformat um *** --------------------------------------------- Nutzer der Abgleichfunktion "1Password Anywhere" hinterließen unter Umständen eine Liste mit den von ihnen verwendeten Websites im Netz. Ein neues Dateiformat für den Passworttresor soll Abhilfe schaffen. --------------------------------------------- http://heise.de/-2851618 *** IniNet Solutions embeddedWebServer Cleartext Storage Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a cleartext storage of sensitive information vulnerability in the IniNet Solutions GmbH embeddedWebServer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-293-01 *** IniNet Solutions SCADA Web Server Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for three vulnerabilities in the IniNet Solutions GmbH SCADA Web Server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-293-02 *** 3S CODESYS Gateway Null Pointer Exception Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a null pointer exception vulnerability in the 3S-Smart Software Solutions GmbH CODESYS Gateway Server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-293-03 *** Angriffe auf Magento-Shops über bereits bekannte Lücken *** --------------------------------------------- Die aktuellen Angriffe auf Tausende von Magento-Webseiten finden wohl über Lücken statt, für die bereits Patches existieren. Außerdem werden auch Seiten angegriffen, die Magento gar nicht einsetzen. --------------------------------------------- http://heise.de/-2851842 *** Hacking Challenge: Staatsdruckerei sucht IT-Talente *** --------------------------------------------- Die Österreichische Staatsdruckerei veranstaltet auf der Karrieremesse des Campus Hagenberg der FH OÖ eine Hacking Challenge mit dem Ziel, junge IT-Talente zu finden. --------------------------------------------- http://futurezone.at/digital-life/hacking-challenge-staatsdruckerei-sucht-i… *** Kampagnen Malvertising Campaign Goes After German Users *** --------------------------------------------- Malvertising targets German users via carefully crafted attack to dupe ad networks...) --------------------------------------------- https://blog.malwarebytes.org/malvertising-2/2015/10/kampagnen-malvertising… *** Trend Micro kauft Tipping Point *** --------------------------------------------- Mit Tipping Point verleibt sich der Antiviren-Hersteller auch die Zero Day Initiative (ZDI) und die Digital Vaccine Labs ein. Tipping Point, bisher Teil von HP, ist unter anderem auch als Sponsor der Pwn2Own-Events bekannt. --------------------------------------------- http://heise.de/-2851848

1 0

Tageszusammenfassung - Dienstag 20-10-2015
by Daily end-of-shift report 20 Oct '15

20 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 19-10-2015 18:00 − Dienstag 20-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Joomla! - Important Security Announcement - Patch Available Soon *** --------------------------------------------- A Joomla 3.4.5 release containing a security fix will be published on Thursday 22nd October at approximately 14:00 UTC The Joomla Security Strike Team (JSST) has been informed of a critical security issue in the Joomla core. Since this is a *very important security fix*, please be prepared to update your Joomla installations next Thursday. --------------------------------------------- https://www.joomla.org/announcements/release-news/5633-important-security-a… *** JSA10700 - 2015-10 Security Bulletin: Junos: J-Web in SRX5000-Series: A remote attacker can cause a denial of service to SRX5000-Series when J-Web is enabled causing the SRX to enter debug prompt. (CVE-2014-6451) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10700&actp=RSS *** ZDI-15-525: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-525/ *** ZDI-15-524: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-15-524/ *** Lets Encrypt: Cross-Sign mit Identtrust abgeschlossen *** --------------------------------------------- Let's Encrypt hat einen neuen Meilenstein erreicht: Der Cross-Sign mit Identtrust ist abgeschlossen. Ab Mitte November soll der Dienst für die breite Öffentlichkeit verfügbar sein. --------------------------------------------- http://www.golem.de/news/let-s-encrypt-cross-sign-mit-identtrust-abgeschlos… *** DSA-3375 wordpress - security update *** --------------------------------------------- Several vulnerabilities have been fixed in Wordpress, the popularblogging engine. --------------------------------------------- https://www.debian.org/security/2015/dsa-3375 *** Android 6.0: Verschlüsselung wird verpflichtend *** --------------------------------------------- Einen zweiten Anlauf nimmt Google zur Absicherung von Android-Smartphones und Tablets: Mit Android 6.0 müssen – fast – alle neuen Geräte von Haus aus verschlüsselt werden, dies schreibt die neueste Version des Android Compatibility Definition Document vor. --------------------------------------------- http://derstandard.at/2000024183416 *** Hacking ZigBee Networks *** --------------------------------------------- What is ZigBee? Internet of Things (IoT) is what most experts consider as the next step of the Internet revolution where physical objects are invariably linked to the real and virtual world at the same time. Connected devices now .. --------------------------------------------- http://resources.infosecinstitute.com/hacking-zigbee-networks/ *** OpenSSH: Erster Code von SSH für Windows frei verfügbar *** --------------------------------------------- Die portable Version des aktuellen OpenSSH 7.1 stellt Microsoft nun auch für Windows bereit. Interessierte können außerdem künftig zu dem Projekt beitragen. Der produktive Einsatz soll noch in der ersten Jahreshälfte 2016 möglich sein. --------------------------------------------- http://www.golem.de/news/openssh-erster-code-von-ssh-fuer-windows-frei-verf… *** How a criminal ring defeated the secure chip-and-PIN credit cards *** --------------------------------------------- Over $680,000 stolen via a clever man-in-the-middle attack. --------------------------------------------- http://arstechnica.com/tech-policy/2015/10/how-a-criminal-ring-defeated-the… *** .:: Attacking Ruby on Rails Applications ::. *** --------------------------------------------- This little article aims to give an introduction to the topic of attacking Ruby on Rails applications. Its neither complete nor dropping 0day. Its rather the authors attempt to accumulate the interesting attack paths and techniques in one write up. As yours truly spend most of his work on Ruby .. --------------------------------------------- http://phrack.org/papers/attacking_ruby_on_rails.html *** Korrupter Silk-Road-Ermittler zu über sechs Jahren Haft verurteilt *** --------------------------------------------- Seine verdeckten Ermittlungen gegen den Drogenmarktplatz Silk Road nutzte ein US-Beamter für eigene kriminelle Machenschaften. Unter anderem wegen Erpressung und Geldwäsche muss er nun ins Gefängnis. --------------------------------------------- http://heise.de/-2851334 *** Tech Support Scammers Impersonate Apple Technicians *** --------------------------------------------- By setting up a phishing site for Apples remote sharing service, this tech support scam looks quite genuine. --------------------------------------------- https://blog.malwarebytes.org/fraud-scam/2015/10/tech-support-scammers-impe… *** There's no place like ::1 - Malware for the masses *** --------------------------------------------- Analyzing malware samples provided by customers usually leads to interesting results. Recently, an HP customer downloaded something via Microsoft Internet Explorer and provided the sample analyzed in this blog. In some cases, analysis of these types of samples provides insight into previously unknown .. --------------------------------------------- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-no-place-lik… *** Das BSI nimmt sich der Router-Sicherheit an *** --------------------------------------------- Das BSI hat ein Testkonzept vorgestellt, das die Sicherheit von Endkunden-Routern vergleichbar machen soll. Die 'wesentliche Sicherheitskomponente zum Schutz des internen Netzes' soll endlich sicher werden. --------------------------------------------- http://heise.de/-2851354

1 0

Tageszusammenfassung - Montag 19-10-2015
by Daily end-of-shift report 19 Oct '15

19 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 16-10-2015 18:00 − Montag 19-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** eFast browser hijacks file associations *** --------------------------------------------- We take a look at an Eorezo/Tuto4PC hijacker that installs a new browser called eFast rather than hijacking an existing one. --------------------------------------------- https://blog.malwarebytes.org/online-security/2015/10/efast-browser-hijacks… *** Surveillance Malware Trends: Tracking Predator Pain and HawkEye *** --------------------------------------------- Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-tre… *** SDG Technologies Plug and Play SCADA XSS Vulnerability *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public disclosure of a cross-site scripting vulnerability with proof-of-concept (PoC) exploit code affecting SDG Technologies Plug and Play SCADA, a supervisory control and data acquisition/human-machine .. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-15-288-01 *** DSA-3373 owncloud - security update *** --------------------------------------------- Multiple vulnerabilities were discovered in ownCloud, a cloud storageweb service for files, music, contacts, calendars and many more. These flaws may lead to the execution of arbitrary code, authorization bypass,information disclosure, cross-site scripting or denial of service. --------------------------------------------- https://www.debian.org/security/2015/dsa-3373 *** Massive Magento Guruincsite Infection *** --------------------------------------------- We are currently seeing a massive attack on Magento sites where hackers inject malicious scripts that create iframes from 'guruincsite[.]com'. Google already blacklisted about seven thousand sites because of this malware. There are two .. --------------------------------------------- https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html *** New Neutrino EK Campaign Drops Andromeda *** --------------------------------------------- On October 15th, we started seeing a new pattern of redirections to the Neutrino Exploit Kit via compromised websites. What actually caught our attention was one of the file names used to inject an iframe pointing to the exploit kit landing page. Ironically, it was called neitrino.php. --------------------------------------------- https://blog.malwarebytes.org/exploits-2/2015/10/new-neutrino-ek-campaign-d… *** Freies Unix: OpenBSD 5.8 zähmt das System *** --------------------------------------------- Etwas eher als üblich ist OpenBSD auf den Tag genau 20 Jahre nach der Projektgründung erschienen. Für bessere Sicherheit wird das NX-Bit nun auch in der 32-Bit-X86-Architektur genutzt, der Sudo-Befehl ist ersetzt worden und das System kann offiziell gezähmt werden. --------------------------------------------- http://www.golem.de/news/freies-unix-openbsd-5-8-zaehmt-das-system-1510-116… *** 1Password Leaks Your Data *** --------------------------------------------- For those of you who don't know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the �Agile Keychain� format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which are decrypted .. --------------------------------------------- http://myers.io/2015/10/22/1password-leaks-your-data/ *** Staatliche Hackerangriffe: Facebook will seine Nutzer warnen *** --------------------------------------------- Facebook will von staatlichen Angriffen bedrohte Nutzer künftig warnen und ihnen den Einsatz von Zwei-Faktor-Authentifizeriung empfehlen. Bei der Klarnamenpflicht bleibt das Unternehmen aber bei seiner Position. --------------------------------------------- http://www.golem.de/news/staatliche-hackerangriffe-facebook-will-seine-nutz… *** Supporting the Android Ecosystem *** --------------------------------------------- A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to .. --------------------------------------------- https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.…

1 0

Tageszusammenfassung - Freitag 16-10-2015
by Daily end-of-shift report 16 Oct '15

16 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 15-10-2015 18:00 − Freitag 16-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Security Updates Available for Adobe Flash Player (APSB15-27) *** --------------------------------------------- A security bulletin (APSB15-27) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1288 *** Exposing the most dangerous financial malware threats *** --------------------------------------------- Cyphort analyzed the top eight types of financial malware cybercriminals are using today to target banks and electronic payment systems. The most dangerous financial malware threats have resulted i... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/otxCIk5qeu4/malware_news.… *** Data dump points to a breach at Electronic Arts *** --------------------------------------------- Account details of some 600 Electronic Arts (EA) customers have apparently been leaked on Pastebin. The company has yet to confirm that the leak is genuine, but they are "taking steps to secure any ac... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/-grCjlQtA4c/secworld.php *** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available *** --------------------------------------------- Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your... --------------------------------------------- http://blogs.technet.com/b/srd/archive/2015/10/15/enhanced-mitigation-exper… *** Windows Drivers are True'ly Tricky *** --------------------------------------------- Posted by James Forshaw, Driving for BugsAuditing a product for security vulnerabilities can be a difficult challenge, and there's no guarantee you'll catch all vulnerabilities even when you do. This post describes an issue I identified in the Windows Driver code for Truecrypt, which has already gone through a security audit. The issue allows an application running as a normal user or within a low-integrity sandbox to remap the main system drive and elevate privileges to SYSTEM or... --------------------------------------------- http://googleprojectzero.blogspot.com/2015/10/windows-drivers-are-truely-tr… *** Breaking Diffie-Hellman with Massive Precomputation (Again) *** --------------------------------------------- The Internet is abuzz with this blog post and paper, speculating that the NSA is breaking the Diffie-Hellman key-exchange protocol in the wild through massive precomputation. I wrote about this at length in May when this paper was first made public. (The reason its news again is that the paper was just presented at the ACM Computer and Communications Security... --------------------------------------------- https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html *** Auch Ubuntu Phone hat seine Sicherheitslücken *** --------------------------------------------- Eine App aus dem Ubuntu Phone Store hat eine Sicherheitslücke aufgezeigt, mit der Angreifer die komplette Kontrolle über die Geräte der Opfer hätte erlangen können. Stattdessen ändert die App nur den Boot-Splash. --------------------------------------------- http://heise.de/-2849370 *** Elasticsearch 1.7.3 released *** --------------------------------------------- Today, we are happy to announce the bug fix release of Elasticsearch 1.7.3, based on Lucene 4.10.4. This is the latest stable release. Users are advised to upgrade if they find themselves affected by any of the bugs which have been fixed.You can download Elasticsearch 1.7.3 and read the full changes list here.Previous blog posts about the 1.7 series:Elasticsearch 1.7.2Elasticsearch 1.7.1Elasticsearch 1.7.0This release contains a number of bug fixes including:Synced flushes were reactivating... --------------------------------------------- https://www.elastic.co/blog/elasticsearch-1-7-3-released *** VMSA-2015-0003.12 *** --------------------------------------------- VMware product updates address critical information disclosure issue in JRE --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0003.html *** Bugtraq: [security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) and Other Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/536687 *** Bugtraq: [security bulletin] HPSBOV03503 rev.1 - HP OpenVMS CSWS_JAVA running Tomcat, Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/536689 *** Updated F5 Security Advisory: OpenSSL vulnerability CVE-2014-0224 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/15000/300/sol15325.htm… *** F5 Security Advisory: vCMP DoS vulnerability CVE-2015-6546 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/300/sol17386.htm… *** APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 *** --------------------------------------------- APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, andiWork for iOS 2.6Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 are nowavailable which address the following:Keynote, Pages, and NumbersAvailable for: OS X Yosemite v10.10.4 or later, iOS 8. [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2015/Oct/msg00000.ht… *** USN-2772-1: PostgreSQL vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2772-116th October, 2015postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryPostgreSQL could be made to crash or expose private information if ithandled specially crafted data.Software description postgresql-9.1 - Object-relational SQL database postgresql-9.3 - Object-relational SQL database postgresql-9.4 - Object-relational SQL... --------------------------------------------- http://www.ubuntu.com/usn/usn-2772-1/ *** 3S CODESYS Runtime Toolkit Null Pointer Dereference Vulnerability *** --------------------------------------------- This advisory provides mitigation details for a NULL pointer dereference vulnerability in the 3S-Smart Software Solutions GmbHs CODESYS Runtime Toolkit. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-288-01 *** Bugtraq: Qualys Security Advisory - LibreSSL (CVE-2015-5333 and CVE-2015-5334) *** --------------------------------------------- http://www.securityfocus.com/archive/1/536692 *** Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111) *** --------------------------------------------- Topic: Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111) Risk: Medium Text:Source: https://code.google.com/p/google-security-research/issues/detail?id=486 Windows: Sandboxed Mount Reparse Point Crea... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015100120 *** Bugtraq: ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access *** --------------------------------------------- http://www.securityfocus.com/archive/1/536695

1 0

Tageszusammenfassung - Donnerstag 15-10-2015
by Daily end-of-shift report 15 Oct '15

15 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 14-10-2015 18:00 − Donnerstag 15-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Zero-Day in Magento Plugin Magmi Under Attack *** --------------------------------------------- A zero-day in a popular plugin for the Magento ecommerce platform called Magmi is under attack. --------------------------------------------- http://threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/ *** Security Advisory for Adobe Flash Player (APSA15-05) *** --------------------------------------------- A Security Advisory (APSA15-05) has been published regarding a critical vulnerability (CVE-2015-7645) in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Adobe is aware of a report that an exploit for this vulnerability is being used... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1280 *** Kritische Flash-Lücke: Adobe stellt Patch in Aussicht *** --------------------------------------------- Einer Sicherheitsfirma zufolge greift die Gruppe Pawn Storm derzeit gezielt aktuelle Flash-Versionen über eine Zero-Day-Lücke an. Adobe hat nun einen Patch angekündigt. --------------------------------------------- http://heise.de/-2847993 *** Exploit kit roundup: Less Angler, more Nuclear, (Thu, Oct 15th) *** --------------------------------------------- Introduction Earlier this month, Ciscos Talos team published an in-depth report on the Angler exploit kit (EK) [1]. The report also documentedCiscos coordination with hosting providers to shut down malicious servers associated with this EK. The result? Ive found far less Angler EK in the last two... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20255&rss *** How is NSA breaking so much crypto? *** --------------------------------------------- However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery. --------------------------------------------- https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so… *** HTTP Evasions Explained - Part 5 - GZip Compression *** --------------------------------------------- This is the fifth part in a series which will explain the evasions done by HTTP Evader. This part is about failures to handle gzip compression properly. Contrary to deflate compression all products Ive seen are able to handle gzip compression in theory. But several major products fail if you set some special bits, invalidate the checksum, remove some bytes from the end etc. But, the browsers unpack the content anyway so we get a bypass again. --------------------------------------------- http://noxxi.de/research/http-evader-explained-5-gzip.html *** Existing security standards do not sufficiently address IoT *** --------------------------------------------- A lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence. According to the UK IT professionals surveyed by ISACA, 75 percent of the security exper... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/624P7Nfkph8/secworld.php *** IETF verabschiedet Standard für die Absicherung des verschlüsselten Mail-Transports *** --------------------------------------------- Die Spezifikation DANE over SMTP hat nur zwei Jahre für ihre Standardisierung benötigt. Das Bundesamt für Sicherheit und Informationstechnik fordert nun bereits von zertifizierten Mail-Providern die Umsetzung des DANE-Verfahrens. --------------------------------------------- http://heise.de/-2848049 *** Juniper Security Advisories *** --------------------------------------------- *** JSA10695 - 2015-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Python on Junos (CVE-2014-6448) *** http://kb.juniper.net/index?page=content&id=JSA10695&actp=RSS *** JSA10702 - 2015-10 Security Bulletin: QFabric 3100 Director: CUPS printing system Improper Update of Reference Count leads to remote chained vulnerability attack via XSS against authenticated users (CVE-2015-1158, CVE-2015-1159) *** http://kb.juniper.net/index?page=content&id=JSA10702&actp=RSS *** JSA10706 - 2015-10 Security Bulletin: Junos: FTPS through SRX opens up wide range of data channel TCP ports (CVE-2015-5361) *** http://kb.juniper.net/index?page=content&id=JSA10706&actp=RSS *** JSA10701 - 2015-10 Security Bulletin: Junos: Trio Chipset (Trinity) Denial of service due to maliciously crafted uBFD packet. (CVE-2015-7748) *** http://kb.juniper.net/index?page=content&id=JSA10701&actp=RSS *** JSA10700 - 2015-10 Security Bulletin: Junos: J-Web in vSRX-Series: A remote attacker can cause a denial of service to vSRX when J-Web is enabled causing the vSRX instance to reboot. (CVE-2014-6451) *** http://kb.juniper.net/index?page=content&id=JSA10700&actp=RSS *** JSA10703 - 2015-10 Security Bulletin: Junos: vSRX-Series: A remote attacker can cause a persistent denial of service to the vSRX through a specific connection request to the firewalls host-OS.(CVE-2015-7749) *** http://kb.juniper.net/index?page=content&id=JSA10703&actp=RSS *** JSA10708 - 2015-10 Security Bulletin: Junos: SSH allows unauthenticated remote user to consume large amounts of resources (CVE-2015-7752) *** http://kb.juniper.net/index?page=content&id=JSA10708&actp=RSS *** JSA10704 - 2015-10 Security Bulletin: ScreenOS: Network based denial of service vulnerability in ScreenOS (CVE-2015-7750) *** http://kb.juniper.net/index?page=content&id=JSA10704&actp=RSS *** JSA10707 - 2015-10 Security Bulletin: Junos: Corrupt pam.conf file allows unauthenticated root access (CVE-2015-7751) *** http://kb.juniper.net/index?page=content&id=JSA10707&actp=RSS *** JSA10705 - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView *** http://kb.juniper.net/index?page=content&id=JSA10705&actp=RSS *** JSA10699 - 2015-10 Security Bulletin: Junos: Crafted packets cause mbuf chain corruption which may result in kernel panic (CVE-2014-6450) *** http://kb.juniper.net/index?page=content&id=JSA10699&actp=RSS *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GNU glibc affect IBM Security Network Intrusion Prevention System (CVE-2013-2207, CVE-2014-8121, and CVE-2015-1781 ) *** http://www.ibm.com/support/docview.wss?uid=swg21966788 *** IBM Security Bulletin: A vulnerability in net-snmp affects IBM Security Network Intrusion Prevention System (CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21966694 *** IBM Security Bulletin: IBM NetInsight is impacted by multiple vulnerabilities in open source cURL libcurl (CVE-2015-3153, CVE-2015-3236) *** http://www.ibm.com/support/docview.wss?uid=swg21967448 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-2601, CVE-2015-2613, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21968048 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server (CVE-2015-1931 CVE-2015-2601 CVE-2015-2613 CVE-2015-2625) *** http://www.ibm.com/support/docview.wss?uid=swg21964927 *** IBM Security Bulletin: IBM Personal Communications with IBM GSKit - Malformed ECParameters causes infinite loop (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21962890 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792) *** http://www.ibm.com/support/docview.wss?uid=swg21968046 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational Team Concert Build Agent (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2014-8176) *** http://www.ibm.com/support/docview.wss?uid=swg21968724 *** IBM Security Bulletin: Logjam vulnerability affects IBM SmartCloud Entry (CVE-2015-4000) *** http://www.ibm.com/support/docview.wss?uid=isg3T1022754 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor (CVE-2015-0488) *** http://www.ibm.com/support/docview.wss?uid=swg21968052 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-0488 CVE-2015-0478 CVE-2015-1916 CVE-2015-0204) *** http://www.ibm.com/support/docview.wss?uid=swg21963609 *** IBM Security Bulletin: Cross Site Scripting (XSS) Vulnerability in IBM Sametime Rich Client and in IBM Sametime Proxy (CVE-2015-1917) *** http://www.ibm.com/support/docview.wss?uid=swg21965839 *** Security Advisory: Stored XSS in Akismet WordPress Plugin *** --------------------------------------------- Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 9/10 Vulnerability: Stored XSS Patched Version: 3.1.5 During a routine audit for our WAF, we discovered a critical stored XSS vulnerability affecting Akismet, a popular WordPress plugin deployed by millions of installs. Vulnerability Disclosure Timeline: October 2nd, 2015 - Bug discovered, initial report to Automattic security team October 5th, 2015... --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/abpAvnfFREc/security-advisory…

1 0

Tageszusammenfassung - Mittwoch 14-10-2015
by Daily end-of-shift report 14 Oct '15

14 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 13-10-2015 18:00 − Mittwoch 14-10-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Patchday: Adobe schließt kritische Lücken in Flash und Reader *** --------------------------------------------- Sicherheitslücken in beiden Produkten erlauben es Angreifern, den Rechner des Opfers aus der Ferne zu kapern. Bei Flash werden insgesamt 13 Lücken durch die Updates geschlossen, bei Acrobat und Reader sind es 56 Lücken. --------------------------------------------- http://heise.de/-2845079 *** Nach Patchday: Flash über neue Sicherheitslücke immer noch angreifbar *** --------------------------------------------- Eine Sicherheitsfirma berichtet von gezielten Angriffen, die momentan stattfinden und eine Zero-Day-Lücke in der aktuellen Flash-Version für Windows missbrauchen. --------------------------------------------- http://heise.de/-2846807 *** MS15-OCT - Microsoft Security Bulletin Summary for October 2015 - Version: 1.0 *** --------------------------------------------- This bulletin summary lists security bulletins released for October 2015. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS15-OCT *** Microsoft Patch Tuesday - October 2015 *** --------------------------------------------- This month the vendor is releasing six bulletins covering a total of 33 vulnerabilities. Thirteen of this months issues are rated Critical. --------------------------------------------- http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-october-2015 *** Redirect to Microsoft Word Macro Virus *** --------------------------------------------- These days we rarely see Microsoft Word malware on websites, but it still exists and compromised websites can distribute this kind of malware as well. It's not just email attachments when it comes to sharing infected documents. For example, this malicious file was found on a hacked Joomla site by our analyst Krasimir Konov. --------------------------------------------- https://blog.sucuri.net/2015/10/redirect-to-microsoft-word-macro-virus.html *** The Web Authentication Arms Race - A Tale of Two Security Experts *** --------------------------------------------- Web authentication systems have evolved over the past ten years to counter a growing variety of threats. This post will present a fictional arms race between a web application developer and an attacker, showing how different threats can be countered with the latest security technologies. --------------------------------------------- http://blog.slaks.net/2015-10-13/web-authentication-arms-race-a-tale-of-two… *** MSRT October 2015: Tescrypt *** --------------------------------------------- Octobers Microsoft Malicious Software Removal Tool (MSRT) includes detection and remediation for the following families: Tescrypt Blakamba Diplugem Escad Joanap Brambul Drixed This blog focuses on the ransomware family Tescrypt. Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does: Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/10/13/msrt-october-2015-tescry… *** AndroidVulnerabilities.org - Calculating the score *** --------------------------------------------- We developed the FUM score to compare the security provided by different device manufacturers. The score gives each Android manufacturer a score out of 10 based on the security they have provided to their customers over the last four years. --------------------------------------------- http://androidvulnerabilities.org/ *** AV Phone Scan via Fake BSOD Web Pages, (Tue, Oct 13th) *** --------------------------------------------- A few days ago, I found a malicious website which triesto lure the visitor by simulating a Microsoft Windows Blue Screen of Death(BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw Microsoft engineers calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue and users... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20251&rss *** Injection on Steroids: Code-less Code Injections and 0-Day Techniques *** --------------------------------------------- In this talk, we discuss known-yet-complex and less documented code injection techniques. We further expose additional new user- and kernel-mode injection techniques. One of these techniques we've coined as "code-less code injection" since, as opposed to other known injection techniques, does not require adding code to the injected process. We also reveal an additional kernel-mode code injection which is a variation to the technique used by the AVs. However, as we demonstrate,... --------------------------------------------- http://breakingmalware.com/injection-techniques/code-less-code-injections-a… *** On (OAuth) token hijacks for fun and profit part #2 (Microsoft/xxx integration) *** --------------------------------------------- In a previous blogpost we have already analyzed a token hijack on one OAuth integration between some Microsoft and Google service and seen what went wrong. Now it is time to see yet another integration between Microsoft and xxxx (unluckily I cant disclose the name of the other company due the fact the havent still fixed a related issue...) and see some fallacy. But before to focus on the attack we might need a bit of introduction. --------------------------------------------- http://intothesymmetry.blogspot.ie/2015/10/on-oauth-token-hijacks-for-fun-a… *** VU#870744: ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#870744 ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities Original Release date: 13 Oct 2015 | Last revised: 13 Oct 2015 Overview Several models of ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting. Description CWE-255: Credentials Management - CVE-2015-6016According to the reporter, the following models contain the weak... --------------------------------------------- http://www.kb.cert.org/vuls/id/870744 *** KerioControl Input Validation and Access Control Flaws Let Remote Users Conduct Cross-Site Request Forgery, Cross-Site Scripting, and SQL Injection Attacks and Remote Authenticated Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1033807

1 0

Tageszusammenfassung - Dienstag 13-10-2015
by Daily end-of-shift report 13 Oct '15

13 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 12-10-2015 18:00 − Dienstag 13-10-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** Free and Commercial Tools to Implement the SANS Top 20 Security Controls, Part 3: Secure Configurations *** --------------------------------------------- This is Part 3 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. Now well move on to Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. 3-1 Establish and ensure the use of standard secure configurations of... --------------------------------------------- https://feeds.feedblitz.com/~/117076473/0/alienvault-blogs~Free-and-Commerc… *** Certificate authorities issue SSL certificates to fraudsters *** --------------------------------------------- In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by... --------------------------------------------- http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-… *** I am HDRoot! Part 2 *** --------------------------------------------- Some time ago while tracking Winnti group activity we came across a standalone utility with the name HDD Rootkit for planting a bootkit on a computer. During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems. --------------------------------------------- http://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/ *** Best Practices for Securing Remote Access *** --------------------------------------------- Most, if not all, of the day-to-day tasks performed in offices today rely heavily on technology, mainly computers, laptops, tablets & smart devices. As the world and the global economy become increasingly interconnected, members of the staff too are required to go mobile. Sometimes, the need arises to work from home or somewhere away from... --------------------------------------------- http://resources.infosecinstitute.com/best-practices-for-securing-remote-ac… *** Social Media Security: Your Biggest Threat is Yourself *** --------------------------------------------- I set out to write this blog to explore the security threats faced by both businesses and individuals in Social Media. I had the intention of making this a rather technical blog, full of charts and statistics. However, as I began talking to people within the security and social media world, I discovered that the top threat to both individuals and businesses has nothing to do with the actual technology and network vulnerability. The biggest threat to social media security is actually ourselves. --------------------------------------------- https://feeds.feedblitz.com/~/117261057/0/alienvault-blogs~Social-Media-Sec… *** Windows Exploit Suggester - An Easy Way to Find and Exploit Windows Vulnerabilities *** --------------------------------------------- Introduction During our penetration testing engagements, we often come across the situations where we need to find the right exploits to escalate the privileges on a compromised host. Though there are multiple techniques to escalate the privileges, finding out missing patches could be an easy way if an exploit is publicly available. Blindly trying various... --------------------------------------------- http://resources.infosecinstitute.com/windows-exploit-suggester-an-easy-way… *** Security Bulletins Posted for Adobe Acrobat, Reader and Flash Player *** --------------------------------------------- Security Bulletins for Adobe Acrobat and Reader (APSB15-24) and Adobe Flash Player (APSB15-25) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1278 *** WiFi jamming attacks more simple and cheaper than ever *** --------------------------------------------- A security researcher has demonstrated that jamming WiFi, Bluetooth, and Zigbee networks is not difficult to perform but, most importantly, also not as costly as one might think. According to Math... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/f-PMACEc174/secworld.php *** Best Quality and Quantity of Contributions in the New Xen Project 4.6 Release *** --------------------------------------------- I'm pleased to announce the release of Xen Project Hypervisor 4.6. This release focused on improving code quality, security hardening, enablement of security appliances, and release cycle predictability - this is the most punctual release we have ever had. --------------------------------------------- https://blog.xenproject.org/2015/10/13/xen-4-6/ *** Netgear Router: Eine Schwachstelle ermöglicht das Erlangen von Administratorrechten *** --------------------------------------------- Netgear stellt die Firmware 1.1.0.32 für die Router-Modelle JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 und WNR2020v2 zur Verfügung. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K15-1482%20UPDATE%201 *** VU#751328: QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X *** --------------------------------------------- Vulnerability Note VU#751328 QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X Original Release date: 12 Oct 2015 | Last revised: 12 Oct 2015 Overview QNAP QTS is a Network-Attached Storage (NAS) system. The QNAP QTS is vulnerable to a path traversal attack when used with the AFP protocol and OS X. Description CWE-23: Relative Path Traversal - CVE-2015-6003When the Apple Filing Protocol (AFP) is enabled, any OS X user account (including the --------------------------------------------- http://www.kb.cert.org/vuls/id/751328 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Stored IQ (CVE-2015-2625) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21968526 *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM SONAS (CVE-2015-2808) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1005319 *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM SONAS (CVE-2013-7423) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1005315 *** F5 Security Advisory: OpenJDK vulnerability CVE-2014-0428 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/17000/300/sol17381.htm… *** Cisco Application Policy Infrastructure Controller SSH Key Handling Flaw Lets Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1033793 *** Cisco ASR Router TACACS Implementation Bug Lets Remote Users Cause the Target vpnmgr Service to Restart *** --------------------------------------------- http://www.securitytracker.com/id/1033792 *** Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues *** --------------------------------------------- Topic: Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues Risk: Medium Text:Advisory ID: SYSS-2015-037 Product(s): Password Safe and Repository Enterprise Manufacturer: MATESO GmbH Affected Version(s)... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015100089 *** Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection *** --------------------------------------------- Topic: Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection Risk: Medium Text:Advisory ID: SYSS-2015-034 Product(s): Password Safe and Repository Enterprise Manufacturer: MATESO GmbH Affected Version(s)... --------------------------------------------- https://cxsecurity.com/issue/WLB-2015100092 *** Bugtraq: CVE-2015-7683: Absolute Path Traversal in the Font WordPress Plugin *** --------------------------------------------- http://www.securityfocus.com/archive/1/536670 *** Bugtraq: CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin *** --------------------------------------------- http://www.securityfocus.com/archive/1/536669 *** Bugtraq: CVE-2015-7377: Unauthenticated Reflected XSS in Pie Register WordPress Plugin *** --------------------------------------------- http://www.securityfocus.com/archive/1/536668

1 0

Tageszusammenfassung - Montag 12-10-2015
by Daily end-of-shift report 12 Oct '15

12 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 09-10-2015 18:00 − Montag 12-10-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** GnuPG (GPG) 2.1.9 release announced, (Sun, Oct 11th) *** --------------------------------------------- The GnuPG group has announced the release of GPG version 2.1.9, which addresses a number of technical issues within the components of the code. The update of any encryption component should be carefully planned, as the impact is often not fully understood until some data cannot be accessed because of encryption issues. If you are running a version of GPG older than version 2.1, i strongly recommend taking a look at the changes... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20235&rss *** Cloud DDoS Mitigation Services Can Be Easily Bypassed *** --------------------------------------------- An anonymous reader writes: A recent research paper shows that most Cloud-Based Security Providers are ineffective in protecting websites from DDoS attacks, mainly because they cannot entirely hide the origin websites IP address from attackers. As five security researchers from Belgium and the U.S. are claiming, there are eight methods through which these mitigation services can be bypassed. The techniques of obtaining a websites origin IP address rely on hackers searching through historical... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/kzYQm-Sz02k/cloud-ddos-miti… *** Sicherheitslücke in TeamSpeak-Desktop-Client 3.0.18 *** --------------------------------------------- Die besonders bei Gamern populäre Voice-Chat-Software TeamSpeak erlaubt Angreifern, Dateien auf Client-PCs hochzuladen. Server-Betreiber sollen alte Clients aussperren. --------------------------------------------- http://www.heise.de/newsticker/meldung/Sicherheitsluecke-in-TeamSpeak-Deskt… *** HP perfomance monitor can climb through Windows *** --------------------------------------------- Crimp nasty privilege escalation bug by running it in Linux instead says Rapid7 Rapid7 is advising HP SiteScope users to run the tool on Linux rather than Windows servers because of a nasty privilege escalation vulnerability. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/10/11/hp_says_get… *** European Aviation Safety Agency - Airplane hacking is reality *** --------------------------------------------- European Aviation Safety Agency European Aviation confirmed the concerns about the Airplane hacking. Hackers could easily infiltrate critical systems. On October 8, 2015, the director of the European Aviation Safety Agency, Patrick Ky revealed he has hired consultant, which is also a commercial pilot, who was able to exploit vulnerabilities in the Aircraft Communications Addressing... --------------------------------------------- http://securityaffairs.co/wordpress/40975/hacking/easa-airplane-hacking.html *** A Study in Bots: DiamondFox *** --------------------------------------------- DiamondFox is a multipurpose botnet with capabilities ranging from credential stealing to theft of credit card information from point of sale systems. This capable malware is being distributed in a number of hacker forums, allowing it to be operated by attackers with extremely limited capabilities to operate it. Fortunately for malware researchers, DiamondFox fails to protect itself in various ways. --------------------------------------------- http://blog.cylance.com/a-study-in-bots-diamondfox *** TLS Fingerprinting (Smarter Defending & Stealthier Attacking) *** --------------------------------------------- Previously, I have been able to demonstrate that certain clients could be differentiated from other network traffic. Specifically, that meant discriminating SuperFish, PrivDog, and GeniusBox from mainstream browsers when making HTTPS connections, and generating IDS signatures based on these findings to assist network administrators in being able to identify problematic hosts without requiring access to either endpoint. I have now expanded this technique to improve the accuracy of the... --------------------------------------------- https://blog.squarelemon.com/tls-fingerprinting/ *** Kaspersky Internet Security: Network Attack Blocker Design Flaw *** --------------------------------------------- A component of Kaspersky Internet Security that's enabled by default is called the "Network Attack Blocker", described as "protects the computer against dangerous network activity". I examined the implementation, and determined that it's actually a simple stateless packet filter with a pattern-matching signature system. It has no concept of flow reassembly or protocol decoding, which require stateful packet inspection. When the software detects an attack, it adds... --------------------------------------------- https://code.google.com/p/google-security-research/issues/detail?id=564 *** USB Killer 2.0 - How to easily burn a PC with a USB device *** --------------------------------------------- In March I presented the PoC of a computer-frying Killer USB pendrive designed by the Russian researcher, now the USB Killer 2.0 is arrived! Do you remember the killer USB? In March I presented the proof-of-concept computer-frying Killer USB pendrive designed by the Russian researcher with the pseudonym "Dark Purple". Dark Purple works for a company that develops and manufactures electronic components,... --------------------------------------------- http://securityaffairs.co/wordpress/40984/hacking/usb-killer-2-0.html *** Thousands of Zhone SOHO routers can be easily hijacked *** --------------------------------------------- Two days before he is scheduled to give a talk about discovering and exploiting 0-day vulnerabilities in SOHO routers firmware, security researcher Lyon Yang has released details about a number of vu... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/94i2m6_inBI/secworld.php *** DFN-CERT-2015-1574: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1574/ *** Bugtraq: ESA-2015-153 EMC SourceOne Email Supervisor Security Update for Multiple Security Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/536662

1 0

Tageszusammenfassung - Freitag 9-10-2015
by Daily end-of-shift report 09 Oct '15

09 Oct '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 08-10-2015 18:00 − Freitag 09-10-2015 18:00 Handler: Robert Waldner Co-Handler: n/a *** Prenotification: Upcoming Security Updates for Adobe Acrobat and Reader (APSB15-24) *** --------------------------------------------- A prenotification security advisory (APSB15-24) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, October 13, 2015. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1276 *** Brute Force Amplification Attacks Against WordPress XMLRPC *** --------------------------------------------- Brute Force attacks are one of the oldest and most common types of attacks that we still see on the Internet today. If you have a server online, it's most likely being hit right now. It could be via protocols like SSH or FTP, and if it's a web server, via web-based brute force attempts againstRead More The post Brute Force Amplification Attacks Against WordPress XMLRPC appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-w… *** PostgreSQL: 2015-10-08 Security Update Release *** --------------------------------------------- Two security issues have been fixed in this release which affect users of specific PostgreSQL features: CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service. CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed. --------------------------------------------- http://www.postgresql.org/about/news/1615/ *** PowerShell Command Line Logging *** --------------------------------------------- The problem is that, by default, Windows only logs that PowerShell was launched. No additional details about what exactly happened are preserved. The only thing we can tell is that PowerShell called additional programs and possibly opened up a few network sessions. However, there is a way to gather additional details on PowerShell sessions and the command line in general. --------------------------------------------- https://logrhythm.com/blog/powershell-command-line-logging/ *** MYSQL v5.6.24 Buffer Overflows *** --------------------------------------------- SUMMARY During a manual source code audit of MYSQL Version 5.6.24, various buffer overflow issues have been realized. --------------------------------------------- http://www.securityfocus.com/archive/1/536652 *** Aktive Angriffe auf Cisco-VPN-Zugänge *** --------------------------------------------- Vornehmlich über bekannte Sicherheitsprobleme kapern Unbekannte in großem Stil Firmenzugänge über Cisco Clientless SSL VPN (Web VPN), berichtet die Sicherheitsfirma Volexity. --------------------------------------------- http://heise.de/-2841963 *** IBM Security Bulletins *** --------------------------------------------- *** Multiple vulnerabilities of Mozilla Firefox in IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005332 --------------------------------------------- *** Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005333 --------------------------------------------- *** Vulnerabilities in Java affect the IBM FlashSystem V9000 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005411 --------------------------------------------- *** Vulnerabilities in Java affect the IBM FlashSystem V840 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005412 --------------------------------------------- *** Vulnerabilities in Java affect the IBM FlashSystem models 840 and 900 (CVE-2015-1931, CVE-2015-2601, CVE-2015-2613, and CVE-2015-2625) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005413 --------------------------------------------- *** Vulnerabilities in IBM Java SDK affect IBM Storwize V7000 Unified (CVE-2015-2613, CVE-2015-2601, CVE-2015-4000, CVE-2015-2625, and CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005342 --------------------------------------------- *** Multiple vulnerabilities in IBM Java Runtime Version 6 affect IBM Cognos Business Viewpoint (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) *** http://www.ibm.com/support/docview.wss?uid=swg21967563 --------------------------------------------- *** Vulnerabilities in Open Source OpenSSL affects the IBM FlashSystem V840 (CVE-2015-1788, CVE-2015-1789, CVE-2015-1791, and CVE-2015-3216) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005376 --------------------------------------------- *** Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005313 ---------------------------------------------

1 0