=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-07-2014 18:00 − Monday 28-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco WebEx Meetings Server Authenticated Encryption Vulnerability ***
---------------------------------------------
A vulnerability in the user.php script of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cacti cross-site scripting ***
---------------------------------------------
Cacti is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the Full Name field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting ..
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94862
*** Cisco WebEx Meetings Server OutlookAction Class Vulnerability ***
---------------------------------------------
A vulnerability in the OutlookAction Class of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to enumerate valid user accounts. The vulnerability is due to ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Web Framework Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information. The vulnerability occurs because sensitive information is passed in a query string. An attacker could ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Service Drains Competitors' Online Ad Budget ***
---------------------------------------------
The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today's post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.
---------------------------------------------
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-bud…
*** Daimler: An in-house hacker group against security vulnerabilities ***
---------------------------------------------
The car manufacturer Daimler employs a permanent group of data specialists whose job it is to attack the company's own corporate network. The aim is to find security vulnerabilities faster.
---------------------------------------------
http://www.golem.de/news/daimler-mit-eigener-hacker-gruppe-gegen-sicherheit…
*** Ubiquiti UbiFi Controller 2.4.5 Password Hash Disclosure ***
---------------------------------------------
If remote logging is enabled on the UniFi controller, syslog messages are sent to a syslog server. Contained within the syslog messages is the admin password that is used by both the UniFi controller and all managed Access Points. This CVE was ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070146
*** Tails: Zero-day in the Invisible Internet Project ***
---------------------------------------------
The Linux distribution Tails contains a security vulnerability through which user identities can be exposed. The flaw is not in Tor but in the Invisible Internet Project network.
---------------------------------------------
http://www.golem.de/news/tails-zero-day-im-invisible-internet-project-1407-…
*** DANE disruptive: Authenticated OpenPGP keys in DNS ***
---------------------------------------------
Pretty Good Privacy is to use DNS for key propagation. Next on the agenda of the Internet Engineering Task Force (IETF) developers' list is the admission of one's own key material.
---------------------------------------------
http://www.heise.de/security/meldung/DANE-disruptiv-Authentifizierte-OpenPG…
*** Behind the Android.OS.Koler distribution network ***
---------------------------------------------
Android.OS.Koler.a is a ransomware program that blocks the screen of an infected device and requests a ransom in order to unlock the device. Behind it is an entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads, targeting not only mobile devices but any other visitor.
---------------------------------------------
https://securelist.com/blog/research/65189/behind-the-android-os-koler-dist…
*** Dissecting the CVE-2013-2460 Java Exploit ***
---------------------------------------------
In this vulnerability, code is able to get the references of some restricted classes which are cleverly used for privilege escalation and bypassing the JVM sandbox. The vulnerable 'invoke' method of the 'sun.tracing.ProviderSkeleton' class is used to ..
---------------------------------------------
http://research.zscaler.com/2014/07/dissecting-cve-2013-2460-java-exploit.h…
*** Anatomy of an iTunes phish - tips to avoid getting caught out ***
---------------------------------------------
Even if you'd back yourself to spot a phish every time, here's a step-by-step account that might help to save your friends and family in the future...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/28/anatomy-of-an-itunes-phish-tips-…
*** ICS 3C - ICS Cybersecurity Council Conference ***
---------------------------------------------
ICS 3C gathers experts and decision makers placing Cybersecurity at the heart of a Pan-European Dialogue on solutions for securing critical processes.
---------------------------------------------
http://www.anapur.de/u_e_ICS_Cybersecurity_Conference_2014_HD.htm
*** Trojan: Warnings about fake Ikea e-mails ***
---------------------------------------------
Already several thousand detections; the e-mails are "deceptively genuine" ..
---------------------------------------------
http://derstandard.at/2000003626539
*** Malware, Would You Install it for One Cent? ***
---------------------------------------------
A research study report entitled It's All About The Benjamins: An empirical study on incentivizing users to ignore security ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/would-you-install-potential-malware-fo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-07-2014 18:00 − Friday 25-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** More Details of Onion/Critroni Crypto Ransomware Emerge ***
---------------------------------------------
New ransomware has been dubbed Onion by researchers at Kaspersky Lab as its creators use command and control servers hidden in the Tor Network (a/k/a The Onion Router) to obscure their malicious activity.
---------------------------------------------
http://threatpost.com/onion-ransomware-demands-bitcoins-uses-tor-advanced-e…
*** Kali 1.0.8 released with UEFI boot support, more info at http://www.kali.org/news/kali-1-0-8-released-uefi-boot-support/, (Fri, Jul 25th) ***
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18443&rss
*** More dangerous than the NSA: companies underestimate criminal hackers ***
---------------------------------------------
The Allianz für Cyber-Sicherheit (Alliance for Cyber Security) at the German Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) sees the greatest need to catch up in manufacturing companies
---------------------------------------------
http://derstandard.at/2000003528513
*** TAILS Team Recommends Workarounds for Flaw in I2P ***
---------------------------------------------
The developers of the TAILS operating system say that users can mitigate the severity of the critical vulnerability researchers discovered in the I2P software that's bundled with TAILS with a couple of workarounds, but there is no patch for the bug yet. The vulnerability that affects TAILS is in the I2P anonymity network software that comes...
---------------------------------------------
http://threatpost.com/tails-team-recommends-workarounds-for-flaw-in-i2p/107…
*** Fake GoogleBots are third most common DDoS attacker ***
---------------------------------------------
An analysis of 400 million search engine visits to 10,000 sites done by Incapsula researchers has revealed details that might be interesting to web operators and SEO professionals.
---------------------------------------------
http://www.net-security.org/secworld.php?id=17169
*** New SSL server rules go into effect Nov. 1 ***
---------------------------------------------
Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks.
---------------------------------------------
http://www.networkworld.com/article/2457649/security0/new-ssl-server-rules-…
*** The App I Used to Break Into My Neighbor's Home ***
---------------------------------------------
Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger, or friend, can upload your keys to their online collection.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3cdb9908/sc/36/l/0L0Swired0N0C20A…
*** Attackers abusing Internet Explorer to enumerate software and detect security products ***
---------------------------------------------
During the last few years we have seen an increase in the number of malicious actors using tricks and browser vulnerabilities to enumerate the software that is running on the victim's system using Internet Explorer. In this blog post we will describe some of the techniques that attackers are using to perform reconnaissance that gives them information for future attacks. We have also seen these techniques being used to decide whether or not they exploit the victim based on detected...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/attackers-abusing-inter…
*** Building a Legal Botnet in the Cloud ***
---------------------------------------------
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there's no reason this can't scale to much larger numbers....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/07/building_a_lega.html
*** Bugtraq: Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532895
*** Morpho Itemiser 3 Hard-Coded Credential ***
---------------------------------------------
This advisory provides vulnerability information for hard-coded credentials in the Morpho Itemiser 3.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-205-01
*** VU#394540: Sabre AirCentre Crew contains a SQL injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#394540: Sabre AirCentre Crew contains a SQL injection vulnerability
Original Release date: 25 Jul 2014 | Last revised: 25 Jul 2014
Overview: Sabre AirCentre Crew 2010.2.12.20008 and earlier contains a SQL injection vulnerability.
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). Sabre AirCentre Crew 2010.2.12.20008 and earlier is vulnerable to a SQL injection attack in the username and password fields in CWPLogin.aspx.
---------------------------------------------
http://www.kb.cert.org/vuls/id/394540
*** Cisco Unified Presence Server Sync Agent Vulnerability ***
---------------------------------------------
CVE-2014-3328
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2014-3305
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Stack Trace Vulnerability ***
---------------------------------------------
CVE-2014-3301
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-07-2014 18:00 − Thursday 24-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ZDI-14-264: (0Day) Apple QuickTime mvhd Atom Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-264/
*** ZDI-14-263: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 1091 Directory Traversal Arbitrary File Write Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-263/
*** ZDI-14-262: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 305 Directory Traversal Arbitrary File Creation Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-262/
*** [Honeypot Alert] Wordpress XML-RPC Brute Force Scanning ***
---------------------------------------------
There are news reports of new Wordpress XML-RPC brute force attacks being seen in the wild. The SANS Internet Storm Center also has a Diary entry showing similar data. We have captured similar attacks in our web honeypots so we wanted to share more data with the community. Please reference earlier blog posts we have done related to Wordpress: "Wordpress XML-RPC Pingback Vulnerability Analysis" and "Defending Wordpress Logins from Brute Force Attacks". Thanks goes to my SpiderLabs Research colleague
---------------------------------------------
http://blog.spiderlabs.com/2014/07/honeypot-alert-wordpress-xml-rpc-brute-f…
*** Smart Grid Attack Scenarios ***
---------------------------------------------
This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters. In this post,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6sRN65gV904/
*** Windows Previous Versions against ransomware, (Thu, Jul 24th) ***
---------------------------------------------
One of the cool features that Microsoft actually added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service) which allows automatic creation of backup copies on the system. Most users "virtually meet" this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to the original state, if something goes wrong. However,
---------------------------------------------
https://isc.sans.edu/diary/Windows+Previous+Versions+against+ransomware/184…
*** BMW's ConnectedDrive falls over, bosses blame upgrade snafu ***
---------------------------------------------
Traffic flows up 20% as motorway middle lanes miraculously unclog. BMW's ConnectedDrive car-to-mobe interface has suffered a UK-wide outage that may also affect customers in mainland Europe.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/24/bmw_connect…
*** Dirty Dozen Spampionship - which country is spewing the most spam? ***
---------------------------------------------
The World Cup may be done and dusted, but the Spampionship continues! Where did you come in our spam-sending league tables?
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/22/dirty-dozen-spampionship-which-c…
*** A new generation of ransomware ***
---------------------------------------------
Trojan-Ransom.Win32.Onion is a highly dangerous threat and one of the most technologically advanced encryptors out there. Its developers used both proven techniques 'tested' on its predecessors and solutions that are completely new for this class of malware. The use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server.
---------------------------------------------
https://securelist.com/analysis/publications/64608/a-new-generation-of-rans…
*** Bugcrowd Releases Open Source Vulnerability Disclosure Framework ***
---------------------------------------------
The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward. To help...
---------------------------------------------
http://threatpost.com/bugcrowd-releases-open-source-vulnerability-disclosur…
*** SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-072
Project: freelinking (third-party module)
Project: freelinking case tracker (third-party module)
Version: 6.x, 7.x
Date: 2014-July-23
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]]. The module doesn't sufficiently...
---------------------------------------------
https://www.drupal.org/node/2308503
*** Siemens OpenSSL Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-14-198-03 Siemens OpenSSL Vulnerabilities that was published July 17, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-03A
*** Sierra Wireless AirLink Raven X EV-DO Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the advisory titled ICSA-14-007-01A Sierra Wireless AirLink Raven X EV-DO Multiple Vulnerabilities that was published January 16, 2014, on the NCCIC/ICS-CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-007-01B
*** HPSBMU03076 rev.1 - HP Systems Insight Manager (SIM) on Linux and Windows running OpenSSL, Multiple Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager running on Linux and Windows which could be exploited remotely resulting in multiple vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU03074 rev.1 - HP Insight Control server migration on Linux and Windows running OpenSSL, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Insight Control server migration running on Linux and Windows which could be exploited remotely resulting in denial of service (DoS), code execution, unauthorized access, or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Cisco TelePresence Management Interface Vulnerability ***
---------------------------------------------
CVE-2014-3324
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: Beginners error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532875
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-07-2014 18:00 − Wednesday 23-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DDoS attacks remain up, stronger in Q2, report says ***
---------------------------------------------
Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.
---------------------------------------------
http://www.scmagazine.com/ddos-attacks-remain-up-stronger-in-q2-report-says…
*** De-obfuscating the DOM based JavaScript obfuscation found in EK's such as Fiesta and Rig ***
---------------------------------------------
There is little doubt that exploit kit (EK) developers are continuing to improve their techniques and are making exploit kits harder to detect. They have heavily leveraged obfuscation techniques for JavaScript and are utilizing browser functionality to their advantage. Recent exploit kits such as "Fiesta" and "Rig" for example, have been found to be using DOM based JavaScript obfuscation. In...
---------------------------------------------
http://research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html
*** Securing the Nest Thermostat ***
---------------------------------------------
A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest's remote data collection....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/07/securing_the_ne.html
*** WordPress brute force attack via wp.getUsersBlogs, (Tue, Jul 22nd) ***
---------------------------------------------
Now that the XMLRPC "pingback" DDoS problem in WordPress is increasingly under control, the crooks now seem to try brute force password guessing attacks via the "wp.getUsersBlogs" method of xmlrpc.php. ISC reader Robert sent in some logs that show a massive distributed (> 3000 source IPs) attempt at guessing passwords on his Wordpress installation. The requests look like the one shown below and are posted into xmlrpc.php. Unfortunately, the web server responds with a
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18427&rss
*** New Feature: "Live" SSH Brute Force Logs and New Kippo Client, (Wed, Jul 23rd) ***
---------------------------------------------
We are announcing a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system. To download the script see https://isc.sans.edu/clients/kippo/kippodshield.pl . The script uses
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18433&rss
*** Work for admins: Apache 2.4.10 plugs security holes ***
---------------------------------------------
For administrators of web servers running Apache 2.4.x, it is time to update. With the latest version of the software, the Apache developers have closed five holes, one of which allows malicious code to be executed from the network.
---------------------------------------------
http://www.heise.de/security/meldung/Arbeit-fuer-Admins-Apache-2-4-10-stopf…
*** How Thieves Can Hack and Disable Your Home Alarm System ***
---------------------------------------------
When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren't even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3cc7d302/sc/15/l/0L0Swired0N0C20A…
*** EU to Roll Out Cybercrime Taskforce ***
---------------------------------------------
International Team Will Target Cross-Border Crime Campaigns. The European Union is set to launch a trial run of an international cybercrime task force that will coordinate investigations across Europe, as well as with a handful of other countries, including Australia, Canada and the United States.
---------------------------------------------
http://www.bankinfosecurity.com/eu-to-roll-out-cybercrime-taskforce-a-7093
*** The psychology of phishing ***
---------------------------------------------
Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits, today they create highly targeted phishing emails which are tailored to suit their recipients.
---------------------------------------------
http://www.net-security.org/article.php?id=2078
*** Just Released - The Phishing Planning Kit ***
---------------------------------------------
One of the biggest challenges with an effective phishing program is not the technology you use, but how you communicate and implement your phishing program. To assist you in getting the most out of your phishing program we have put together the Phishing Planning Kit. Based on the feedback and input of numerous security awareness officers, this kit...
---------------------------------------------
http://www.securingthehuman.org/blog/2014/07/22/phishing-planning-kit
*** Facebook Scam Leads to Nuclear Exploit Kit ***
---------------------------------------------
Attackers have become more aggressive and are now using Facebook scams to lead to exploit kits so they can control a user's system.
---------------------------------------------
http://www.symantec.com/connect/blogs/facebook-scam-leads-nuclear-exploit-k…
*** Cisco IOS XR Software NetFlow Processing Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3322
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** SonicWALL GMS 7.2 Build 7221.1701 Cross Site Scripting ***
---------------------------------------------
Topic: SonicWALL GMS 7.2 Build 7221.1701 Cross Site Scripting
Risk: Low
Text: I. VULNERABILITY - Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701 II. BACKGROUND ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070121
*** Barracuda Networks Spam And Virus Firewall 6.0.2 XSS ***
---------------------------------------------
Topic: Barracuda Networks Spam And Virus Firewall 6.0.2 XSS
Risk: Low
Text: Document Title: Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability Re...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070118
*** Security Notice-Statement on the XSS Security Vulnerability in Huawei E355 ***
---------------------------------------------
Jul 23, 2014 17:37
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** SSA-214365 (Last Update 2014-07-23): Vulnerabilities in SIMATIC WinCC ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Omron NS Series HMI Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for multiple vulnerabilities in Omron Corporation's NS series human-machine interface (HMI) terminals.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-203-01
*** Honeywell FALCON XLWeb Controllers Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on June 24, 2014, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in Honeywell FALCON XLWeb controllers.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-175-01
*** HPSBMU03073 rev.1 - HP Network Virtualization, Remote Execution of Code, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Network Virtualization. The vulnerability could be exploited remotely to allow execution of code and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-07-2014 18:00 − Tuesday 22-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Retefe banking trojan ***
---------------------------------------------
Most [...] banking trojans are built, technically speaking, from fairly complex software components: encrypted configurations, man-in-the-browser functionality, persistence and update mechanisms, to name a few. In the last six months an entirely new variant has established itself, one that only received a name in February 2014: Retefe.
---------------------------------------------
http://securityblog.switch.ch/2014/07/22/retefe-bankentrojaner/
*** IBM Fixes Code Execution, Cookie-Stealing Vulnerabilities in Switches ***
---------------------------------------------
IBM recently patched a handful of vulnerabilities in some of its KVM switches that, if exploited, could have given an attacker free rein over any system attached to it.
---------------------------------------------
http://threatpost.com/ibm-fixes-code-execution-cookie-stealing-vulnerabilit…
*** Mobile App Wall of Shame: CNN App for iPhone ***
---------------------------------------------
The CNN App for iPhone is one of the most popular news applications available for the iPhone. At present, it is sitting at #2 in the iTunes free News app category and #165 among all free apps. Along with providing news stories, alerts and live video, it also includes iReport functionality, allowing...
---------------------------------------------
http://research.zscaler.com/2014/07/cnn-app-for-iphone.html
*** OWASP Zed Attack Proxy, (Mon, Jul 21st) ***
---------------------------------------------
Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18421&rss
*** Old and Persistent Malware ***
---------------------------------------------
User error is the best reason to explain why Excel spreadsheets infected with the Laroux macro virus have been published on the China Securities Regulatory Commission website (csrc.gov.cn). The commission regulates China's financial markets and provides an online law library on their website where visitors can download various files and texts. Two of the files available in the library contain the MSEXcel.Laroux virus.
---------------------------------------------
https://blogs.cisco.com/security/old-and-persistent-malware/
*** FakeNet Malware Analysis ***
---------------------------------------------
FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware's network activity from within a safe environment.
---------------------------------------------
http://www.ehacking.net/2014/07/fakenet-malware-analysis.html
*** Cisco router vulnerability: the mysterious advance patch ***
---------------------------------------------
The critical security vulnerability that makes nine Cisco routers and cable modems open to attacks from the network was closed years ago at German providers with an update. However, it remains unclear why Cisco only made the fix public now.
---------------------------------------------
http://www.heise.de/security/meldung/Cisco-Routerluecke-Der-mysterioese-Vor…
*** App "telemetry", (Tue, Jul 22nd) ***
---------------------------------------------
ISC reader James had just installed "Foxit Reader" on his iPhone, and had answered "NO" to the "In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data..." question, when he noticed his phone talking to China anyway. The connected-to site was alog.umeng.com, 211.151.151.7. Umeng is an "application telemetry" and online advertising company. Below is what was sent (some of the ids are masked or have been obfuscated) I
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18425&rss
*** Massive Malware Infection Breaking WordPress Sites ***
---------------------------------------------
The last few days have brought about a massive influx of broken WordPress websites. What makes it so unique is that the malicious payload is being blindly injected, which is causing websites to break. While we're still researching, we do want to share some observations: This infection is aimed at websites built on the...
---------------------------------------------
http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.h…
*** Privacy Badger Extension Blocks Tracking Through Social Icons ***
---------------------------------------------
Online tracking has been a thorny problem for years, and as Web security companies, browser vendors and users have become more aware of the problem and smarter about how to defend themselves, ad companies and trackers have responded in kind. The advent of social networks has made it far easier for tracking companies to monitor user behavior across...
---------------------------------------------
http://threatpost.com/privacy-badger-extension-blocks-tracking-through-soci…
*** [webapps] - MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/34128
*** Apache Multiple Flaws Let Remote Users Deny Service or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030615
*** Tenable Nessus Access Control Flaw in Web UI Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030614
*** Apache Scoreboard / Status Race Condition ***
---------------------------------------------
Topic: Apache Scoreboard / Status Race Condition
Risk: Medium
Text: Hi there, --[ 0. Sparse summary: Race condition between updating ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070114
*** HPSBMU03071 rev.1 - HP Autonomy IDOL, Running OpenSSL, Remote Unauthorized Access, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Autonomy IDOL. The vulnerability could be exploited to allow remote unauthorized access and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Moodle rubric/advanced grading cross-site scripting ***
---------------------------------------------
Moodle rubric/advanced grading cross-site scripting
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94724
*** OleumTech WIO Family Vulnerabilities ***
---------------------------------------------
Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified multiple vulnerabilities in OleumTech's WIO family including the sensors and the DH2 data collector. The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-202-01
*** Bugtraq: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532857
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-07-2014 18:00 − Monday 21-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Little Signature That Could: The Curious Case of CZ Solution ***
---------------------------------------------
Malware authors are always looking for new ways to masquerade their actions. Attackers are looking for their malware to be not only fully undetectable, but also appear valid on a system, so as not to draw attention. Digital signatures are...
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/07/the-little-signature-that-cou…
*** Keeping the RATs out: the trap is sprung - Part 3, (Sat, Jul 19th) ***
---------------------------------------------
As we bring our three-part series on RAT tools suffered upon our friends at Hazrat Supply, we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PE DLL but renamed to .cc3 to hide on the system like a CueCards Professional database file. Based on the TrendMicro writeup on this family, the backdoor drops four files, including %Program Files%\%SESSIONNAME%\{random characters}.cc3 This...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18415&rss
*** Top 10 Common Database Security Issues ***
---------------------------------------------
Introduction: The database typically contains the crown jewels of any environment; it usually holds the most business-sensitive information, which is why it is a high-priority target for any attacker. The purpose of this post is to create awareness among database administrators and security managers about some of the areas on which it is important to focus when implementing a new database or hardening the security of an existing one.
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/top-10-common-database-security-is…
*** Smart Meter Attack Scenarios ***
---------------------------------------------
In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users. At their heart, a smart meter is simply... a computer. Let's look at our existing computers - whether they are PCs, smartphones, tablets, or embedded devices. Similarly, these...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/smart-meter-atta…
*** Attacks on web servers via the WordPress plugin MailPoet ***
---------------------------------------------
Servers are currently being systematically hijacked through a recently discovered security vulnerability. Anyone who has not yet installed the update released at the beginning of July should do so urgently.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-Web-Server-via-Wordpress-…
*** Home router security to be tested in upcoming hacking contest ***
---------------------------------------------
Researchers are gearing up to hack an array of different home routers during a contest next month at the Defcon 22 security conference. The contest is called SOHOpelessly Broken - a nod to the small office/home office space targeted by the products - and follows a growing number of large scale attacks this year against routers and other home embedded systems.
---------------------------------------------
http://www.cio.com/article/2455981/home-router-security-to-be-tested-in-upc…
*** Security researcher points to "backdoors" in iOS ***
---------------------------------------------
Undocumented system services in iOS make it easy for attackers to read out user data once the iPhone or iPad has been locally paired with a desktop computer, explains Jonathan Zdziarski, who is hoping for a response from Apple.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsforscher-weist-auf-Hintertu…
*** Call for last-minute papers for VB2014 announced ***
---------------------------------------------
Seven speaking slots waiting to be filled with presentations on hot security topics.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_21.xml?rss
*** Heartbleed threatens critical industrial control systems ***
---------------------------------------------
More than three months after the massive security vulnerability became known, numerous Siemens systems are still unprotected.
---------------------------------------------
http://futurezone.at/digital-life/heartbleed-bedroht-kritische-industrie-ko…
*** VMSA-2014-0006.8 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** EMC RecoverPoint Internal Firewall Ruleset Error Lets Remote Users Bypass the Firewall ***
---------------------------------------------
http://www.securitytracker.com/id/1030608
*** DSA-2981 polarssl ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2981
*** DSA-2982 ruby-activerecord-3.2 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2982
*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** VU#688812: Huawei E355 contains a stored cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#688812: Huawei E355 contains a stored cross-site scripting vulnerability
Original Release date: 21 Jul 2014 | Last revised: 21 Jul 2014
Overview: The Huawei E355 built-in web interface contains a stored cross-site scripting vulnerability.
Description: Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network. CWE-79: Improper...
---------------------------------------------
http://www.kb.cert.org/vuls/id/688812
*** Bugtraq: CVE-2014-4326 Remote command execution in Logstash zabbix and nagios_nsca outputs. ***
---------------------------------------------
Vendor: Elasticsearch
Product: Logstash
CVE: CVE-2014-4326
Affected versions: Logstash 1.0.14 through 1.4.1
---------------------------------------------
http://www.securityfocus.com/archive/1/532841
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-07-2014 18:00 − Friday 18-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SQL Injection Vulnerability - vBulletin 5.x ***
---------------------------------------------
The vBulletin team just released a security patch for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 to address a SQL injection vulnerability on the member list page. Every vBulletin user needs to upgrade to the latest version ASAP. vBulletin is a very popular forum software used on more than ..
---------------------------------------------
http://blog.sucuri.net/2014/07/sql-injection-on-vbulletin-5-x.html
*** Siemens OpenSSL Vulnerabilities ***
---------------------------------------------
Siemens has identified four vulnerabilities in its OpenSSL cryptographic software library affecting several Siemens industrial products. Updates are available for APE 2.0.2 and WinCC OA (PVSS). The ROX 1, ROX 2, S7-1500, and CP1543-1 products do not have a patch at this time; however, Siemens has made mitigation recommendations. Siemens is continuing to work on patching these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-03
*** Cogent DataHub Code Injection Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT has become aware of a code injection vulnerability affecting the Cogent DataHub application produced by Cogent Real-Time Systems, Inc. (hereafter referred to as Cogent). Security researcher John Leitch reported this vulnerability to the Zero Day Initiative (ZDI), who then reported it directly to Cogent. Successful exploitation of this vulnerability could allow remote execution of arbitrary code.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-01
*** Advantech WebAccess Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received a report from the Zero Day Initiative (ZDI) concerning vulnerabilities affecting the Advantech WebAccess application. These vulnerabilities were reported to ZDI by security researchers Dave Weinstein, Tom Gallagher, John Leitch, and others. Advantech has produced an updated software version that mitigates these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-02
*** Mitigating UAF Exploits with Delay Free for Internet Explorer ***
---------------------------------------------
After introducing the 'isolated heap' in the June security patch for Internet Explorer, Microsoft has once again introduced several improvements in the July patch for Internet Explorer. The most interesting and smart improvement is one which we will call 'delay free.' This improvement is designed to mitigate Use After Free (UAF) vulnerability exploits ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-uaf-e…
*** DSA-2979 fail2ban ***
---------------------------------------------
Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts that cause multiple authentication errors. When using Fail2ban to monitor Postfix or Cyrus IMAP logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, resulting in denial of service.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2979
*** Bugtraq: Microsoft MSN HBE - Blind SQL Injection Vulnerability ***
---------------------------------------------
A boolean-based blind SQL injection web vulnerability has been detected in the official MSN (habitos.be.msn.com) web application service. The vulnerability allows remote attackers to inject their own SQL commands to compromise the affected ..
---------------------------------------------
http://www.securityfocus.com/archive/1/532830
*** Critroni Crypto Ransomware Seen Using Tor for Command and Control ***
---------------------------------------------
There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say ..
---------------------------------------------
http://threatpost.com/critroni-crypto-ransomware-seen-using-tor-for-command…
*** LibreSSL: Linux and OpenBSD developers get their act together ***
---------------------------------------------
The problems encountered in porting LibreSSL to other platforms such as Linux show how OpenSSL could become such a security nightmare. And that nightmare is far from over.
---------------------------------------------
http://www.heise.de/security/meldung/LibreSSL-Linuxer-und-OpenBSDler-raufen…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-07-2014 18:00 − Thursday 17-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critical security vulnerability endangers Cisco routers and modems ***
---------------------------------------------
Nine Cisco consumer routers and cable modems are susceptible to a critical vulnerability that allows attackers from the network to hijack the device. German providers also deploy the affected models.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecke-gefaehrdet…
*** Cisco Wireless Residential Gateway Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscos…
*** Cisco Cable Modem Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can send a specially crafted HTTP request to the target device to trigger a buffer overflow and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030598
*** Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-236/
*** Additional information on the interview in Der Standard ***
---------------------------------------------
Additional information on the interview in Der Standard, 16 July 2014. We are (almost) always pleased when we are quoted in the media, since that way we reach a much broader audience than through our direct channels alone (website, RSS, mail, Twitter). The catch: interviews usually have to happen quickly, journalists work to hard daily deadlines, and on paper there is limited space and no hyperlinks. So I want to give some context here on the interview that ..
---------------------------------------------
http://www.cert.at/services/blog/20140716101643-1199.html
*** SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. (Denial of Service, Cross Site Scripting, Access Bypass)
---------------------------------------------
https://www.drupal.org/SA-CORE-2014-003
*** SA-CONTRIB-2014-071 - FileField - Access bypass ***
---------------------------------------------
A vulnerability was discovered in the FileField third-party module that could allow attackers to gain access to private files.
---------------------------------------------
https://www.drupal.org/node/2304561
*** Barely introduced, already changed: Apple improves iCloud mail encryption ***
---------------------------------------------
Only a few days after introducing transport encryption for Apple's iCloud mail services, the company is already making improvements. At least some servers now meet current requirements for good encryption.
---------------------------------------------
http://www.heise.de/security/meldung/Kaum-eingefuehrt-schon-umgestellt-Appl…
*** Pushdo Trojan outbreak: 11 THOUSAND systems infected in just 24 hours ***
---------------------------------------------
A wave of attacks by cybercrooks pushing a new variant of the resilient Pushdo Trojan has compromised more than 11,000 systems in just 24 hours.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/17/pushdo_troj…
*** Paper: Mayhem - a hidden threat for *nix web servers ***
---------------------------------------------
New kind of malware has the functions of a traditional Windows bot, but can act under restricted privileges in the system.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_17.xml
*** Havex, It's Down With OPC ***
---------------------------------------------
FireEye recently analyzed the capabilities of a variant of Havex (referred to by FireEye as 'Fertger' or 'PEACEPIPE'), the first publicized malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in ..
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/07/havex-its-dow…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-07-2014 18:00 − Wednesday 16-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SSL Black List Aims to Publicize Certificates Associated With Malware ***
---------------------------------------------
Malware and botnet operators are always adapting their tactics, trying to stay a step or two ahead of defensive technologies and techniques. One of the methods many attackers have adopted is using SSL to communicate with the infected machines they control, and a researcher has started a new ..
---------------------------------------------
http://threatpost.com/ssl-black-list-aims-to-publicize-certificates-associa…
*** Early Review of LibreSSL Finds Problematic PRNG ***
---------------------------------------------
A critical vulnerability was reported in the random number generator in LibreSSL, a fork of OpenSSL. LibreSSL preview versions were released this weekend.
---------------------------------------------
http://threatpost.com/early-review-of-libressl-finds-problematic-prng/107239
*** Critical Patch Update - July 2014 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
*** About Two Recently Patched IBM DB2 LUW Vulnerabilities ***
---------------------------------------------
IBM recently released patches for three security vulnerabilities affecting various versions of DB2 for Linux, Unix and Windows. This post will explore some more technical details of two of these vulnerabilities (CVE-2014-0907 and CVE-2013-6744) to help database administrators assess the risk of ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/about-two-ibm-db2-luw-vulnerabilities-pa…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix ..
---------------------------------------------
http://support.citrix.com/article/CTX140984
*** Elipse E3 Scada PLC Denial Of Service ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070083
*** [2014-07-16] Multiple SSRF vulnerabilities in Alfresco Community Edition ***
---------------------------------------------
The Alfresco Community Edition Server is prone to multiple Server Side Request Forgery vulnerabilities allowing access to internal resources for an unauthenticated attacker.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** HP Data Protector, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP Data Protector. This vulnerability could be remotely exploited to execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** [2014-07-16] Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client" ***
---------------------------------------------
Remote attackers can execute arbitrary code and execute other attacks on computers with the OpenVPN Access Server "Desktop Client" installed.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-16] Multiple critical vulnerabilities in Bitdefender GravityZone ***
---------------------------------------------
Attackers are able to completely compromise the Bitdefender GravityZone solution as they can gain system and database level access.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Vulnerability in Symfony: W0rm hacks Cnet ***
---------------------------------------------
The Russian hacker group W0rm has gained access to the servers of the news website Cnet. The hackers want to sell the database of user data for the symbolic sum of one bitcoin.
---------------------------------------------
http://www.golem.de/news/schwachstelle-in-symfony-w0rm-hackt-cnet-1407-1079…
*** Common Misconceptions IT Admins Have on Targeted Attacks ***
---------------------------------------------
In our efforts around addressing targeted attacks, we often work with IT administrators from different companies in dealing with threats against their network. During these collaborations, we've recognized certain misconceptions that IT administrators - or perhaps enterprises in general - have in terms of targeted attacks. I will cover some of them in this ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/common-misconcep…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-07-2014 18:00 − Tuesday 15-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Introduction to Smart Meters ***
---------------------------------------------
While wearable personal technology may be the most 'public' face of the Internet of Everything, the most widespread use of it may be in smart meters. What is a smart meter, exactly? It's a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/introduction-to-…
*** Disclosure: Insecure Nonce Generation in WPtouch ***
---------------------------------------------
If you use the popular WPtouch plugin (5m+ downloads) on your WordPress website, you should update it immediately. During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in ..
---------------------------------------------
http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wpto…
*** Five Year Old Phishing Campaign Unveiled ***
---------------------------------------------
Details have been disclosed on a five-year-old phishing campaign wherein attackers have pilfered victims' login credentials from Google, Yahoo, Facebook, Dropbox and Skype.
---------------------------------------------
http://threatpost.com/five-year-old-phishing-campaign-unveiled/107197
*** OpenVPN PrivateTunnel ptservice privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94482
*** HP StoreVirtual Bugs Let Remote Users Obtain Information and Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030567
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, formerly known ..
---------------------------------------------
http://support.citrix.com/article/CTX140863
*** iCloud mail delivery now encrypted too ***
---------------------------------------------
As one of the last big mail providers, Apple has now enabled protection of mail transport against simple eavesdropping. The methods used, however, leave much to be desired.
---------------------------------------------
http://www.heise.de/security/meldung/iCloud-Mail-Versand-jetzt-auch-verschl…
*** OpenCart <= 1.5.6.4 (cart.php) PHP Object Injection Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070078
*** Oracle on the future of Java 7 under Windows XP ***
---------------------------------------------
Java 7 will receive security updates until at least April 2015. All further releases of the second-to-last Java version up to that point will also continue to work with Windows XP, which is no longer officially supported by Microsoft.
---------------------------------------------
http://www.heise.de/security/meldung/Oracle-zur-Zukunft-von-Java-7-unter-Wi…
*** The 'Forbidden' Apple: App Stores and the Illusion of Control Part I ***
---------------------------------------------
There is no doubt we truly live in an 'App Economy.' From personal to professional, we direct and live our lives through our smart phones. But while we enjoy the latest games, stream the latest content or catch up on our friends' activities, few think ..
---------------------------------------------
http://research.zscaler.com/2014/07/the-forbidden-apple-app-stores-and.html
*** And the mice will 'Play': App Stores and the Illusion of Control Part II ***
---------------------------------------------
In the last blog, we began analyzing what we've termed the 'App Dichotomy' of the App Economy - the fact that we are at least as much the consumed as we are the consumer. Our goal was to analyze popular apps from Apple's App Store and Google Play to ..
---------------------------------------------
http://research.zscaler.com/2014/07/and-mice-will-play-app-stores-and.html
*** Project Zero: Google builds up Internet security team ***
---------------------------------------------
With full-time developers in Project Zero, Google, which until now has pursued security research only as a side activity, wants to make the Internet safer and help the politically persecuted.
---------------------------------------------
http://www.golem.de/news/project-zero-google-baut-internet-sicherheitsteam-…
*** New Kronos Banking Malware Advertised On Russian Forums ***
---------------------------------------------
Researchers have spotted a new banking Trojan advertised for sale on Russian forums. Kronos promises features that help it evade detection and analysis, such as a Ring3 rootkit.
---------------------------------------------
http://threatpost.com/new-kronos-banking-malware-advertised-on-russian-foru…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-07-2014 18:00 − Monday 14-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Oracle to release 115 security patches ***
---------------------------------------------
Oracle is planning to release 115 security patches for vulnerabilities affecting a wide array of its products, including its flagship database, Java SE, Fusion Middleware and business applications. The update includes fixes for 20 weaknesses in Java SE, all of which can be exploited by an attacker remotely, without the need for login credentials, ..
---------------------------------------------
http://www.cio.com/article/2453362/oracle-to-release-115-security-patches.h…
*** VU#917348: Datum Systems satellite modem devices contain multiple vulnerabilities ***
---------------------------------------------
The Datum Systems SnIP operating system on PSM-4500 and PSM-500 satellite modem devices has FTP enabled by default with no credentials required, which allows open access to sensitive areas of the file system. A remote unauthenticated attacker may be able to gain full control of the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/917348
*** Cisco ASA CIFS Share Enumeration Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the WebVPN Common Internet File System (CIFS) access function of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to trigger a reload of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Juniper Junos Unspecified Command Line Interface Flaw Lets Local Users Gain Root Privileges ***
---------------------------------------------
A local user on the command line interface can invoke certain combinations of commands to gain root privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030559
*** Dell Sonicwall Scrutinizer 11.01 Code Execution / SQL Injection ***
---------------------------------------------
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up in remote code execution. An attacker needs to be authenticated, but not as an administrator. However, that wouldn't stop anyone, since there is also a privilege escalation vulnerability in that ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070065
*** Schrack MICROCONTROL XSS / Disclosure / Weak Default Password ***
---------------------------------------------
The Microcontrol emergency light system, distributed by Schrack Technik GmbH, is a self-contained emergency light system which is configurable over a web interface. Through the vulnerabilities described in this advisory, an attacker can reconfigure the whole emergency light system without authentication. Furthermore, he can perform attacks..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070067
*** 'Gameover' malware returns from the dead ***
---------------------------------------------
In early June 2014, an internationally co-ordinated law enforcement effort against the criminals behind the infamous Gameover malware pretty much wiped out their botnet altogether. Bad news - it looks as though Gameover is back...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/13/gameover-malware-returns-from-th…
*** Popular password protection programs p0wnable ***
---------------------------------------------
LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword all flawed. Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/14/popular_web…
*** Beware Keyloggers at Hotel Business Centers ***
---------------------------------------------
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
---------------------------------------------
http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-cent…
*** The Internet of Things: How do you "on-board" devices?, (Mon, Jul 14th) ***
---------------------------------------------
Certified pre-pw0ned devices are nothing new. We talked years ago about USB picture frames that came with malware pre-installed. But for the most part, the malware was added to the device accidentally, or for example by customers who later returned the device just to have it resold without adequately resetting/wiping the device. But more recently, more evidence emerged that ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18387&rss
*** Encryption: LibreSSL leaves the nest ***
---------------------------------------------
The developers of the OpenSSL fork LibreSSL have released the first version of their software that supports platforms other than OpenBSD. With this, the SSL library is setting out to become a real alternative to the Heartbleed-plagued OpenSSL.
---------------------------------------------
http://www.heise.de/security/meldung/Verschluesselung-LibreSSL-wird-fluegge…
*** Understanding Ransomware ***
---------------------------------------------
Our Cyber Defence Operations team, led by David Cannings, has published a new whitepaper on understanding ransomware. It looks at the impact, evolution and defensive strategies that can be employed by organisations. While the paper is primarily focused on Microsoft Windows due to the historic ..
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/understanding-ransomware/
*** VU#204988: Kaseya's agent driver contains NULL pointer dereference ***
---------------------------------------------
Kaseya's agent driver, kapfa.sys, is vulnerable to a NULL pointer dereference. A local authenticated attacker may be able to crash the application, thereby causing a denial of service. Kaseya has ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/204988
*** WordPress Download Manager 2.6.8 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070062
*** Shopizer 1.1.5 Code Execution / XSS / CSRF / Data Manipulation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070066
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-07-2014 18:00 − Friday 11-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Finding the Clowns on the Syslog Carousel, (Thu, Jul 10th) ***
---------------------------------------------
So often I see clients faithfully logging everything from the firewalls, routers and switches - taking terabytes of disk space to store it all. Sadly, the interaction after the logs are created is often simply to make sure that the partition doesn't fill up - either old logs are just deleted, or each month logs are burned to DVD and filed away. The comment I often get is that log entries are complex, and that the sheer volume of information makes it impossible to make sense of it.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18373&rss
*** Security Advisory 2982792 released, Certificate Trust List updated ***
---------------------------------------------
Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates. These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties. With this update, most customers will be automatically protected against this issue and will not need to take any action. If you do not have automatic updates enabled, or if you are on Windows Server...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/07/10/security-advisory-298279…
*** Weekly Metasploit Update: Another Meterpreter Evasion Option ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/07/10/weekly-me…
*** Website Malware - Mobile Redirect to BaDoink Porn App ***
---------------------------------------------
A few weeks ago we reported that we were seeing a huge increase in the number of web sites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/pAisQqonxQM/website-malware-m…
*** VU#712660: Raritian PX power distribution software is vulnerable to the cipher zero attack. ***
---------------------------------------------
Vulnerability Note VU#712660: Raritian PX power distribution software is vulnerable to the cipher zero attack.
Original Release date: 10 Jul 2014 | Last revised: 10 Jul 2014
Overview: Raritan PX power distribution software version 01.05.08 and previous running on a model DPXR20A-16 device allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
Description: CWE-287: Improper Authentication -
---------------------------------------------
http://www.kb.cert.org/vuls/id/712660
*** Oracle Critical Patch Update - July 2014 - Pre-Release Announcement ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
*** Cisco ASA Filter and Inspect Overlap Denial of Service Vulnerability ***
---------------------------------------------
CVE-2013-5567
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Adobe Flash: The most INSECURE program on a UK user's PC ***
---------------------------------------------
XML a weak spot, but nothing's as dire as Adobe player. Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/10/secunia_pc_…
*** Crooks Seek Revival of "Gameover Zeus" Botnet ***
---------------------------------------------
Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/yLU9-y_8J-k/
*** VMSA-2014-0006.7 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** DSA-2976 eglibc ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2976
*** osCommerce 2.3.4 - Multiple vulnerabilities ***
---------------------------------------------
Topic: osCommerce 2.3.4 - Multiple vulnerabilities
Risk: Medium
Text: #Title: osCommerce 2.3.4 - Multiple vulnerabilities #Date: 10.07.14 #Affected versions: => 2.3.4 (latest atm) #Vendor: oscom...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070059
*** C99 Shell Authentication Bypass via Backdoor ***
---------------------------------------------
Topic: C99 Shell Authentication Bypass via Backdoor
Risk: Medium
Text: # Exploit Title: C99 Shell Authentication Bypass via Backdoor # Google Dork: inurl:c99.php # Date: June 23, 2014 # Exploit A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070057
*** Exploit emerges for LZO algo hole ***
---------------------------------------------
Take one Nyan Cat, add Firefox and hope your Linux distro has been patched. Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2 media player and says it could leave some Linuxes vulnerable to attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/11/firefox_lzo…
*** Microsoft withdraws trust from Indian CA ***
---------------------------------------------
As a consequence of the fraudulently issued Google certificates, Microsoft has placed the affected sub-CAs on the revocation list. In addition, the full extent of the incident became known: 45 domains are affected, including some belonging to Yahoo.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-entzieht-Indischer-CA-das-Ve…
*** Lack of Certificate Pinning Exposes Encrypted iOS Gmail App Communication ***
---------------------------------------------
Google has failed to implement certificate pinning in its official iOS Gmail application, which could enable Man-in-the-Middle attacks exposing encrypted user communications.
---------------------------------------------
http://threatpost.com/lack-of-certificate-pinning-exposes-encrypted-ios-gma…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-07-2014 18:00 − Thursday 10-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MSRT July 2014 - Caphaw ***
---------------------------------------------
This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT). Caphaw is a malware family that can be used by criminals to gain access to your PC - the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013. [Figure 1: Caphaw encounters] Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/07/08/msrt-july-2014-caphaw.as…
*** International Authorities Take Down Shylock Banking Malware ***
---------------------------------------------
Europol announced today that it, along with international law enforcement and industry partners, conducted a successful takedown of the infrastructure supporting the Shylock banking malware.
---------------------------------------------
http://threatpost.com/international-authorities-take-down-shylock-banking-m…
*** Certificate Errors in Office 365 Today, (Thu, Jul 10th) ***
---------------------------------------------
It looks like there's a mis-assignment of certificates today at Office 365. After login, the redirect to portal.office.com reports the following error: portal.office.com uses an invalid security certificate. The certificate is only valid for the following names: *.bing.com, *.platform.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, ecn.dev.virtualearth.net, *.cn.bing.net, *.cn.bing.com, *.ssl.bing.com,
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18371&rss
*** ZDI-14-224: (0Day) Embarcadero ER/Studio Data Architect TSVisualization ActiveX loadExtensionFactory Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Embarcadero ER/Studio Data Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-224/
*** SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-069
Project: LoginToboggan (third-party module)
Version: 7.x
Date: 2014-July-09
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass
Description: This module enables you to customise the standard Drupal registration and login processes.
Cross Site Scripting: The module doesn't filter user-supplied information from the URL, resulting in a reflected Cross Site Scripting (XSS) vulnerability.
Access Bypass: The module
---------------------------------------------
https://www.drupal.org/node/2300369
*** Cisco WebEx Meetings Client Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Manager DNA Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products ***
---------------------------------------------
cisco-sa-20140709-struts2
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Infoblox NetMRI Input Validation Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030541
*** [2014-07-10] Multiple critical vulnerabilities in Shopizer webshop ***
---------------------------------------------
The webshop software Shopizer is affected by multiple critical vulnerabilities. Attackers are able to completely compromise the system through arbitrary code execution or manipulate product prices or customer data.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Multiple high risk vulnerabilities in Shopizer webshop ***
---------------------------------------------
The webshop software Shopizer is affected by multiple high risk vulnerabilities. Attackers are able to bypass authentication / authorization and access invoice data of other customers.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Multiple critical vulnerabilities in Schrack MICROCONTROL emergency light system ***
---------------------------------------------
Unauthenticated attackers are able to reconfigure the Schrack MICROCONTROL emergency light system by accessing the file system via telnet or FTP. Furthermore, a weak default password can be exploited.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-07-10] Design Issue / Password Disclosure in WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu ***
---------------------------------------------
The vulnerability in WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu enables an attacker to extract all the configured passwords without authentication. The attacker can use the extracted passwords to access the WebVisu and control the system.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Vulnerability in Citrix XenDesktop could result in unauthorized access to another user's desktop ***
---------------------------------------------
Severity: High
Description of Problem: A vulnerability has been identified in Citrix XenDesktop that could result in a user gaining unauthorized interactive access to another user's desktop.
---------------------------------------------
http://support.citrix.com/article/CTX139591
*** HPSBMU03070 rev.1 - HP Cloud Service Automation, OpenSSL Vulnerability, Unauthorized Access, Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Cloud Service Automation. The vulnerability could be exploited to allow unauthorized access and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU03069 rev.1 - HP Software Operation Orchestration, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Software Operation Orchestration. The vulnerabilities could be exploited to allow remote code execution, denial of service (DoS) and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vuln: PHP unserialize() Function Type Confusion Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68237
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-07-2014 18:00 − Wednesday 09-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** "Weaponized" exploit can steal sensitive user data on eBay, Tumblr, et al. ***
---------------------------------------------
Google and Twitter already patched against potent "Rosetta Flash" attack.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B_J-82SKyS4/
*** Who owns your typo?, (Wed, Jul 9th) ***
---------------------------------------------
Here's one way to get at sensitive data that seems to be making a comeback. Already in the olden days, it was popular with the crooks to register domain names that only differed by a typo from the name of a legitimate high-traffic site. Googl.com, for example. The crooks would then run web pages with lots of advertisements on these domains, and live happily ever after from the ad revenue that the misdirected typo traffic alone brought their way. Google put a stop to this by registering, for
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18363&rss
*** Exploiting IoT technologies ***
---------------------------------------------
How many Internet of Things (IoT) devices do you have? From smart TVs to coffee machines, these devices are becoming more and more popular in both homes and offices. A team of researchers at NCC Group, led by technical director, Paul Vlissidis, conducted research into a number of IoT devices and looked at some of the ways that an attacker could exploit them. The team, which also consisted of Pete Beck and Felix Ingram, principal consultants, conducted a live demonstration which explored the
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/07/exploiting-iot-technologies/
*** Who inherits your IP address?, (Wed, Jul 9th) ***
---------------------------------------------
Somewhat similar to the typo squatting story earlier, the recent proliferation of cloud service usage by enterprises has led to a new problem. For a project at a community college, we needed a couple of servers, and didn't want (or have the funds) to build them on-site. In view of the limited duration of the experiment, we decided to "rent" the boxes as IaaS (infrastructure as a service) devices from two "cloud" providers. So far, all went well. But when we brought the instances
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18365&rss
*** Yahoo Patches Bugs in Mail, Messenger, Flickr ***
---------------------------------------------
Yahoo recently fixed a trio of remotely exploitable vulnerabilities in its services that could have let attackers execute a handful of nefarious tricks.
---------------------------------------------
http://threatpost.com/yahoo-fixes-trio-of-bugs-in-mail-messenger-flickr/107…
*** Trojan:W32/Lecpetex: Bitcoin miner spreading via FB messages ***
---------------------------------------------
In early March this year, while investigating various threats as part of our Facebook malware cleanup effort, we ran across an interesting one that was spreading in zipped files attached to messages. The messages themselves were classic social engineering bait that led the users to install the executable file in the attachment, which turned out to be a Bitcoin miner, which we identify as Trojan:W32/Lecpetex. Some of the more interesting details of our analysis are presented in our Lecpetex
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002725.html
*** India issued fraudulent Google certificates ***
---------------------------------------------
Once again there has been a serious incident at an issuer of SSL certificates: the state-run CA of India issued, among others, certificates for Google services. These are suitable for eavesdropping on SSL traffic.
---------------------------------------------
http://www.heise.de/security/meldung/Indien-stellte-falsche-Google-Zertifik…
*** DPAPI vulnerability allows intruders to decrypt personal data ***
---------------------------------------------
Passcape Software has discovered a DPAPI vulnerability that could potentially lead to unauthorized decryption of personal data and passwords of interactive domain users. The vulnerability is present in all Windows Server operating systems.
---------------------------------------------
http://www.net-security.org/secworld.php?id=17094
*** ATTACK of the Windows ZOMBIES on point-of-sale terminals ***
---------------------------------------------
Infosec bods infiltrate botnet, uncover crap password security. Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/09/botnet_brut…
*** Security updates available for Adobe Flash Player (APSB14-17) ***
---------------------------------------------
July 8, 2014
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1108
*** MS14-JUL - Microsoft Security Bulletin Summary for July 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUL
*** Assessing risk for the July 2014 security updates ***
---------------------------------------------
Today we released six security bulletins addressing 29 unique CVEs. Two bulletins have a maximum severity rating of Critical, three have maximum severity Important, and one is Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/07/08/assessing-risk-for-the-ju…
*** VMSA-2014-0006.6 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Cisco Small Business SPA300 and SPA500 Series IP Phones Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2014-3313
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Yokogawa Centum Buffer Overflow Vulnerability ***
---------------------------------------------
Advisory Document
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-189-01
*** DSA-2974 php5 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2974
*** DSA-2973 vlc ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2973
*** HPSBMU03065 rev.1 - HP Operations Analytics, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Operations Analytics. The vulnerability could be exploited to allow remote code execution, denial of service (DoS) and disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** ABB Relion 650 Series OpenSSL Vulnerability (Update A) ***
---------------------------------------------
Advisory Document
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-126-01A
*** Cisco IOS Software and Cisco IOS XE Software NTP Access Group Vulnerability ***
---------------------------------------------
CVE-2014-3309
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-14:17.kmem ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532698
*** Juniper Security Bulletins ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10634&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10633&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10638&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10637&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10641&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10635&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10613&actp=RSS
http://kb.juniper.net/index?page=content&id=JSA10640&actp=RSS
*** IBM Security Bulletin: IBM InfoSphere Guardium System x/Flex Systems appliances are affected by vulnerabilities in OpenSSL ***
---------------------------------------------
IBM InfoSphere Guardium System x/Flex Systems appliances are affected by vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470) Security vulnerabilities have been discovered in OpenSSL. CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470 and CVE-2014-5298 Affected product(s) and affected version(s): Hardware versions affected: InfoSphere Guardium Collector X1000 InfoSphere
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Rational Systems Tester is affected by Libxml2 vulnerability (CVE-2014-0191) ***
---------------------------------------------
A denial-of-service vulnerability has been discovered in Libxml2 that was reported on May 09, 2014. CVE(s): CVE-2014-0191 Affected product(s) and affected version(s): Rational Systems Tester 3.3, 3.3.0.1, 3.3.0.2, 3.3.0.3, 3.3.0.4, 3.3.0.5, 3.3.0.6, 3.3.0.7 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21678183 X-Force Database: http://xforce.iss.net/xforce/xfdb/93092
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-07-2014 18:00 − Tuesday 08-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Multi Platform *Coin Miner Attacking Routers on Port 32764, (Mon, Jul 7th) ***
---------------------------------------------
Thanks to reader Gary for sending us in a sample of a *Coin miner that he found attacking Port 32764. Port 32764 was recently found to offer yet another backdoor on Sercomm equipped devices. We covered this backdoor before [1]. The bot itself appears to be a variant of the "zollard" worm seen before by Symantec [2]. Symantec's writeup describes the worm as attacking a php-cgi vulnerability, not the Sercomm backdoor. But this worm has been seen using various exploits. Here some quick,...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18353&rss
*** When Adware Goes Bad: The Installbrain and Sefnit Connection ***
---------------------------------------------
"Monetize On Non-buyers" is the bold motto of InstallBrain-adware that turns out to have been developed by an Israeli company called iBario Ltd. This motto clearly summarizes the potential risks adware companies can introduce to users, especially when they install stuff on...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/nRXcb4Udr5o/
*** IEEE expands malware initiatives ***
---------------------------------------------
Clearing-house for software metadata. Standards body the IEEE has launched two new anti-malware initiatives designed to help software and security vendors spot malware that's been inserted into other software, and improve the performance of malware detection by cutting down on false positives.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/08/ieee_expand…
*** NTT Group 2014 Global Threat Intelligence Report ***
---------------------------------------------
The NTT Group 2014 Global Threat Intelligence Report (GTIR) emphasizes that the security basics, when done right, can be enough to mitigate and even avoid high-profile, costly data breaches altogether. Using statistics and real-world case studies, the report shows that combining threat avoidance and threat response capabilities into a strategic approach provides the best chance to reduce the impact of threats.
---------------------------------------------
http://www.solutionary.com/research/threat-reports/annual-threat-report/ntt…
*** Paper: VBA is not dead! ***
---------------------------------------------
Gabor Szappanos looks at the resurgence of malicious VBA macros that use social engineering to activate.
---------------------------------------------
http://www.virusbtn.com/news/2014/07_07.xml?rss
*** Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions ***
---------------------------------------------
A major vulnerability believed to be present in most versions of Android can allow malicious Android applications on the Android app store to make phone calls on a user's device, even when they lack the necessary permissions. The critical vulnerability was identified and reported to Google Inc. late last year by researchers from German security firm Curesec. The researchers believe the...
---------------------------------------------
http://thehackernews.com/2014/07/android-vulnerability-allows.html
*** Google Android / eduroam credentials ***
---------------------------------------------
On mobile devices running the Android operating system, the default configuration for the "CA certificate" option for WLAN connections is "unspecified". Concretely, this behaviour, which is documented as normal, means that certificate chain validation is completely disabled, i.e. any arbitrary certificate is accepted without further warning. To make matters worse,...
---------------------------------------------
https://www.dfn-cert.de/aktuell/Google-Android-Eduroam-Zugangsdaten.html
*** How not to tell your customers how much you care about their security ***
---------------------------------------------
We've written before about "what not to do" when sending emails to your customers. Here's another example, with an explanation of why doing the right thing will be better for everyone - including your marketing team! - in the long run.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/08/how-not-to-tell-your-customers-h…
*** Metadata against antivirus false positives ***
---------------------------------------------
The IEEE has launched a database for metadata of binaries. It provides information that lets a virus scanner determine unambiguously whether a file is benign.
---------------------------------------------
http://www.heise.de/security/meldung/Metadaten-gegen-Viren-Fehlerkennugen-2…
*** GKsu and VirtualBox Root Command Execution by Filename (CVE-2014-2943) ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbo…
*** Bugtraq: Backdoor access to Techboard/Syac devices ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532665
*** [remote] - Oracle Event Processing FileUploadServlet Arbitrary File Upload ***
---------------------------------------------
http://www.exploit-db.com/exploits/33989
*** Vuln: GitList CVE-2014-4511 Unspecified Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68253
*** Security Advisory-Apache Struts2 vulnerability on Huawei multiple products ***
---------------------------------------------
Jul 07, 2014 21:09
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Apple iTunes 11.2.2 Insecure Libraries ***
---------------------------------------------
Topic: Apple iTunes 11.2.2 Insecure Libraries Risk: High Text: Hi @ll, Apple's current iTunes 11.2.2 for Windows comes with the following COMPLETELY outdated and vulnerable 3rd party libr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070042
*** Apache Syncope Insecure Password Generation ***
---------------------------------------------
Topic: Apache Syncope Insecure Password Generation Risk: Medium Text: CVE-2014-3503: Insecure Random implementations used to generate passwords in Apache Syncope Severity: Major Vendor: The ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070039
*** Vuln: WordPress Easy Banners Plugin easy-banners.php Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68281
*** Vuln: WordPress Custom Banners Plugin options.php Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/68279
*** TYPO3 CMS 4.5.35, 6.1.10 and 6.2.4 released ***
---------------------------------------------
The TYPO3 Community announces the versions 4.5.35, 6.1.10 and 6.2.4 of the TYPO3 Enterprise Content Management System. All versions are maintenance releases and contain bug fixes.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-4535-6110-and-624-released/
*** HPSBGN03050 rev.1 - HP IceWall SSO Dfw and HP IceWall MCRP running OpenSSL, Remote Denial of Service (DoS), Code Execution, Security Restriction Bypass, Disclosure of Information, or Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP IceWall SSO Dfw and HP IceWall MCRP running OpenSSL. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS), execute code, allow unauthorized access, or disclose information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-07-2014 18:00 − Monday 07-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Self-signing custom Android ROMs ***
---------------------------------------------
The security model on the Google Nexus devices is pretty straightforward. The OS is (nominally) secure and prevents anything from accessing the raw MTD devices. The bootloader will only allow the user to write to partitions if it's unlocked. The recovery image will only permit you to install images that are signed with a trusted key. In combination, these facts mean that it's impossible for an attacker to modify the OS image without unlocking the bootloader[1], and unlocking the bootloader wipes
---------------------------------------------
http://mjg59.dreamwidth.org/31765.html
*** Java Support ends for Windows XP, (Sat, Jul 5th) ***
---------------------------------------------
Oracle is no longer supporting Java for Windows XP and will only support Windows Vista or later. Java 8 is not supported for Windows XP and users will be unable to install on their systems. Oracle warns "Users may still continue to use Java 7 updates on Windows XP at their own risk" [1]
[1] https://www.java.com/en/download/faq/winxp.xml
[2] http://www.oracle.com/us/support/library/057419.pdf
https://www.java.com/en/…
----------- Guy Bruneau IPSS Inc. gbruneau at
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18345&rss
*** Critical Vulnerability and Privacy LoopHole Found in RoboForm Password Manager ***
---------------------------------------------
Unless you are a human supercomputer, remembering passwords is not easy, especially if you have a different password for each site. But luckily, to make the whole process very easy, there is a growing market out there for password managers and lockers with extra layers of security. But, if you are using the mobile version of the most popular password manager from password management company
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/Ajpf8i6yTao/critical-vulne…
*** Two patches close SQL injection holes in Ruby on Rails ***
---------------------------------------------
Two fairly similar vulnerabilities allowed SQL injection on websites built on Ruby on Rails 2.0.0 to 3.1.18 as well as on 4.x. After several attempts, the Rails developers have now closed the holes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Zwei-Patches-schliessen-SQL-Injectio…
*** Malware Analysis with pedump, (Sat, Jul 5th) ***
---------------------------------------------
Are you looking for a tool to analyze Windows Portable Executable (PE) files? Consider using pedump, a Ruby Win32 PE binary file analyzer. It currently supports DOS MZ EXE, Win16 NE and Win32/64 PE. There are several ways to install the Ruby package; however, the simplest way is to execute "gem install pedump" from a Linux workstation. You can also download the file here or use the pedump website to upload your file for analysis. This example shows the output from the pedump website.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18347&rss
*** Industrial Control System Firms In Dragonfly Attack Identified ***
---------------------------------------------
chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Jr0QiFtg7lc/story01.htm
*** Coinbase wallet app in SSL/TLS SNAFU ***
---------------------------------------------
The popular Bitcoin wallet Coinbase has a security flaw in its Android apps which could allow an attacker to steal authentication codes and access users' accounts, according to a security researcher. Coinbase is far from alone in leaving its wallet app users vulnerable, so what should you do to stay safe when using mobile banking apps?
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/GsgGIYu7TA0/
*** The Rise of Thin, Mini and Insert Skimmers ***
---------------------------------------------
Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here's a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/8s5hQ323oMY/
*** Fridge hacked. Car hacked. Next up, your LIGHT BULBS ***
---------------------------------------------
So shall you languish in darkness - or under disco-style strobes - FOREVER. Those convinced that the emerging Internet of Things (IoT) will become a hackers' playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/07/wifi_enable…
*** Lawyers: Fake file-sharing cease-and-desist letters spread malware en masse ***
---------------------------------------------
Two well-known lawyers warn of fake cease-and-desist letters for illegal music downloads. The mass-mailed e-mails carry a zip file containing malicious code.
---------------------------------------------
http://www.golem.de/news/anwaelte-falsche-filesharing-abmahnung-verbreitet-…
*** IBM Security Bulletin: Multiple vulnerabilities exist in IMS Enterprise Suite SOAP Gateway (CVE-2014-0453, CVE-2013-4286, CVE-2013-4322) ***
---------------------------------------------
The IMS Enterprise Suite SOAP Gateway is affected by multiple vulnerabilities in IBM SDK, Java Technology Edition (April Update) and Apache Tomcat. CVE(s): CVE-2014-0453, CVE-2013-4286 and CVE-2013-4322 Affected product(s) and affected version(s): CVE ID: CVE-2014-0453 The SOAP Gateway component of the IMS Enterprise Suite versions 2.1, 2.2, 3.1. CVE ID: CVE-2013-4286 CVE ID: CVE-2013-4322 The SOAP Gateway component of the IMS Enterprise Suite versions 2.2, 3.1.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL vulnerabilities in IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** RealPlayer MP4 Memory Corruption Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030524
*** [webapps] - Netgear WNR1000v3 - Password Recovery Credential Disclosure Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/33984
*** VU#960193: AVG Secure Search ActiveX control provides insecure methods ***
---------------------------------------------
Vulnerability Note VU#960193 AVG Secure Search ActiveX control provides insecure methods Original Release date: 07 Jul 2014 | Last revised: 07 Jul 2014 Overview The AVG Secure Search toolbar includes an ActiveX control that provides a number of unsafe methods, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user. Description AVG Secure Search is a toolbar add-on for web browsers that "... provides an additional security layer while
---------------------------------------------
http://www.kb.cert.org/vuls/id/960193
*** Bugtraq: CVE-2014-3863 - Stored XSS in JChatSocial ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532662
*** WordPress Theme My Login for WordPress file include ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94160
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-07-2014 18:00 − Friday 04-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Intelligent Automation for Cloud Form Data Viewer information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94177
*** VU#143740: Netgear GS108PE Prosafe Plus Switch contains hard-coded login credentials ***
---------------------------------------------
Netgear GS108PE Prosafe Plus Switch contains hard-coded login credentials that can be used for authenticating to the web server running on the device. The username is ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/143740
*** MS14-JUL - Microsoft Security Bulletin Advance Notification for July 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUL
*** Phishing: iPhone 6 and iWatch as bait ***
---------------------------------------------
Attackers are currently exploiting the attention around upcoming Apple products to lure users to a fake Apple website. The look of the e-mail resembles official Apple communications.
---------------------------------------------
http://www.heise.de/security/meldung/Phishing-iPhone-6-und-iWatch-als-Lockm…
*** Security Bulletin: IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) Potential IPMI credentials Exposure (CVE-2014-0860) ***
---------------------------------------------
The administrative IPMI credentials for authenticating communications between the IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) are stored in plaintext within the AMM firmware binaries.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Dailymotion Compromised to Send Users to Exploit Kit ***
---------------------------------------------
Attackers made the popular video site redirect users to the Sweet Orange Exploit Kit. On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the ..
---------------------------------------------
http://www.symantec.com/connect/blogs/dailymotion-compromised-send-users-ex…
*** HP Universal Configuration Management Database Flaws Let Remote Users Obtain Information and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030518
*** "Phishing is turning from a rare occurrence into daily business" ***
---------------------------------------------
While more and more phishing websites are appearing, the tactics used are becoming ever more sophisticated. Victims are increasingly addressed personally.
---------------------------------------------
http://futurezone.at/digital-life/phishing-wird-vom-seltenen-anlass-zum-tag…
*** Miniduke is back: Nemesis Gemina and the Botgen Studio ***
---------------------------------------------
In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention. We believe it's time to uncover more information on their operations.
---------------------------------------------
https://www.securelist.com/en/blog/208214341/Miniduke_is_back_Nemesis_Gemin…
*** phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys ***
---------------------------------------------
In this post we will detail the phpinfo() type confusion vulnerability that we disclosed to PHP.net and show how it allows a PHP script to steal the private SSL key. We demonstrate this on an Ubuntu 12.04 LTS 32 bit default installation of PHP and mod_ssl. Unfortunately this kind of problem is not considered a security problem by PHP.net and therefore this security vulnerability does not have a CVE name assigned to it, yet.
---------------------------------------------
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 02-07-2014 18:00 − Thursday 03-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Multiple Vulnerabilities in Cisco Unified Communications Domain Manager ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Analysis of a New Banking Trojan Spammed by Cutwail ***
---------------------------------------------
The Cutwail spambot has a long history of sending spam with attached malicious files such as Zbot, Blackhole Exploit Kit and Cryptolocker. Another trick in Cutwail's portfolio is to use links pointing to popular file hosting services. Over the past weeks, we have observed spam that claims to be an unpaid invoice from ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/analysis-of-a-banking-trojan-spammed-by-…
*** Simple Javascript Extortion Scheme Advertised via Bing, (Wed, Jul 2nd) ***
---------------------------------------------
Thanks to our reader Dan for spotting this one. As of today, a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos". Once a user clicks on the link, the user is redirected to ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18337&rss
*** Multiple vulnerabilities in third-party Drupal modules ***
---------------------------------------------
https://www.drupal.org/node/2296783
https://www.drupal.org/node/2296511
https://www.drupal.org/node/2296495
*** New Android Malware HijackRAT Attacks Mobile Banking Users ***
---------------------------------------------
Cybercriminals have rolled out a new malicious Android application that wraps different varieties of banking fraud tricks into a single piece of advanced mobile malware.
---------------------------------------------
http://thehackernews.com/2014/07/new-android-malware-hijackrat-attacks.html
*** Exploring the Java vulnerability (CVE-2013-2465) used in the Fiesta EK ***
---------------------------------------------
While going through our daily analysis this month, we came across several Fiesta Exploit Kit attacks. Although this EK first emerged in August 2013, the authors have constantly updated their ..
---------------------------------------------
http://research.zscaler.com/2014/07/exploring-java-vulnerability-cve-2013.h…
*** Avast mistook crypto messenger for a Trojan ***
---------------------------------------------
Anyone supposedly infected with the Trojan "Android:Banker-BW" can, under certain circumstances, safely ignore the warning. The Avast virus scanner wrongly classified Moxie Marlinspike's crypto messenger TextSecure as malware.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-hielt-Krypto-Messenger-fuer-Troj…
*** Bugtraq: [security bulletin] HPSBMU03059 rev.1 - HP SiteScope, Remote Authentication Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532631
*** DynDNS service: Microsoft has returned domains to NoIP ***
---------------------------------------------
For days the DynDNS service NoIP has not been working for many customers, because the domains had been transferred to Microsoft and many requests went nowhere. Now Microsoft has returned the domains and the situation should normalize.
---------------------------------------------
http://www.heise.de/security/meldung/DynDNS-Dienst-Microsoft-hat-Domains-an…
*** VU#402020: Autodesk VRED contains an unauthenticated remote code execution vulnerability ***
---------------------------------------------
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection): Autodesk VRED Professional 2014 contains an unauthenticated remote code execution vulnerability. Autodesk VRED Professional 2014.
---------------------------------------------
http://www.kb.cert.org/vuls/id/402020
*** 8 Common Pitfalls of HeartBleed Identification and Remediation (CVE-2014-0160) ***
---------------------------------------------
Unfortunately, one of the biggest vulnerabilities disclosed this year, HeartBleed, has been inefficiently addressed and for some, already forgotten about. Plenty of details about the vulnerability already exist including our FAQ and ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/pitfalls-of-heartbleed-identification-an…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 01-07-2014 18:00 − Wednesday 02-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Microsoft Expands TLS, Forward Secrecy Support ***
---------------------------------------------
Microsoft announced TLS support on Outlook.com and that OneDrive cloud storage now supports Perfect Forward Secrecy.
---------------------------------------------
http://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965
*** Cisco Small Cell Command Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** DOWNAD Tops Malware Spam Source in Q2 2014 ***
---------------------------------------------
DOWNAD, also known as Conficker, remains one of the top 3 malware families affecting enterprises and small and medium businesses. This is attributed to the fact that a number of companies are still using Windows XP, which is susceptible to this threat. It can infect ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/downad-tops-malw…
*** VMSA-2014-0006.4 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families ***
---------------------------------------------
Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes…
*** MONSTER COOKIES can nom nom nom ALL THE BLOGS ***
---------------------------------------------
Blog networks can be force-fed more than they can chew. Giant cookies could be used to create a denial of service (DoS) on blog networks, says infosec researcher Bogdan Calin.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/02/monster_coo…
*** Transparency center: Microsoft grants authorities access to source code ***
---------------------------------------------
In a transparency center, Microsoft wants to give government agencies that fear code manipulation by foreign intelligence services the opportunity to examine the source code themselves.
---------------------------------------------
http://www.heise.de/security/meldung/Transparenzzentrum-Microsoft-gewaehrt-…
*** Anatomy of a buffer overflow - Google's "KeyStore" security module for Android ***
---------------------------------------------
Here's a cautionary tale about a bug, courtesy of IBM. Not that IBM had the bug, just to be clear: Google had the bug, and IBM researchers spotted it.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/02/anatomy-of-a-buffer-overflow-goo…
*** OpenSSL presents recovery plan ***
---------------------------------------------
After the Heartbleed disaster, the OpenSSL project has now published a roadmap intended to help fix organizational shortcomings in the development process.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-legt-Sanierungsplan-vor-224810…
*** Rig Exploit Kit Used in Recent Website Compromise ***
---------------------------------------------
Attackers planted code in a popular Web portal to redirect users to an exploit kit ..
---------------------------------------------
http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-c…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 30-06-2014 18:00 − Tuesday 01-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Microsoft Darkens 4MM Sites in Malware Fight ***
---------------------------------------------
Millions of Web sites were shuttered Monday morning after Microsoft executed a legal sneak attack against a malware network thought to be responsible for more than 7.4 million infections of Windows PCs worldwide.
---------------------------------------------
http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sites-in-malware-f…
*** Apple Releases Security Updates for OS X, Safari, iOS devices, and Apple TV ***
---------------------------------------------
Apple has released security updates for Mac OS X, Safari, iOS devices, and Apple TV to address multiple vulnerabilities, some of which could allow attackers to execute arbitrary code with system privileges or cause an unexpected application termination.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2014/07/01/Apple-Releases-Sec…
*** [2014-06-30] Multiple vulnerabilities in IBM Algorithmics RICOS ***
---------------------------------------------
By abusing multiple vulnerabilities in IBM Algorithmics RICOS, an attacker can take over other users' accounts and bypass authorization mechanisms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** JBoss Seam org.jboss.seam.web.AuthenticationFilter code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94090
*** ICS Focused Malware ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-178-01
*** CERT-Bund: Trojan victims change passwords, PCs remain infected ***
---------------------------------------------
An analysis of tens of thousands of compromised e-mail credentials shows that a considerable share of the victims do change their password, but quickly fall victim again, possibly because the computer was never disinfected.
---------------------------------------------
http://www.heise.de/security/meldung/CERT-Bund-Trojaner-Opfer-aendern-Passw…
*** [2014-07-01] Stored cross site scripting in EMC Documentum eRoom ***
---------------------------------------------
Due to improper input validation, EMC Documentum eRoom suffers from multiple stored cross-site scripting vulnerabilities, which allow an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Apple tests two-factor authentication on iCloud.com ***
---------------------------------------------
In future, access credentials are to be better protected on Apple's cloud portal as well. Yesterday the feature was briefly enabled.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-testet-Zwei-Faktor-Authentifizie…
*** Confusion over Microsoft's security newsletter ***
---------------------------------------------
Anyone who administers Windows machines appreciates Microsoft's Security Notifications newsletter. Last week the company announced it would discontinue it, only to reverse the decision shortly afterwards.
---------------------------------------------
http://www.heise.de/security/meldung/Verwirrung-um-Microsofts-Sicherheits-N…
*** Cyberspying Campaign Comes With Sabotage Option ***
---------------------------------------------
New research from Symantec spots US and Western European energy interests in the bulls eye, but the campaign could encompass more than just utilities.
---------------------------------------------
http://www.darkreading.com/vulnerabilities---threats/advanced-threats/cyber…
*** Geodo: New Cridex Version Combines Data Stealer and Email Worm ***
---------------------------------------------
Recent efforts by our Research Lab have revealed new activity related to Cridex. As you may recall, Cridex is a data stealer also referred to as Feodo and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method - effectively turning each bot in the botnet ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/geodo-new-cridex-version-combines-data…
*** Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters) ***
---------------------------------------------
Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required). This is a serious vulnerability. The MailPoet plugin (wysija-newsletters) ..
---------------------------------------------
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet…
*** IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) Potential IPMI credentials Exposure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90880
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 27-06-2014 18:00 − Monday 30-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** The Akamai State of the Internet Report ***
---------------------------------------------
The globally distributed Akamai Intelligent Platform delivers over 2 trillion Internet interactions and defends against multiple DDoS attacks each day. This provides us with unique visibility into Internet connection speeds, broadband adoption, mobile usage, outages, and attacks. Drawing ..
---------------------------------------------
http://www.akamai.com/stateoftheinternet/
*** OpenAFS Memory Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030459
*** 20-year-old compression algorithm flaw causes confusion ***
---------------------------------------------
A security researcher uncovered a vulnerability said to affect mainly Linux users; the authors give the all-clear
---------------------------------------------
http://derstandard.at/2000002429137
*** Serious Android crypto key theft vulnerability affects 86% of devices ***
---------------------------------------------
Bug in Android KeyStore that leaks credentials fixed only in KitKat.
---------------------------------------------
http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vu…
*** Anatomy of an Android SMS virus - watch out for text messages, even from your friends! ***
---------------------------------------------
Paul Ducklin looks into "Andr/SlfMite-A", an Android SMS virus. The malware sends itself to your top 20 contacts and foists a third-party app for an alternative Android software market onto your device...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-…
*** DSA-2970 cacti ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2970
*** Microsoft Kills Security Emails, Blames Canada ***
---------------------------------------------
In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.
---------------------------------------------
http://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-c…
*** ICS Focused Malware (Update A) ***
---------------------------------------------
This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-176-02 ICS Focused Malware that was published June 25, 2014 on the ICS-CERT web site, and includes information previously published to the US-CERT secure portal.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A
*** Disqus Wordpress Plugin Flaw Leaves Millions of Blogs Vulnerable to Hackers ***
---------------------------------------------
A remote code execution (RCE) vulnerability has been discovered in the Disqus plugin, a comment and discussion service for the most popular blogging platform, WordPress. While there are more than 70 million websites on the Internet currently running WordPress, about 1.3 million of them use the 'Disqus Comment System' plugin, making it one of the popular WordPress plugins for web comments.
---------------------------------------------
http://thehackernews.com/2014/06/disqus-wordpress-plugin-flaw-leaves.html
*** VLC media player has a critical crypto flaw ***
---------------------------------------------
A vulnerability in GnuTLS can apparently also be the undoing of VLC users: if the media player tries to open a stream from a specially prepared server, it risks infection with malicious code.
---------------------------------------------
http://www.heise.de/security/meldung/Medienplayer-VLC-mit-kritischer-Krypto…
*** Analysis: Spam in May 2014 ***
---------------------------------------------
In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother's Day - the attackers sent out adverts offering flowers and candies.
---------------------------------------------
http://www.securelist.com/en/analysis/204792339/Spam_in_May_2014
*** How to protect yourself against privileged user abuse ***
---------------------------------------------
Network World - The typical organization loses 5% of its revenues to fraud by its own employees each year, with most thefts committed by trusted employees in executive management, operations, accounting, sales, customer service or purchasing, ..
---------------------------------------------
http://www.computerworld.com/s/article/9249440/How_to_protect_yourself_agai…
*** Google also closes data leak in cloud storage ***
---------------------------------------------
Whoever clicks links inside documents stored on Google Drive leaves data traces. Through these, third parties can access the documents.
---------------------------------------------
http://www.heise.de/security/meldung/Auch-Google-schliesst-Datenleck-im-Clo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 26-06-2014 18:00 − Friday 27-06-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Stuxnet-like Havex Malware Strikes European SCADA Systems ***
---------------------------------------------
Security researchers have uncovered a new Stuxnet-like malware, named "Havex", which was used in a number of previous cyber attacks against organizations in the energy sector. Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect the industrial control system software of SCADA and ICS systems,...
---------------------------------------------
http://thehackernews.com/2014/06/stuxnet-like-havex-malware-strikes.html
*** Integer overflow: security vulnerability in the LZ4 and LZO compression algorithms ***
---------------------------------------------
A security vulnerability has been discovered in the code of the widely used LZO and LZ4 compression algorithms. It affects numerous applications, including the Linux kernel, the FFmpeg and Libav multimedia libraries, and OpenVPN.
---------------------------------------------
http://www.golem.de/news/integer-overflow-sicherheitsluecke-in-kompressions…
*** Image Stock Spam Reemerges ***
---------------------------------------------
Image stock spam, which can affect share prices and cause financial loss, has become more prominent in the last week. Image spam has been around for a long time and peaked in January 2007, when Symantec estimated that image spam accounted for nearly 52 percent of all spam. Pump-and-dump image stock spam made up a significant portion of that 52 percent.
---------------------------------------------
http://www.symantec.com/connect/blogs/image-stock-spam-reemerges
*** 1st International Conference on Information Systems Security and Privacy - ICISSP 2015 ***
---------------------------------------------
Venue: ESEO, Angers, Loire Valley, France
Event date: 9 - 11 February, 2015
Scope: The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues.
---------------------------------------------
http://www.securityfocus.com/archive/1/532572
*** New PHP versions patch security vulnerabilities ***
---------------------------------------------
PHP 5.4.30 and 5.5.14 each close a larger number of security vulnerabilities; the developers recommend a prompt upgrade.
---------------------------------------------
http://www.heise.de/security/meldung/Neue-PHP-Versionen-verarzten-Sicherhei…
*** Thomson TWG87OUIR Cross Site Request Forgery ***
---------------------------------------------
Topic: Thomson TWG87OUIR Cross Site Request Forgery
Risk: Medium
Text: #Author: nopesled
#Date: 24/06/14
#Vulnerability: POST Password Reset CSRF
#Tested on: Thomson TWG87OUIR (Hardware Version) ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060148
*** Bugtraq: [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532571
*** Security Notice-Statement About the Impact of the Dual_EC_DRBG Vulnerability on Huawei Devices ***
---------------------------------------------
Jun 27, 2014 17:39
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Vuln: LZ4 lz4.c Memory Corruption Vulnerability ***
---------------------------------------------
LZ4 lz4.c Memory Corruption Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/68218
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 25-06-2014 18:00 − Thursday 26-06-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Symantec Data Insight Management Console HTML Injection and Cross-Site Scripting ***
---------------------------------------------
The management console for Symantec Data Insight does not sufficiently validate/sanitize arbitrary input in two separate fields within the management GUI. This could potentially allow unauthorized command execution or potential malicious redirection.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** VMware Patches Apache Struts Flaws in vCOPS ***
---------------------------------------------
VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.
---------------------------------------------
http://threatpost.com/vmware-patches-apache-struts-flaws-in-vcops/106858
*** phpMyAdmin 4.2.3 XSS ***
---------------------------------------------
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a hide or unhide action.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060139
*** Sophos Anti-Virus Input Validation Flaw in Configuration Console Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in the Sophos Anti-Virus Configuration Console. A remote user can conduct cross-site scripting attacks.
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Sophos Anti-Virus configuration console software and will run in the security context of that site.
---------------------------------------------
http://www.securitytracker.com/id/1030467
*** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 and IBM WebSphere Application Server Hypervisor Edition 7.0.0.33
CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2013-6738, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0114
Affected product(s) and affected version(s): WebSphere Application Server and bundling
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 and IBM WebSphere Application Server Hypervisor 8.0.0.9
CVE(s): CVE-2013-6323, CVE-2013-6329, CVE-2013-6349, CVE-2014-0823, CVE-2013-6738, CVE-2014-0857, CVE-2014-0859, CVE-2013-6438, CVE-2013-6747, CVE-2014-3022, CVE-2014-0891, CVE-2014-0965, CVE-2014-0050, CVE-2014-0098, CVE-2014-0963 and CVE-2014-0076
Affected product(s) and affected version(s): WebSphere Application Server and bundling
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Rational ClearQuest is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-3470 ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. The OpenSSL component is shipped embedded in cqperl. Customers might be affected when there are Perl hooks or scripts that use SSL connections. ClearQuest itself does not provide any service using OpenSSL.
CVE(s): CVE-2014-0224 and CVE-2014-3470
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** PayPal 2FA mobe flaw chills warm and fuzzy security feeling ***
---------------------------------------------
PayPal's second-factor authentication (2FA) protection can be bypassed through mobile device interfaces that allow fraudsters to steal funds with only a victim's username and password, Duo Security researchers say.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/26/paypal_2fa_…
*** Multiple Cross Site Scripting in Sophos Antivirus Configuration Console (Linux) ***
---------------------------------------------
The Configuration Console of Sophos Antivirus 9.5.1 (Linux) does not sanitize several input parameters before sending them back to the browser, so an attacker could inject code inside these parameters, including JavaScript code. ...
CVE: CVE-2014-2385
Affected version: 9.5.1
Fixed version: 9.6.1
---------------------------------------------
https://www.portcullis-security.com/security-research-and-downloads/securit…
*** Fewer NTP servers exploitable for DDoS, but... ***
---------------------------------------------
However, some of the time servers that are still vulnerable are so badly configured that devastating NTP amplification attacks remain possible.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Weniger-NTP-Server-fuer-dDoS-ausnutz…
*** Fighting cybercrime: Strategic cooperation agreement signed between ENISA and Europol ***
---------------------------------------------
The heads of ENISA and Europol today signed a strategic cooperation agreement in Europol's headquarters in The Hague, to facilitate closer cooperation and exchange of expertise in the fight against cybercrime.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/fighting-cybercrime-strateg…
*** 2014 Cyber Attacks Timeline Master Index (at least so far) ***
---------------------------------------------
Finally I was able to organize the timelines collected in 2014. I have created a new page with the 2014 Cyber Attacks Timeline Master Index accessible either directly or from the link in the top menu bar. Hopefully it will be regularly updated. With this opportunity I also re-ordered the timelines and stats for 2013. Now everything should be more structured.
---------------------------------------------
http://hackmageddon.com/2014/06/24/2014-cyber-attacks-timeline-master-index…
*** Update to Microsoft Update client ***
---------------------------------------------
This article describes the update that further improves the security of Windows Update (WU) / Microsoft Update (MU) client for Windows 8, Windows RT, Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. Note: Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 with update 2919355 already include these improvements.
---------------------------------------------
http://support.microsoft.com/kb/2887535
*** Hacking Blind (PDF) ***
---------------------------------------------
Abstract: We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker.
---------------------------------------------
http://www.exploit-db.com/download_pdf/33872
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 24-06-2014 18:00 − Wednesday 25-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** TimThumb WebShot Code Execution Exploit (0-day) ***
---------------------------------------------
If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned. A new 0-day was just disclosed on TimThumb's "Webshot" feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command,...
---------------------------------------------
http://blog.sucuri.net/2014/06/timthumb-webshot-code-execution-exploit-0-da…
*** SPAM Hack Targets WordPress Core Install Directories ***
---------------------------------------------
Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like "Google Pharmacy" stores or other fake stores? We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used...
---------------------------------------------
http://blog.sucuri.net/2014/06/spam-hack-targets-wordpress-core-install-dir…
*** Asprox botnet campaign shifts tactics, evades detection ***
---------------------------------------------
FireEye researchers are tracking spikes in malicious emails attributed to an ongoing Asprox campaign.
---------------------------------------------
http://www.scmagazine.com/asprox-botnet-campaign-shifts-tactics-evades-dete…
*** R2DR2: ANALYSIS AND EXPLOITATION OF UDP AMPLIFICATION VULNERABILITIES ***
---------------------------------------------
Since we began our studies in the Master's degree on ICT security at the European University, the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional of the scene whom we admire, drew our attention. After several ideas and proposals by both parties, we decided to make a project about finding new attack vectors on distributed reflection denial of service attacks (DRDOS). Recently this blog talked about it in an article focused on an SNMP vulnerability,...
---------------------------------------------
http://www.securitybydefault.com/2014/06/r2dr2-analysis-and-exploitation-of…
*** PlugX RAT With "Time Bomb" Abuses Dropbox for Command-and-Control Settings ***
---------------------------------------------
Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4SyyRxr49gU/
*** HackPorts - Mac OS X Penetration Testing Framework and Tools ***
---------------------------------------------
HackPorts was developed as a penetration testing framework with accompanying tools and exploits that run natively on Mac platforms. HackPorts is a "super-project" that leverages existing code porting efforts, so security professionals can now use hundreds of penetration testing tools on Mac systems without the need for virtual machines.
---------------------------------------------
http://hack-tools.blackploit.com/2014/06/hackports-mac-os-x-penetration-tes…
*** Flaw Lets Attackers Bypass PayPal Two-Factor Authentication ***
---------------------------------------------
There's a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim's account to any recipient he chooses. The flaw lies in the way that the PayPal authentication flow works with the service's...
---------------------------------------------
http://threatpost.com/flaw-lets-attackers-bypass-paypal-two-factor-authenti…
*** ZyXEL P660RT2 EE rpAuth_1 cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93924
*** [papers] - Searching SHODAN For Fun And Profit ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/33859
*** Cisco IOS Software IPsec Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3299
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** GnuPG data packets denial of service ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93935
*** VMSA-2014-0006.3 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** VMSA-2014-0007 ***
---------------------------------------------
VMware product updates address security vulnerabilities in Apache Struts library
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
*** TimThumb 2.8.13 Remote Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060134
*** Bugtraq: [security bulletin] HPSBMU03053 rev.1 - HP Software Database and Middleware Automation, OpenSSL Vulnerability, Remote Unauthorized Access or Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532541
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 23-06-2014 18:00 − Tuesday 24-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** "Stop running this script?" notification redirects to Angler Exploit Kit ***
---------------------------------------------
ESET researchers identified a website serving up a "Stop running this script?" notification that, when clicked, redirects Internet Explorer users to the Angler Exploit Kit.
---------------------------------------------
http://www.scmagazine.com/stop-running-this-script-notification-redirects-t…
*** Android KeyStore::getKeyForName buffer overflow ***
---------------------------------------------
Google Android is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the KeyStore::getKeyForName method. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system under the keystore process.
...
Remedy:
Upgrade to the latest version of Android (4.4 or later), available from the Google Web site. See References.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93916
*** Havex Hunts for ICS/SCADA Systems ***
---------------------------------------------
During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002718.html
*** Beware of Skype Adware ***
---------------------------------------------
During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message to contacts without further intervention.
---------------------------------------------
http://research.zscaler.com/2014/06/beware-of-skype-adware.html
*** Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks ***
---------------------------------------------
95 percent of vulnerable NTP servers leveraged in massive DDoS attacks earlier this year have been patched, but the remaining servers still have experts concerned.
---------------------------------------------
http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 20-06-2014 18:00 − Monday 23-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** IBM Security Bulletin: IBM Security Proventia Network Enterprise Scanner is affected by the following OpenSSL vulnerabilities ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470
Affected product(s) and affected version(s):
Products: IBM Security Enterprise Scanner
Versions: 2.3
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** WordPress 3.9.1 CSRF vulnerability ***
---------------------------------------------
This is the new version released by WordPress.
The version is 3.9.1 (latest).
Cross-site request forgery (CSRF) is present in this version at the URL
shown:
http://localhost/wordpress/wp-comments-post.php
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060119
*** cups-filters 1.0.52 execute arbitrary commands ***
---------------------------------------------
Topic: cups-filters 1.0.52 execute arbitrary commands
Risk: High
Text: The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP print...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060124
*** [SECURITY] [DSA 2966-1] samba security update ***
---------------------------------------------
Multiple vulnerabilities were discovered and fixed in Samba, an SMB/CIFS file, print, and login server:
CVE-2014-0178 Information leak vulnerability in the VFS code..
CVE-2014-0244 Denial of service (infinite CPU loop) in the nmbd..
CVE-2014-3493 Denial of service (daemon crash) in the smbd..
---------------------------------------------
https://lists.debian.org/debian-security-announce/2014/msg00147.html
*** Security Bulletin: IBM Security Access Manager for Mobile and IBM Security Access Manager for Web appliances - LMI Authentication Bypass ***
---------------------------------------------
IBM Security Access Manager for Mobile / IBM Security Access Manager for Web fails to properly handle certain input data such that it could be possible for an attacker to authenticate to the appliance Local Management Interface using invalid authentication data.
CVE: CVE-2014-3053
CVSS Base Score: 8.0
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21676700
*** A peek inside a commercially available Android-based botnet for hire ***
---------------------------------------------
Relying on the systematic release of DIY (do-it-yourself) mobile malware generating tools, commercial availability of mobile malware releases intersecting with the efficient exploitation of legitimate Web sites through fraudulent underground traffic exchanges, as well as the utilization of cybercrime-friendly affiliate based revenue sharing schemes, cybercriminals continue capitalizing on the ever-growing Android mobile market segment for the purpose of achieving a positive ROI ...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/m9Fm5dNY9bg/
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 18-06-2014 18:00 − Friday 20-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-062
Project: Password policy (third-party module)
Version: 6.x, 7.x
Date: 2014-June-18
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure (7.x only)
---------------------------------------------
https://drupal.org/node/2288341
*** KDE: Bug in Kmail enables man-in-the-middle attacks ***
---------------------------------------------
The code of the POP3 kioslave in KDE's e-mail application Kmail, or rather in Kdelibs, contains a bug that causes invalid certificates to be accepted without prompting. Attackers could thereby insert themselves into encrypted e-mail traffic.
---------------------------------------------
http://www.golem.de/news/kde-fehler-in-kmail-erlaubt-man-in-the-middle-angr…
*** Cisco WebEx Meeting Server Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the XML programmatic interface (XML PI) of Cisco WebEx Meeting Server could allow an authenticated, remote attacker to access sensitive information.
The vulnerability is due to disclosure of the meeting information. An attacker could exploit this vulnerability by sending a crafted URL request to a vulnerable device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Thousands of Android apps disclose secret keys ***
---------------------------------------------
Many Android programs embed secret access keys directly in their source code. An attacker can use these to steal private data of the app's users and, in the worst case, take over the developers' server infrastructure.
---------------------------------------------
http://www.heise.de/security/meldung/Tausende-Android-Apps-geben-geheime-Sc…
*** Android 4.4.4 is rolling out to devices; contains OpenSSL fix ***
---------------------------------------------
Official change log lists "security fixes;" Googler says it is OpenSSL related.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/rMSXTBPBcjU/
*** 'Your fault - core dumped' - Diving into the BSOD caused by Rovnix ***
---------------------------------------------
Recently we have noticed some Win32/Rovnix samples (detected as TrojanDropper:Win32/Rovnix.K) causing the BSOD on Windows 7 machines. We spent some time investigating this situation and discovered an interesting story behind the BSOD.
Analyzing the crash dump
We first saw TrojanDropper:Win32/Rovnix.K in October 2013. During a normal Windows Boot the malware will cause the BSOD.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/18/your-fault-core-dumped-d…
*** Linux Kernel PI Futex Requeuing Bug Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in the Linux Kernel. A local user can obtain elevated privileges on the target system.
A local user can exploit a flaw in the requeuing of Priority Inheritance (PI) to PI futexes to gain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1030451
*** Yet Another BMC Vulnerability (And some added extras) ***
---------------------------------------------
After considering the matter for the past 6 months while continuing to work with Supermicro on the issues, I have decided to release the following to everyone. On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.
---------------------------------------------
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-…
*** Simplocker ransomware: New variants spread by Android downloader apps ***
---------------------------------------------
Since our initial discovery of Android/Simplocker we have observed several different variants. The differences between them are mostly in: Tor usage - some use a Tor .onion domain, whereas others use a more conventional C&C domain. Different ways of receiving the 'decrypt' command, indicating that the ransom has been paid. ...
---------------------------------------------
http://www.welivesecurity.com/2014/06/19/simplocker-new-variants/
*** Pen Testing Payment Terminals - A Step by Step How-to Guide ***
---------------------------------------------
There is a plenitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL encryption to protect the traffic. Here, I explain why testing a simple, tightly secured payment terminal is not as simple as one might think.
---------------------------------------------
http://pen-testing.sans.org/blog/pen-testing/2014/06/12/pen-testing-payment…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 17-06-2014 18:00 − Wednesday 18-06-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Evernote forum breached, profile information compromised ***
---------------------------------------------
The official discussion forum of Evernote has been hacked, leaving users' profile information accessible to attackers.
---------------------------------------------
http://www.scmagazine.com/evernote-forum-breached-profile-information-compr…
*** Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents ***
---------------------------------------------
A vulnerability was reported in Xen. A local user can obtain potentially sensitive information from other domains.
The system does not properly control access to memory pages during memory cleanup for dying guest systems. A local user on a guest system can access information from guest or hypervisor memory, potentially including guest CPU register state and hypercall arguments.
---------------------------------------------
http://www.securitytracker.com/id/1030442
*** HP Software Executive Scorecard, Remote Execution of Code, Directory Traversal ***
---------------------------------------------
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Executive Scorecard. The vulnerability could be exploited remotely to allow remote code execution and directory traversal.
References:
CVE-2014-2609 (ZDI-CAN-2116, SSRT101436)
CVE-2014-2610 (ZDI-CAN-2117, SSRT101435)
CVE-2014-2611 (ZDI-CAN-2120, SSRT101431)
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** OpenStack Neutron L3-agent Remote Denial of Service Vulnerability ***
---------------------------------------------
OpenStack Neutron is prone to a remote denial-of-service vulnerability. An attacker can leverage this issue to cause a denial-of-service condition, denying service to legitimate users. The following versions are vulnerable: Neutron 2013.2.3 and prior; Neutron 2014.1 and prior.
---------------------------------------------
http://www.securityfocus.com/bid/68064/discuss
*** Microsoft fixes crash-prone antivirus ***
---------------------------------------------
With an update outside the regular Patch Tuesday cycle, Microsoft fixes a bug in the Malware Protection Engine through which malware could disable the antivirus protection.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsoft-bessert-absturzgefaehrdete…
*** VU#774788: Belkin N150 path traversal vulnerability ***
---------------------------------------------
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system.
---------------------------------------------
http://www.kb.cert.org/vuls/id/774788
*** [remote] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability ***
---------------------------------------------
Summary: Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft.
...
Desc: The vulnerability is caused due to a memset() boundary error in the processing of incoming data through raw socket connections on TCP port 1001, which can be exploited to cause a stack-based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.
---------------------------------------------
http://www.exploit-db.com/exploits/33804
*** Forensic tool said to download iCloud backups without a password ***
---------------------------------------------
Elcomsoft has announced that its "Phone Password Breaker" can read authentication tokens from computers, with which investigators can then gain access to a suspect's iCloud data. The suspect's password is reportedly no longer needed.
---------------------------------------------
http://www.heise.de/security/meldung/Forensik-Tool-soll-iCloud-Backups-ohne…
*** When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities ***
---------------------------------------------
One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Trustworthy Computing's Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 16-06-2014 18:00 − Tuesday 17-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Malicious Web-based Java applet generating tool spotted in the wild ***
---------------------------------------------
Despite the prevalence of Web based client-side exploitation tools as the cybercrime ecosystem's primary infection vector, in a series of blog posts, we've been emphasizing the emergence of managed/hosted/DIY malicious Java applet generating tools/platforms, highlighting the existence of a growing market segment relying on 'visual social engineering' vectors for the purpose of tricking end users into executing malicious/rogue/fake Java applets, ultimately joining a
---------------------------------------------
http://www.webroot.com/blog/2014/06/16/malicious-web-based-java-applet-gene…
*** Cisco ASA WebVPN Information Disclosure Vulnerability ***
---------------------------------------------
CVE ID: CVE-2014-2151
...
A vulnerability in the WebVPN portal of Cisco Adaptive Security Appliance (ASA) could allow an authenticated, remote attacker to view sensitive information from the affected system.
The vulnerability is due to improper input validation in the WebVPN portal. An attacker could exploit this vulnerability by providing a crafted JavaScript file to an authenticated WebVPN user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security Advisory-Heap Overflow Vulnerability in Huawei eSap Platform ***
---------------------------------------------
Huawei eSap software platform has four heap overflow vulnerabilities. Huawei products that have used this platform are affected. When receiving some special malformed packets, such devices access heap memory that is beyond the valid range and cause unexpected restart of the devices. If an attacker keeps sending such malformed packets, the devices will repeatedly restart, causing a denial of service (DoS) attack (Vulnerability ID: HWPSIRT-2014-0111).
Huawei has provided fixed versions.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** IBM AIX ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks ***
---------------------------------------------
A vulnerability was reported in IBM AIX. A remote user can conduct amplified denial of service attacks.
A remote user can exploit an administrative query function in ntpd to amplify distributed denial of service (DDoS) attacks against other sites.
---------------------------------------------
http://www.securitytracker.com/id/1030433
*** Hacking the Java Debug Wire Protocol - or - 'How I met your Java debugger' ***
---------------------------------------------
In this post, I will explain the Java Debug Wire Protocol (JDWP) and why it is interesting from a pentester's point of view. I will cover some JDWP internals and how to use them to perform code execution, resulting in a reliable and universal exploitation script. ... As a matter of fact, JDWP is used quite a lot in the Java application world. Pentesters might, however, not see it that often when performing remote assessments as firewalls would (and should) mostly block the port it is
---------------------------------------------
http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.ht…
*** CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing ***
---------------------------------------------
A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.
---------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1108447
*** SLocker Android Ransomware Communicates Via Tor And SMS ***
---------------------------------------------
A little over two weeks ago, we found a new family of Android ransomware: SLocker. We have no evidence that SLocker is related to Koler, the most recently discovered Android ransomware. It does however carry through on the threat Koler made. Unlike Koler - which pretended to, but didn't actually encrypt files - SLocker will actually scan the device's SD card for specific file types: When the SLocker app is launched, it encrypts these files and then displays a ransom message: The message
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002716.html
*** Microsoft seals off OneDrive links ***
---------------------------------------------
The document sharing feature of Microsoft's cloud storage had a hole that would have allowed attackers to gain unauthorized access to documents. Microsoft has now closed the gap, but older sharing URLs may still be vulnerable.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-dichtet-OneDrive-Links-ab-22…
*** Technology sites "riskier" than illegal sites in 2013, according to Symantec data ***
---------------------------------------------
The 'riskiest' pages to visit in 2013 were technology websites, according to data from users of Norton Web Safe, which monitors billions of traffic requests and millions of software downloads per day.
---------------------------------------------
http://www.scmagazine.com/technology-sites-riskier-than-illegal-sites-in-20…
*** Popular HTTPS Sites Still Vulnerable to OpenSSL Connection Hijacking Attack ***
---------------------------------------------
Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.
---------------------------------------------
http://www.cio.com/article/754250/Popular_HTTPS_Sites_Still_Vulnerable_to_O…
*** Researchers Outline Spammers' Business Ecosystem ***
---------------------------------------------
An anonymous reader writes: A team of researchers at the UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem, including: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-AKpHVGH5us/story01.htm
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 13-06-2014 18:00 − Monday 16-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** BlackEnergy Rootkit, Sort of ***
---------------------------------------------
A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine. The family is allegedly the same malware used in the cyber attack against Georgia in 2008. The malware provides attackers full access to their infected hosts. Check out SecureWorks' detailed analysis from 2010 for more information about the family. The new sample is not much of a rootkit anymore, in the sense that it no longer hides files, ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002715.html
*** Pre-installed Trojan found on Chinese S4 clone ***
---------------------------------------------
Spyware reads out sensitive data and allows the device to be turned into a listening bug.
---------------------------------------------
http://derstandard.at/2000002023277
*** Note for Debian users on the OpenSSL upgrade ***
---------------------------------------------
6 June 2014. Again, OpenSSL was the centre of patching in the last two days. While Debian was quick to release a patched version, it seems like Debian forgot to make sure that some services which link against openssl (libssl) get restarted. Here is how you can check which services use ..
---------------------------------------------
http://www.cert.at/services/blog/20140606123624-1163.html
*** Ruling Raises Stakes for Cyberheist Victims ***
---------------------------------------------
A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution's legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.
---------------------------------------------
http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-vict…
*** Fending off brute-force attacks on wp-login.php ***
---------------------------------------------
Currently, "brute force" attacks against WordPress blogs are being carried out with increased intensity. We too are registering a rise in such attacks. [...] In the following we show you how you can limit the success of such attacks.
---------------------------------------------
http://blog.initiative-s.de/2013/04/bruteforce-angriffe-auf-wp-login-php-ab…
*** One-third of cyber attacks take hours to detect ***
---------------------------------------------
More than one-third of cyber attacks take hours to detect. Even more alarming, resolving breaches takes days, weeks, and in some cases, even ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=17005
*** End-to-end encryption for BlackBerry Messenger ***
---------------------------------------------
With BBM Protected, BlackBerry Messenger gains end-to-end encryption, initially only in the stricter Regulated mode without BlackBerry Balance or Android and iOS clients.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-zu-Ende-Verschluesselung-fuer-Bla…
*** German successor to TrueCrypt announced ***
---------------------------------------------
The open-source encryption project TrueCrypt, discontinued for reasons that are not entirely clear, has a new contender for its succession. The announced software has its direct origin in TrueCrypt.
---------------------------------------------
http://www.heise.de/ix/meldung/Deutscher-Nachfolger-fuer-TrueCrypt-angekuen…
*** Towelroot cracks Android in seconds ***
---------------------------------------------
Geohot has unexpectedly released a tool that is said to be able to root almost all Android devices. In a first test it worked surprisingly well. However, it also demonstrates a fatal security hole.
---------------------------------------------
http://www.heise.de/security/meldung/Towelroot-knackt-Android-in-Sekunden-2…
*** Multiple vulnerabilities in Openfiler ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93764
http://xforce.iss.net/xforce/xfdb/93763
http://xforce.iss.net/xforce/xfdb/93762
http://xforce.iss.net/xforce/xfdb/93761
*** Bugtraq: [SE-2014-01] Security vulnerabilities in Oracle Database Java VM ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532433
*** Asterisk MixMonitor Lets Remote Authenticated Users Execute Arbitrary Shell Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1030426
*** PostgreSQL 8.4.1 Denial Of Service Integer Overflow ***
---------------------------------------------
PostgreSQL is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data before...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060082
*** PowerDNS in default configuration is vulnerable to DoS attack ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060083
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 12-06-2014 18:00 − Friday 13-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft pulls the "Secure Boot" brake ***
---------------------------------------------
With an update for Windows 8, Server 2012, 8.1 and Server 2012 R2, Microsoft installs new key databases that block the start of some UEFI modules.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-zieht-die-Secure-Boot-Bremse…
*** Setting HoneyTraps with ModSecurity: Adding Fake Hidden Form Fields ***
---------------------------------------------
This blog post continues with the topic of setting "HoneyTraps" within your web applications to catch attackers. Please review the previous posts for more examples: Project Honeypot Integration, Unused Web Ports, Adding Fake robots.txt Entries, Adding Fake HTML Comments. This blog post will discuss Recipe 3-4: Adding Fake Hidden Form Fields from my book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users".
Recipe 3-4: Adding Fake Hidden Form Fields
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/btSzvx21q3s/setting-ho…
*** Hacker claims PayPal loophole generates FREE MONEY ***
---------------------------------------------
Convicted hacker comes good with fraudster flowchart
A PayPal loophole can be exploited to earn free cash, according to a convicted former NASA hacker turned white hat.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/13/hacker_clai…
*** You have no SQL inj--... sorry, NoSQL injections in your application ***
---------------------------------------------
Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL).
But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/06/12/you-have-…
*** Banking malware using Windows to block anti-malware apps ***
---------------------------------------------
BKDR_VAWTRAK is using Software Restriction Policies to restrict security software.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/s0xxmloC9XA/
*** Mergers and Acquisitions: When Two Companies and APT Groups Come Together ***
---------------------------------------------
With Apple's purchase of Beats, Pfizer's failed bids for AstraZeneca, and financial experts pointing to a rally in the M&A market, the last month was a busy one for mergers and acquisitions. Of course, when we first see headlines of...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/06/mergers-and-a…
*** Microsoft's June patches can break Office 2013 installations ***
---------------------------------------------
The Office 2013 patches from 11 June sometimes cause major problems and can result in the Office programs no longer starting.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsofts-Juni-Patches-koennen-Offi…
*** How iOS 8 Will Affect the Security of iPhones and iPads ***
---------------------------------------------
Apple's mobile OS has been enhanced, but is it more secure?
---------------------------------------------
http://www.symantec.com/connect/blogs/how-ios-8-will-affect-security-iphone…
*** Stratfor hack: secret report finds serious security gaps ***
---------------------------------------------
An investigation following the break-in to the Stratfor servers by the group Antisec found that the company had ignored the most important security measures.
---------------------------------------------
http://www.golem.de/news/stratfor-hack-geheimer-bericht-stellt-gravierende-…
*** CloudFlare offers free DDoS protection to public interest websites ***
---------------------------------------------
A project launched by CloudFlare, a provider of website performance and security services, allows organizations engaged in news gathering, civil society and political or artistic speech to use the company's distributed denial-of-service (DDoS) protection technology for free. The goal of the project, dubbed Galileo, is to protect freedom of expression on the Web by protecting sites with public interest information from being censored through online attacks, according to the San Francisco-based
---------------------------------------------
http://www.csoonline.com/article/2363382/cloudflare-offers-free-ddos-protec…
*** ISC Patches Critical DoS Vulnerability in BIND ***
---------------------------------------------
A critical, remotely exploitable bug in some BIND domain name system (DNS) servers could cause a denial of service situation and trigger them to crash.
---------------------------------------------
http://threatpost.com/isc-patches-critical-dos-vulnerability-in-bind/106653
*** CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing ***
---------------------------------------------
A specially crafted query sent to a BIND nameserver can cause it to crash with a REQUIRE assertion error.
---------------------------------------------
https://kb.isc.org/article/AA-01166/74/CVE-2014-3859:-BIND-named-can-crash-…
*** IBM Security Bulletin: IBM Algo One - cryptographic key information discovery (CVE-2014-0076) ***
---------------------------------------------
Under certain circumstances, a local attacker could discover cryptographic key information from IBM Algo One.
CVE(s): CVE-2014-0076
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21675765
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL ***
---------------------------------------------
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
CVE(s): CVE-2010-5298
Affected product(s) and affected version(s): AIX 5.3, 6.1 and 7.1; VIOS 2.X
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory8.asc
X-Force Database: http://xforce.iss.net/xforce/xfdb/92632
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/race_condition_in_the…
*** IBM Security Advisory for AIX ***
---------------------------------------------
AIX OpenSSL SSL/TLS Man In The Middle (MITM) vulnerability
AIX OpenSSL DTLS recursion flaw
AIX OpenSSL DTLS invalid fragment vulnerability
AIX OpenSSL SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
AIX OpenSSL Anonymous ECDH denial of service
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc
*** Cisco Autonomic Networking Infrastructure Overwrite Vulnerability ***
---------------------------------------------
CVE-2014-3290
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** DSA-2958 apt ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2958
*** DSA-2957 mediawiki ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2957
*** VMSA-2014-0006.1 ***
---------------------------------------------
VMware product updates address OpenSSL security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0006.html
*** Yealink VoIP Phones XSS / CRLF Injection ***
---------------------------------------------
Topic: Yealink VoIP Phones XSS / CRLF Injection
Risk: Low
Text: I. ADVISORY
CVE-2014-3427 CRLF Injection in Yealink VoIP Phones
CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060079
*** SSA-963338 (Last Update 2014-06-13): Multiple Buffer Overflows in UPnP Interface of OZW and OZS Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Bugtraq: AST-2014-005: Remote Crash in PJSIP Channel Drivers Publish/Subscribe Framework ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532414
*** Bugtraq: AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532415
*** HPSBUX03046 SSRT101590 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS), Code Execution, Security Restriction Bypass, Disclosure of Information, or Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS), execute code, bypass security restrictions, disclose information, or allow unauthorized access.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 11-06-2014 18:00 − Thursday 12-06-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Weekly Metasploit Update: Meterpreter Madness ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/06/11/weekly-me…
*** MSRT June 2014 - Necurs ***
---------------------------------------------
This month we added Win32/Necurs to the Microsoft Malicious Software Removal Tool (MSRT). In a previous blog about Necurs I outlined the family's prevalence and the techniques it uses to execute its payload. In this blog, I will discuss the Necurs rootkit components Trojan:WinNT/Necurs.A and Trojan:Win64/Necurs.A in greater depth. These Necurs rootkit components are sophisticated drivers that try to block security products during every stage of Windows startup. It's important to note that...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/10/msrt-june-2014-necurs.as…
*** Gmail Bug Could Have Exposed Every User's Address ***
---------------------------------------------
Security tester Oren Hafif says that he found and helped fix a bug in Google's Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3b66e7a5/sc/4/l/0L0Swired0N0C20A1…
*** Small businesses running cloud-based POS software hit with unique POSCLOUD malware ***
---------------------------------------------
Researchers with IntelCrawler have identified a unique type of malware, known as POSCLOUD, which targets cloud-based point-of-sale software.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/PLQgnJ1-_Mc/
*** Yahoo Toolbar triggers XSS in Google, other popular services, researcher finds ***
---------------------------------------------
A researcher discovered that Yahoo Toolbar triggers XSS in highly popular services, which could enable an attacker to hijack accounts.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/rM026xMWg8U/
*** Feedly and Evernote Hit by DDoS Attacks, Extortion Demands ***
---------------------------------------------
Yesterday, the most popular RSS reader Feedly was down as a result of a large-scale distributed denial-of-service (DDoS) attack carried out by cybercriminals to extort money. On Wednesday, Feedly was temporarily unavailable to its users. Feedly posted details of the attack at 5:00 AM ET on its blog, saying that they were under a Distributed Denial of Service (DDoS) attack and
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/9ZGb8CUzJwg/feedly-and-eve…
*** RSS service: Feedly is reachable again ***
---------------------------------------------
After an outage of almost 24 hours, the RSS service Feedly is usable again. Criminals carried out a DDoS attack against the Feedly servers and demanded a payment to end the attack.
---------------------------------------------
http://www.golem.de/news/rss-dienst-feedly-ist-wieder-erreichbar-1406-10713…
*** Feedly under DDoS fire again ***
---------------------------------------------
The cyber-extortionists who paralysed the newsreader service Feedly on Wednesday are apparently not giving up. The service is unreachable once again.
---------------------------------------------
http://www.heise.de/security/meldung/Feedly-wieder-unter-DDoS-Beschuss-2220…
*** TweetDeck with a heart defect ***
---------------------------------------------
Due to a bug, the Twitter client executed JavaScript code embedded in tweets whenever a Unicode heart was appended to it.
---------------------------------------------
http://www.heise.de/security/meldung/TweetDeck-mit-Herzfehler-2220478.html
*** The Computer Security Threat From Ultrasonic Networks ***
---------------------------------------------
KentuckyFC (1144503) writes: Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a setup known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/1R8EpiBl880/story01.htm
*** VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable ***
---------------------------------------------
While the group of vulnerabilities that the OpenSSL Project patched last week hasn't grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an advisory confirming that a long list of...
---------------------------------------------
http://threatpost.com/vmware-patches-esxi-against-openssl-flaw-but-many-oth…
*** Project Un1c0rn Wants to Be the Google for Lazy Security Flaws ***
---------------------------------------------
Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues.
---------------------------------------------
http://motherboard.vice.com/en_ca/read/is-this-website-vulnerable-to-hacker…
*** Cisco IOS XR Software IPv6 Malformed Packet Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20140611-ipv6
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10628 - 2014-06 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN) and Junos Pulse Access Control Service (UAC): Weak SSL cipher allowed unexpectedly when higher level cipher group is configured (CVE-2014-3812) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10628&actp=RSS
*** JSA10631 - 2014-06 Security Bulletin: NetScreen Firewall: DNS lookup issue may cause denial of service (CVE-2014-3813) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10631&actp=RSS
*** JSA10632 - 2014-06 Security Bulletin: NetScreen Firewall: Malformed IPv6 packet DoS issue (CVE-2014-3814) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10632&actp=RSS
*** JSA10630 - 2014-06 Security Bulletin: Junos WebApp Secure: Local user privilege escalation issue (CVE-2013-2094) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10630&actp=RSS
*** SA-CONTRIB-2014-060- Petitions - Cross Site Request Forgery (CSRF) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-060
Project: Petitions (third-party distribution)
Version: 7.x
Date: 2014-June-11
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross Site Request Forgery
Description: This distribution enables you to build an application that lets users create and sign petitions. The contained wh_petitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they...
---------------------------------------------
https://drupal.org/node/2284571
*** SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-059
Project: Touch (third-party module)
Version: 7.x
Date: 2014-June-11
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description: Touch Theme is a lightweight theme with a modern look and feel. The theme does not sufficiently sanitize theme settings input for the Twitter and Facebook username. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE...
---------------------------------------------
https://drupal.org/node/2284415
*** Cisco IOS XR ASR 9000 IPv6 Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030400
*** DSA-2956 icinga ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2956
*** DSA-2955 iceweasel ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2955
*** Netscape Portable Runtime API Buffer Overflow May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030404
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 10-06-2014 18:00 − Wednesday 11-06-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Microsoft Security Bulletin Summary for June 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for June 2014.
With the release of the security bulletins for June 2014, this bulletin summary replaces the bulletin advance notification originally issued June 5, 2014.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Assessing risk for the June 2014 security updates ***
---------------------------------------------
Today we released seven security bulletins addressing 66 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
Table columns: Bulletin | Most likely attack vector | Max Bulletin Severity | Max XI | Likely first 30 days impact | Platform mitigations and key notes
MS14-035 (Internet Explorer) | Victim browses to a malicious
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/06/10/assessing-risk-for-the-ju…
*** Android no longer reveals app permission changes in automatic updates ***
---------------------------------------------
Change could heighten security risks for users.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/KCMtV-_xnqA/
*** May 2014 Cyber Attack Statistics ***
---------------------------------------------
As I noticed previously in these pages, it looks like attackers are just waiting for the summer, since the number of events in May has experienced a noticeable decrease. The Daily Trend of Attacks chart shows quite a linear trend with two small peaks around 15 and 30 May. Overall the activity appears quite limited.
---------------------------------------------
http://hackmageddon.com/2014/06/11/may-2014-cyber-attack-statistics/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-06-2014 18:00 − Tuesday 10-06-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Microsoft preps seven fixes, two critical, for Patch Tuesday release ***
---------------------------------------------
The critical patches will remediate remote code execute (RCE) bugs in Windows, IE, Office and Microsoft Lync.
---------------------------------------------
http://www.scmagazine.com/microsoft-preps-seven-fixes-two-critical-for-patc…
*** Microsoft to eradicate an age-old Internet Explorer hole ***
---------------------------------------------
Seven update packages announced for the upcoming Patch Tuesday - support for XP uncertain
---------------------------------------------
http://derstandard.at/2000001862657
*** Security updates available for Adobe Flash Player (APSB14-16) ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:...
---------------------------------------------
https://helpx.adobe.com/security/products/flash-player/apsb14-16.html
*** Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7 ***
---------------------------------------------
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero-day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Rz2E0q7KOps/story01.htm
*** Coordinated malware eradication nears launch ***
---------------------------------------------
Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we'll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/06/04/coordinated-malware-erad…
*** Router security: Fritzbox automatically checks for firmware updates ***
---------------------------------------------
AVM has drawn a consequence from the serious security vulnerability in its routers. A lab version now allows the firmware to be updated automatically.
---------------------------------------------
http://www.golem.de/news/routersicherheit-fritzbox-sucht-automatisch-nach-f…
*** Backstage with the Gameover Botnet Hijackers ***
---------------------------------------------
When you're planning to rob the Russian cyber mob, you'd better be sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today's column features an interview with two security experts who helped plan and execute this week's global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/QUb7mFxjXlc/
*** Extracting the payload from a CVE-2014-1761 RTF document ***
---------------------------------------------
Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group's Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-…
*** We've Set Up a One-Click Test For GameOver ZeuS ***
---------------------------------------------
Today we've published a new, quick way to check if your computer is infected by GameOver ZeuS (GOZ). Last week the GOZ botnet was disrupted by international law enforcement together with industry partners, including ourselves. It is of critical importance to realize GOZ was disrupted - not dismantled. It's not technically impossible for the botnet administrators to reclaim control in the near future. More than one million computers are infected by GOZ; time is of the essence. To assist with...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002712.html
*** Cybercrime costs over 400 billion dollars worldwide, study says ***
---------------------------------------------
In Austria the damage amounts to 0.41 percent of gross domestic product
---------------------------------------------
http://derstandard.at/2000001878950
*** "Red Button" Attack Could Compromise Some Smart TVs ***
---------------------------------------------
A vulnerability in an emerging interactive television standard could open up a number of smart TVs to untraceable drive-by attacks.
---------------------------------------------
http://threatpost.com/red-button-attack-could-compromise-some-smart-tvs/106…
*** Chrome OS leaks data to Google before switching on a VPN, says GCHQ ***
---------------------------------------------
UK spy-base wing in new advice for BlackBerry, and Google OSes
The sexy-named Communications Electronics Security Group (CESG) - the bit of GCHQ that helps Brits protect secrets from foreign spies (never mind GCHQ) - has issued new advice for securing BlackBerry OS 10, Android and Chrome OS 32.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/06/10/security_gu…
*** Zeus Alternative "Pandemiya" Emerges in Cybercrime Underground ***
---------------------------------------------
Pandemiya has all the capabilities that are typical among banking Trojans, such as injecting fake elements into websites, capturing screenshots of the user's computer screen, and encrypting its communications with the control panel. What sets Pandemiya apart from all other banking Trojans is the fact that it has been written from scratch without sharing any source code with Zeus, Fleyder said.
---------------------------------------------
https://www.securityweek.com/zeus-alternative-pandemiya-emerges-cybercrime-…
*** iOS Malware Does Exist ***
---------------------------------------------
Before somebody asks me (again) whether there is any iOS malware or not, I decided to consolidate the information for you.
---------------------------------------------
https://blog.fortinet.com/iOS-malware-do-exist/
*** Cisco Wireless LAN Controller Cisco Discovery Protocol Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-3291
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Citrix Security Advisory for OpenSSL Vulnerabilities (June 2014) ***
---------------------------------------------
Severity: High
Overview: The OpenSSL security advisory released on the 5th of June 2014 disclosed six security vulnerabilities in this open source component; these are described below:
---------------------------------------------
http://support.citrix.com/article/CTX140876
*** SAP Hard-Coded Credentials ***
---------------------------------------------
Topic: SAP Hard-Coded Credentials
Risk: Medium
Text: Onapsis Security Advisories: Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP componen...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060046
*** MediaWiki Input Validation Flaw in Special:PasswordReset Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030364
*** VU#758382: Unauthorized modification of UEFI variables in UEFI systems ***
---------------------------------------------
Vulnerability Note VU#758382: Unauthorized modification of UEFI variables in UEFI systems
Original Release date: 09 Jun 2014 | Last revised: 09 Jun 2014
Overview: Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform.
Description: According to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam...
---------------------------------------------
http://www.kb.cert.org/vuls/id/758382
*** Cisco Unified Communications Manager Java Interface SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3287
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WebEx Meeting Server Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-3294
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Vuln: Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Wireless LAN Controller CVE-2014-3291 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/67926
*** IBM Security Bulletin: Denial of Service attack possible on Cúram instances using Apache Commons FileUpload (CVE-2014-0050) ***
---------------------------------------------
A version of Apache Commons FileUpload shipped with Cúram is vulnerable to a denial of service attack.
CVE(s): CVE-2014-0050
Affected product(s) and affected version(s): Cúram Social Program Management. All products are affected when running code releases 4.5 SP10, 5.0, 5.2, 5.2 SP1, 5.2 SP4, 5.2 SP4 DE, 5.2 SP5, 5.2 SP6, 6.0 SP2, 6.0.3.0, 6.0.4.0, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.5.2, 6.0.5.3, 6.0.5.4.
Refer to the following reference URLs for remediation and additional...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** WebTitan: Multiple critical vulnerabilities ***
---------------------------------------------
product: WebTitan
vulnerable version: 4.01 (Build 68)
fixed version: 4.04
impact: critical
...
1) SQL Injection
2) Remote command execution
3) Path traversal
4) Unprotected Access
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-06-2014 18:00 − Friday 06-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hundreds of thousands of servers attackable via remote management protocols ***
---------------------------------------------
The remote management protocol IPMI, which allows servers to be maintained via the motherboard's firmware, has serious security vulnerabilities. In a scan of the Internet, researchers found heaps of servers that are attackable.
---------------------------------------------
http://www.heise.de/security/meldung/Hunderttausende-Server-ueber-Fernwartu…
*** Microsoft Security Bulletin Advance Notification for June 2014 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-JUN
*** Microsoft to Patch Critical Internet Explorer Zero-Day Vulnerability Next Tuesday ***
---------------------------------------------
Today Microsoft has released its Advance Notification for the June 2014 Patch Tuesday, announcing seven security bulletins which will address several vulnerabilities in its products, of which two are marked critical and the rest important in severity. This Tuesday, Microsoft will issue Security Updates to ..
---------------------------------------------
http://thehackernews.com/2014/06/microsoft-to-patch-critical-internet.html
*** Linux Kernel futex privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93593
*** Linux: kernel bug allows sandbox escapes ***
---------------------------------------------
A bug in the futex code of Linux gives users full access to the kernel. This could be used, for example, to break out of the Chrome sandbox. Patches are already available.
---------------------------------------------
http://www.golem.de/news/linux-kernel-bug-erlaubt-sandbox-ausbrueche-1406-1…
*** Bugtraq: ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532311
*** Hacking Apple ID? ***
---------------------------------------------
The many announcements at Apple's 2014 Worldwide Developers Conference (WWDC) this week were welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals. Last week we got a concrete example of how some ..
---------------------------------------------
blog.trendmicro.com/trendlabs-security-intelligence/hacking-apple-id/
*** Daktronics Vanguard Hardcoded Credentials (Update A) ***
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01A
*** Even more heart-bleeding in OpenSSL ***
---------------------------------------------
The person responsible for the Heartbleed hole has contributed further code to the open-source project. And that code, too, has obvious security vulnerabilities.
---------------------------------------------
http://www.heise.de/security/meldung/Noch-mehr-Herzbluten-bei-OpenSSL-22172…
*** Phish or legit - Can you tell the difference? ***
---------------------------------------------
I recently received two emails, sent to two different addresses and both from different senders. The first email was allegedly from Apple and was sent to my work account. The second email was allegedly from the Bank of Montreal (BMO) and was sent to my personal account. Both were unsolicited and were asking me to click on links contained in the body of the email.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/06/06/phish-or-legit-can-you-tell-the-…
*** Web browsers: new history leak hard to plug ***
---------------------------------------------
A JavaScript function indirectly allows the load times of a web page to be measured. This makes it possible to find out whether a visitor has already called up certain links.
---------------------------------------------
http://www.heise.de/security/meldung/Web-Browser-Neues-History-Leck-schwer-…
*** [2014-06-06] Multiple critical vulnerabilities in WebTitan ***
---------------------------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan web filtering solution. By exploiting these vulnerabilities, potential attackers could take control of the entire appliance.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-06-2014 18:00 − Thursday 05-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Peek Inside a Professional Carding Shop ***
---------------------------------------------
Over the past year, I've spent a great deal of time trolling a variety of underground stores that sell "dumps" -- street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash.
---------------------------------------------
http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
*** Daktronics Vanguard Hardcoded Credentials ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a hardcoded password vulnerability affecting Daktronics Vanguard highway notification sign configuration software. According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign.
---------------------------------------------
http://ics-cert.us-cert.gov//alerts/ICS-ALERT-14-155-01
*** New Apple operating systems bring security mysteries ***
---------------------------------------------
Apple's march toward seamless integration between the Mac, iPhone and iPad worries some security experts, who say companies may find it more difficult to prevent data leakage on the devices. On Monday, Apple introduced Handoff, a feature in the upcoming iOS 8 and Mac OS X Yosemite that would let a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.
---------------------------------------------
http://www.csoonline.com/article/2360161/data-protection/new-apple-operatin…
*** Android Trojan encrypts memory card ***
---------------------------------------------
Another malware trend reaches Android: after the ransomware Trojans that lock the device, there is now also a pest that encrypts its victim's digital possessions. The crooks demand money to decrypt the data.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Trojaner-verschluesselt-Speich…
*** Security problems with OpenSSL ***
---------------------------------------------
The OpenSSL project has published a warning regarding several security-relevant vulnerabilities. There is the possibility of remote code execution, denial of service and man-in-the-middle attacks. These can affect both OpenSSL clients and servers.
---------------------------------------------
http://cert.at/warnings/all/20140605.html
*** IBM Security Bulletin: Vulnerability which could allow for unauthorized access to an IBM API Management topology ***
---------------------------------------------
There is a vulnerability which could allow for unauthorized access to an IBM API Management topology when a user secures APIs with basic authentication.
CVE(s): CVE-2014-3036
Affected product(s) and affected version(s): IBM API Management V3.0.0.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** They're ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox ***
---------------------------------------------
Privacy threat that allows websites to know what sites you've viewed is revived.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/mZ97m15Wo_M/
*** Security experts isolated over 2 million Gameover bots ***
---------------------------------------------
As part of the actions against the Gameover Zeus botnet, a huge peer-to-peer network had to be taken out. To do so, over two million infected computers had to be manipulated.
---------------------------------------------
http://www.heise.de/security/meldung/Security-Experten-isolierten-ueber-2-M…
*** Security Notice-Statement About the CSRF Vulnerability on Multiple Huawei 3G Wi-Fi Devices ***
---------------------------------------------
Huawei has noticed that several websites reported the CSRF vulnerability on Huawei E355, E5331, E303, B593 3G Mobile Wi-Fi Devices.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Webfwlog - Firewall Log Analyzer ***
---------------------------------------------
Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP.
...
You can sort a report with a single click, 'drill-down' on the reports all the way to the packet level, and save your reports for later use.
---------------------------------------------
http://hack-tools.blackploit.com/2014/06/webfwlog-firewall-log-analyzer.html
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-06-2014 18:00 − Wednesday 04-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GameOver Zeus Takedown Shows Good Early Returns ***
---------------------------------------------
The effect of the takedown of the GameOver Zeus botnet this week has been immediate and significant. Researchers who track the peer-to-peer botnet's activity say that the volume of packets being sent out by infected machines has dropped to almost zero. On Friday, the FBI and Europol, ..
---------------------------------------------
http://threatpost.com/gameover-zeus-takedown-shows-good-early-returns/106429
*** Phishing Tale: An Analysis of an Email Phishing Scam ***
---------------------------------------------
Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we'd tell the story of some spam that was delivered into my own inbox because even security researchers, ..
---------------------------------------------
http://blog.sucuri.net/2014/06/phishing-tale-an-analysis-of-an-email-phishi…
*** Making end-to-end encryption easier to use ***
---------------------------------------------
While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we're releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, ..
---------------------------------------------
http://googleonlinesecurity.blogspot.co.at/2014/06/making-end-to-end-encryp…
*** The Best Of Both Worlds - Soraya ***
---------------------------------------------
Arbor Networks' ASERT has recently discovered a new malware family that combines several techniques to steal payment card information. Dubbed Soraya, meaning 'rich', this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware. Neither of these two techniques is new, but we have not seen them used together in the same piece of malware.
---------------------------------------------
http://www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/
*** COPA-DATA Improper Input Validation ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-154-01
*** DSA-2945 chkrootkit ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2945
*** Adobe Acrobat / Reader XI-X AcroBroker Sandbox Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060030
*** FreeBSD PAM Policy Parser Remote Authentication Bypass ***
---------------------------------------------
http://www.securitytracker.com/id/1030330
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-06-2014 18:00 − Tuesday 03-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Energy Bill Spam Campaign Serves Up New Crypto Malware ***
---------------------------------------------
Everyone hates getting bills, and with each new one it seems like the amount due just keeps getting higher and higher. However, Symantec recently discovered an energy bill currently being ..
---------------------------------------------
http://www.symantec.com/connect/blogs/energy-bill-spam-campaign-serves-new-…
*** Writing robust Yara detection rules for Heartbleed ***
---------------------------------------------
This blog walks through the methodology and process of writing robust Yara rules to detect either Heartbleed vulnerable OpenSSL statically linked or shared libraries which omit version information. Although Yara is designed for pattern matching and typically used by malware researchers we'll show how we can also use it to detect vulnerable binaries.
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/06/writing-robust-yara-detection-rule…
*** Huawei routers can be hijacked from the Internet ***
---------------------------------------------
A series of vulnerabilities in two mobile-network routers from Huawei make it possible to hijack the devices from the Internet. Huawei had already closed one of the vulnerabilities once before, evidently not thoroughly enough.
---------------------------------------------
http://www.heise.de/security/meldung/Huawei-Router-lassen-sich-aus-dem-Inte…
*** TYPO3-EXT-SA-2014-009: Cross-Site Scripting in news ***
---------------------------------------------
It has been discovered that the extension "News system" (news) is susceptible to Cross-Site Scripting
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** Vulnerabilities in All in One SEO Pack Wordpress Plugin Put Millions of Sites At Risk ***
---------------------------------------------
Multiple serious vulnerabilities have been discovered in the widely used "All In One SEO Pack" plugin for WordPress, putting millions of WordPress websites at risk.
---------------------------------------------
https://thehackernews.com/2014/05/vulnerabilities-in-all-in-one-seo-pack.ht…
*** (0Day) Rocket Servergraph Admin Center for TSM userRequest save_server_groups Command Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rocket Servergraph Admin Center for Tivoli Storage Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the userRequest servlet. It is possible to inject arbitrary operating system commands when the servlet ..
---------------------------------------------
http://zerodayinitiative.com/advisories/ZDI-14-166/
*** Using nmap to scan for DDOS reflectors ***
---------------------------------------------
As we have seen in past diaries about reflective DDoS attacks, they are certainly the flavor of the day. US-CERT claims there are several UDP-based protocols that are potential attack vectors. In my experience the most prevalent ones are DNS, NTP, SNMP, and CharGEN. Assuming you have permission, is there an easy way to do good data gathering for these ports on your network? Yes, as a matter of fact it can be done in one simple nmap command.
---------------------------------------------
https://isc.sans.edu/diary/Using+nmap+to+scan+for+DDOS+reflectors/18193
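The diary's own nmap one-liner is behind the link; in nmap terms it amounts to a UDP scan (-sU) of ports 19, 53, 123 and 161 with the NSE scripts for those services. As an added example that is not the diary's code, the Python below hand-builds the request each of those four services reflects (a DNS ANY query, an NTP mode-7 monlist request, an SNMPv1 GetRequest with the "public" community, and any datagram at all for CharGEN), scores the amplification factor from the replies, and includes a live probe that may only be pointed at hosts you are authorised to scan. The query name, the host and the sample responses are constructed.

```python
"""Added example, not the ISC diary's nmap one-liner: hand-built UDP probes for the
four reflector protocols named above (DNS, NTP, SNMP, CharGEN), a scorer for the
amplification factor a reflector would hand an attacker, and a live probe that may
only be used against hosts you are authorised to test. Query name, host and sample
responses are constructed."""
import socket
import struct
from typing import Dict, List, Tuple


def dns_any_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS query for QTYPE ANY (255) with RD set: the classic DNS amplification request."""
    labels = b"".join(
        struct.pack("B", len(part)) + part.encode("ascii")
        for part in name.strip(".").split(".")
    )
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", 255, 1)  # QTYPE ANY, QCLASS IN


def ntp_monlist_probe() -> bytes:
    """NTP mode-7 request: version 2, implementation XNTPD (3), request code MON_GETLIST_1 (42).
    8 bytes in; a vulnerable ntpd answers with up to 100 datagrams of 440 bytes."""
    return bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV with short-form length (enough for a 40-byte probe)."""
    if len(body) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(body)]) + body


def snmp_get_sysdescr(community: bytes = b"public", request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) using a default community."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # arcs 1.3 pack into 0x2B, then one byte per arc
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))  # OID + NULL value
    pdu = _tlv(
        0xA0,  # GetRequest-PDU
        _tlv(0x02, bytes([request_id]))
        + _tlv(0x02, b"\x00")  # error-status
        + _tlv(0x02, b"\x00")  # error-index
        + _tlv(0x30, varbind),
    )
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + pdu)  # version 0 = SNMPv1


def chargen_probe() -> bytes:
    """RFC 864: any datagram makes a CharGEN server reply with 0..512 bytes of text."""
    return b"\x00"


PROBES: Dict[str, Tuple[int, bytes]] = {
    "dns": (53, dns_any_query("example.com")),  # constructed query name
    "ntp": (123, ntp_monlist_probe()),
    "snmp": (161, snmp_get_sysdescr()),
    "chargen": (19, chargen_probe()),
}


def amplification(probe: bytes, responses: List[bytes]) -> float:
    """Bandwidth amplification factor: response bytes per probe byte (0.0 if silent)."""
    if not responses:
        return 0.0
    return sum(len(r) for r in responses) / len(probe)


def probe_host(host: str, port: int, payload: bytes, timeout: float = 2.0,
               max_datagrams: int = 128) -> List[bytes]:
    """Send one datagram and collect every reply until the socket goes quiet.
    Needs network access; only for hosts you are authorised to scan."""
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (host, port))
        try:
            while len(replies) < max_datagrams:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


def report(results: Dict[str, List[bytes]]) -> Dict[str, float]:
    """Map each service to its amplification factor; anything above 1.0 is a usable reflector."""
    return {svc: amplification(PROBES[svc][1], results.get(svc, [])) for svc in PROBES}


if __name__ == "__main__":
    # Constructed replies standing in for a live scan of a hypothetical host 192.0.2.10.
    sample = {"ntp": [b"\x00" * 440] * 100, "dns": [b"\x00" * 3000], "chargen": [b"\x00" * 512]}
    for svc, factor in report(sample).items():
        print(f"{svc:8s} udp/{PROBES[svc][0]:<3d} amplification x{factor:.1f}")
```

To scan a host you own, replace the constructed sample with `{svc: probe_host(host, port, payload) for svc, (port, payload) in PROBES.items()}`; a service that answers at all with a factor above 1.0 is what the diary's scan is hunting for.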
*** dbus-glib pam_fprintd Local Root Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060009
*** DCMTK Privilege Escalation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060011
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 30-05-2014 18:00 − Monday 02-06-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Play Store grants apps more permissions without asking ***
---------------------------------------------
The Play Store is being renovated once again, but in doing so Google is also sawing at load-bearing walls. In the current version, app permissions are grouped together, so new permissions do not always have to be approved.
---------------------------------------------
http://www.heise.de/security/meldung/Play-Store-ermoeglicht-Apps-mehr-Recht…
*** CVE-2014-2120 - A Tale of Cisco ASA 'Zero-Day' ***
---------------------------------------------
A few months ago I was trying to PoC a known cross-site scripting vulnerability in the Cisco ASA WebVPN portal (CVE-2013-3414) for inclusion in the TrustKeeper Scan Engine. I tried a number of different techniques on multiple different ASA versions/branches and I simply could not tease out a viable PoC. At my wits' end, I ..
---------------------------------------------
http://blog.spiderlabs.com/2014/05/cve-2014-2120-a-tale-of-cisco-asa-0-day.…
*** FTP credentials compromised ***
---------------------------------------------
As Heise reports, BSI/CERT-Bund has informed many providers that credentials for FTP accounts have been found. This did not affect only Germany; the same source also informed other CERTs and security teams. We received the same data as our German colleagues, ..
---------------------------------------------
http://www.cert.at/services/blog/20140530100952-1151.html
*** WordPress iMember360is 3.9.001 XSS Disclosure Code Execution ***
---------------------------------------------
WordPress iMember360is 3.9.001 XSS Disclosure Code Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014060001
*** Security: Heartbleed found in WLAN routers ***
---------------------------------------------
The Heartbleed bug is apparently still present in numerous WLAN routers, specifically in the EAP authentication protocol. This is reported by security expert Luis Grangeia.
---------------------------------------------
http://www.golem.de/news/security-heartbleed-in-wlan-routern-gefunden-1406-…
*** CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3) ***
---------------------------------------------
A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.
---------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1101932
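As an added example, not GnuTLS code: the ServerHello parser below shows the field layout the bug sits in and the single comparison that fixes it. The session_id length is a byte the server chooses; TLS caps the field at 32 bytes, so a parser that copies the declared length into a 32-byte buffer without checking it can be overrun by up to 223 bytes. The random bytes and cipher suite in the sample hello are constructed, and the overflow_bytes figure models a fixed-size buffer copy rather than reproducing GnuTLS's own code.

```python
"""Added example, not GnuTLS code: a ServerHello parser with and without the bound on
session_id length that CVE-2014-3466 was missing, plus a builder for the kind of hello a
malicious server would send. Random bytes and cipher suite in the sample are constructed."""
import struct
from typing import Dict, Optional

TLS_MAX_SESSION_ID_SIZE = 32  # RFC 5246 7.4.1.3: SessionID is opaque <0..32>


class TlsParseError(ValueError):
    pass


def parse_server_hello(body: bytes, check_length: bool = True) -> Dict[str, object]:
    """Parse a ServerHello handshake body (what follows the 4-byte handshake header):
      ProtocolVersion(2) Random(32) SessionID<0..32> CipherSuite(2) CompressionMethod(1)
    With check_length=False the parser trusts the server-supplied length byte, which is
    how a copy into a fixed 32-byte session_id buffer gets overrun."""
    if len(body) < 2 + 32 + 1:
        raise TlsParseError("truncated ServerHello")
    version = struct.unpack(">H", body[0:2])[0]
    server_random = body[2:34]
    sid_len = body[34]
    if check_length and sid_len > TLS_MAX_SESSION_ID_SIZE:
        raise TlsParseError(f"session_id length {sid_len} exceeds {TLS_MAX_SESSION_ID_SIZE}")
    pos = 35
    if len(body) < pos + sid_len + 3:
        raise TlsParseError("truncated after session_id")
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    compression = body[pos + 2]
    return {
        "version": version,
        "random": server_random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
        # bytes a memcpy into uint8_t session_id[32] would write past the end
        "overflow_bytes": max(0, sid_len - TLS_MAX_SESSION_ID_SIZE),
    }


def build_server_hello(session_id: bytes, cipher_suite: int = 0xC02F, version: int = 0x0303,
                       server_random: Optional[bytes] = None) -> bytes:
    """Serialise a ServerHello body; a session_id longer than 32 bytes yields the malicious case."""
    if len(session_id) > 255:
        raise ValueError("the length field is a single byte")
    rnd = server_random if server_random is not None else bytes(32)  # constructed, not random
    return (struct.pack(">H", version) + rnd + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite) + b"\x00")


def is_rejected(body: bytes) -> bool:
    """True when the bounded parser refuses the hello."""
    try:
        parse_server_hello(body)
        return False
    except TlsParseError:
        return True


if __name__ == "__main__":
    good = build_server_hello(b"\x11" * 16)
    print("benign hello, session_id:", parse_server_hello(good)["session_id"].hex())
    evil = build_server_hello(b"A" * 255)  # what a malicious server sends
    print("unchecked parser would overrun by",
          parse_server_hello(evil, check_length=False)["overflow_bytes"], "bytes")
    print("bounded parser rejects it:", is_rejected(evil))
```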
*** DSA-2943-1 php5 -- security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development ..
---------------------------------------------
https://www.debian.org/security/2014/dsa-2943
*** Huawei: sending SMS at someone else's expense ***
---------------------------------------------
A vulnerability in a widely used USB UMTS stick allows attackers to send SMS messages via a manipulated web page. There is no update so far.
---------------------------------------------
http://www.golem.de/news/huawei-sms-verschicken-auf-fremde-kosten-1406-1068…
*** 'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge ***
---------------------------------------------
The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, ..
---------------------------------------------
http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-bo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-05-2014 18:00 − Friday 30-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Third-Party Auth Token Theft: The Big Picture ***
---------------------------------------------
Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with "Covert Redirections". Spoiler alert: there's no catastrophe. For those that haven't heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are...
---------------------------------------------
http://blog.spiderlabs.com/2014/05/third-party_auth_token_theft_the_big_pic…
*** End of TrueCrypt: developer has allegedly lost interest ***
---------------------------------------------
One of the TrueCrypt developers has reportedly spoken up and explained the reasons for the sudden end: they have lost interest. He is said to be skeptical of further development by the community.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-von-Truecrypt-Entwickler-hat-ange…
*** Background: TrueCrypt is insecure - what now? ***
---------------------------------------------
Should we really all switch to BitLocker now, as the TrueCrypt developers suggest? In any case there will be no real successor any time soon, and the TrueCrypt developers are not least to blame for that.
---------------------------------------------
http://www.heise.de/security/artikel/Truecrypt-ist-unsicher-und-jetzt-22114…
*** ThreadFix v2.1M1 Released ***
---------------------------------------------
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. ThreadFix is licensed under the Mozilla Public License (MPL) version 2.0.
---------------------------------------------
http://www.toolswatch.org/2014/05/threadfix-v2-1m1-released/
*** New Attack Methods Can brick Systems, Defeat Secure Boot, Researchers Say ***
---------------------------------------------
IDG News Service - The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
---------------------------------------------
http://www.cio.com/article/753439/New_Attack_Methods_Can_39_brick_39_System…
*** Thieves Planted Malware to Hack ATMs ***
---------------------------------------------
A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.
---------------------------------------------
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
*** Heartbleed bug: OpenSSL gets a security audit and two full-time employees ***
---------------------------------------------
The Linux Foundation is collecting money for core infrastructure such as OpenSSL and is now announcing its first plans. Linux kernel hackers, Bruce Schneier and Eben Moglen are to advise the project.
---------------------------------------------
http://www.golem.de/news/heartbleed-bug-openssl-bekommt-security-audit-und-…
*** When Networks Turn Hostile ***
---------------------------------------------
We've previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CL6K-SnbQJQ/
*** Triangle MicroWorks Uncontrolled Resource Consumption ***
---------------------------------------------
Adam Crain of Automatak and Chris Sistrunk of Mandiant have identified an uncontrolled resource consumption vulnerability in Triangle MicroWorks products and third-party components. Triangle MicroWorks has produced an update that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-01
*** Cogent Datahub Vulnerabilities ***
---------------------------------------------
Independent researcher Alain Homewood has identified four vulnerabilities in the Cogent Real-Time Systems DataHub application. Cogent Real-Time Systems has produced a new version that mitigates three of the four identified vulnerabilities; they have recommended a mitigation for the unresolved vulnerability. The researcher has tested the new version to validate that it resolves three of the four vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-02
*** VMSA-2014-0005 ***
---------------------------------------------
VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0005.html
*** VMSA-2014-0002.3 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** ElasticSearch Dynamic Script Arbitrary Java Execution ***
---------------------------------------------
Topic: ElasticSearch Dynamic Script Arbitrary Java Execution. Risk: High. Text: a Metasploit module ("# This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...").
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050154
*** VU#325636: Huawei E303 contains a cross-site request forgery vulnerability ***
---------------------------------------------
Vulnerability Note VU#325636. Original release date: 30 May 2014 | Last revised: 30 May 2014. Overview: The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability. Description: Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network. CWE-352:
---------------------------------------------
http://www.kb.cert.org/vuls/id/325636
*** VU#124908: Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#124908. Original release date: 30 May 2014 | Last revised: 30 May 2014. Overview: The Dell ML6000 and Quantum Scalar i500 tape backup systems contain a command injection vulnerability. Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection). Dell's and Quantum's advisories state the following: The tape library's remote user interface...
---------------------------------------------
http://www.kb.cert.org/vuls/id/124908
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 27-05-2014 18:00 − Wednesday 28-05-2014 18:00
Handler: Christian Wojner
Co-Handler: Stephan Richter
*** Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool ***
---------------------------------------------
At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world.
---------------------------------------------
http://www.symantec.com/connect/blogs/spam-campaign-spreading-malware-disgu…
*** [2014-05-28] Root Backdoor & Unauthenticated access to voice recordings in NICE Recording eXpress ***
---------------------------------------------
Attackers are able to completely compromise the voice recording / surveillance solution "NICE Recording eXpress" as they can gain access to the system and database level and listen to recorded calls without prior authentication or exploit a root backdoor account.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Apple Ransomware Targeting iCloud Users Hits Australia ***
---------------------------------------------
A handful of iPhone, iPad and Mac users, largely confined to Australia, awoke Tuesday to discover their devices had been taken hostage by ransomware.
---------------------------------------------
http://threatpost.com/apple-ransomware-targeting-icloud-users-hits-australi…
*** iPhone "kidnapping" via remote access: Apple stresses that iCloud is secure ***
---------------------------------------------
In a statement, Apple says the extortion attempts currently circulating in Australia, in which attackers remotely lock Apple hardware, have nothing to do with security problems in iCloud. Weak passwords are to blame.
---------------------------------------------
http://www.heise.de/security/meldung/iPhone-Entfuehrung-per-Fernzugriff-App…
*** Bugtraq: LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532224
*** Kali Linux: pentesting stick with encryption and panic button ***
---------------------------------------------
Anyone who installs Kali Linux on a USB stick can finally encrypt the data partition with version 1.0.7. This protects sensitive data from prying eyes. In addition, there is a self-destruct mechanism.
---------------------------------------------
http://www.heise.de/security/meldung/Kali-Linux-Pentesting-Stick-mit-Versch…
Next End-of-Shift report on 2014-05-30
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 26-05-2014 18:00 − Tuesday 27-05-2014 18:00
Handler: Christian Wojner
Co-Handler: Stephan Richter
*** Mac OS X: VirusTotal releases uploader ***
---------------------------------------------
The virus-scanning service acquired by Google has released a tool that lets Mac users upload suspicious files and programs for checking. VirusTotal hopes to gain deeper insight into OS X malware.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-VirusTotal-veroeffentlicht-Up…
*** Malicious Redirections to Porn Websites ***
---------------------------------------------
The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern in that they only targeted mobile devices. They are highly conditional as well, making it challenging for webmasters to detect. Let's take a minute to explain...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/aMQhA3--dfg/website-infection…
*** Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass ***
---------------------------------------------
Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/yKbonlXYDrk/
*** Youve got Mail! But someone else is reading it in Outlook for Android ***
---------------------------------------------
Researchers say Redmond forgot to encrypt messages stored on Android SD cards. Researchers have found privacy holes in Microsoft's Outlook Android app that expose user data when the user's security settings have not been tightened.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/27/prying_priv…
*** Mt. Gox: Bitcoin prices allegedly manipulated by bots ***
---------------------------------------------
New speculation about the insolvent Bitcoin exchange Mt. Gox: according to an analysis, bots drove up prices on the exchange and bought at least around 570,000 bitcoins.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mt-Gox-Bitcoin-Preise-angeblich-durc…
*** Remote management feature: online crooks hijack Macs and iPhones ***
---------------------------------------------
With "Find My iPhone" and "Find My Mac", users can lock stolen hardware via their Apple ID. If that Apple ID falls into the wrong hands, extortionists can do the same. In Australia, such "kidnappings" are said to be happening more often at the moment.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Fernwartungsfunktion-Onlineganoven-e…
*** cPanel cgiemail Character Injection Flaw Lets Remote Users Send SPAM via the System ***
---------------------------------------------
A remote user can inject newline characters via certain parameters to modify email fields and send SPAM to arbitrary destination addresses via cgiemail.
---------------------------------------------
http://www.securitytracker.com/id/1030287
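As an added example, not cPanel's or cgiemail's code: the pattern behind this class of bug and the check that closes it. The "subject" and the addresses below are constructed; the point is that the receiving MTA parses the injected line as a real Bcc header and delivers to it.

```python
"""Added example, not cPanel or cgiemail code: how a newline smuggled into a form
field turns into an extra mail header (here a Bcc to arbitrary recipients), and the
check that stops it. Addresses and the attacker's subject are constructed."""
import email
from typing import List


def build_message_unsafe(to: str, subject: str, body: str) -> str:
    """Form-mailer anti-pattern: user fields pasted straight into the header block."""
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}"


def safe_header(value: str) -> str:
    """Reject CR, LF and NUL so a field can never terminate the header it lives in.
    Apply this to the decoded value: %0d%0a in form data is CRLF after URL-decoding."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("header injection attempt")
    return value


def build_message_safe(to: str, subject: str, body: str) -> str:
    """Same layout, but every user-controlled header value goes through safe_header()."""
    return f"To: {safe_header(to)}\r\nSubject: {safe_header(subject)}\r\n\r\n{body}"


def recipients(raw: str) -> List[str]:
    """Parse the finished message the way an MTA would and list every recipient header."""
    msg = email.message_from_string(raw)
    found: List[str] = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            found.extend(addr.strip() for addr in value.split(","))
    return found


def is_rejected(to: str, subject: str) -> bool:
    """True when the hardened builder refuses the submitted fields."""
    try:
        build_message_safe(to, subject, "")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed attacker input: a "subject" carrying a CRLF and a Bcc header.
    subject = "Hello\r\nBcc: victim1@example.net, victim2@example.net"
    print("unsafe builder delivers to:", recipients(build_message_unsafe("owner@example.org", subject, "hi")))
    print("hardened builder rejects it:", is_rejected("owner@example.org", subject))
```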
*** Avast forum falls victim to hacker attack ***
---------------------------------------------
Unknown attackers managed to copy the usernames, e-mail addresses and encrypted passwords of 350,000 users. The CEO of the antivirus vendor considers it possible that the hackers can obtain the plaintext passwords.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Forum-faellt-Hackerangriff-zum-O…
*** Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.
---------------------------------------------
http://typo3.org/news/article/multiple-vulnerabilities-in-typo3-cms-1/
*** Amazon's AWS offers block-level encryption ***
---------------------------------------------
Users of Amazon's cloud offerings can encrypt the data stored on their virtual drives.
---------------------------------------------
http://www.heise.de/security/meldung/Amazons-AWS-bietet-Verschluesselung-au…
*** Top 10 Windows Server Security Misconfigurations ***
---------------------------------------------
Introduction According to Wikipedia, 32.6% of servers on the Internet are running Microsoft Windows. The purpose of this article is to create awareness among system administrators and managers about some of the areas on which it is important to focus when implementing a new Windows build or when hardening the security of an existing server. The Survey One of the activities of the @NCCGroupInfosec team is to perform build reviews on clients' systems, looking for any misconfigurations that...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/05/top-10-windows-server-security-mis…
*** Zeus-Carberp Hybrid Trojan Pops Up ***
---------------------------------------------
Researchers have discovered a new hybrid Trojan that combines elements of two of the more notorious crimeware strains of the last few years: Zeus and Carberp. It's not uncommon for malware writers to steal bits and pieces of code from one another, but both Zeus and Carberp were once exclusively private tools, but the source...
---------------------------------------------
http://threatpost.com/zeus-carberp-hybrid-trojan-pops-up/106283
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 23-05-2014 18:00 − Monday 26-05-2014 18:00
Handler: Christian Wojner
Co-Handler: Stephan Richter
*** Long run compromised accounting data based type of managed iframe-ing service spotted in the wild ***
---------------------------------------------
In a cybercrime ecosystem dominated by DIY (do-it-yourself) malware/botnet generating releases, populating multiple market segments on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting data, for the purpose of achieving a positive ROI (Return on Investment) on their fraudulent operations. In a series of blog posts, we've been detailing the existence of commercially available server-based malicious...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/HvVQ_hnfyXQ/
*** RAT in a jar: A phishing campaign using Unrecom + IOC's ***
---------------------------------------------
In the past two weeks, we have observed an increase in attack activity against the U.S. state and local government, technology, advisory services, health, and financial sectors through phishing emails with what appears to be a remote access trojan (RAT) known as Unrecom. The attack has also been observed against the financial sector in Saudi Arabia and Russia.
---------------------------------------------
http://www.fidelissecurity.com/webfm_send/382 (PDF)
http://www.fidelissecurity.com/files/files/FTA1013_RAT_in_a_jar_IOCs.xlsx
*** Hackers claim MitM attack enables iCloud security feature bypass ***
---------------------------------------------
Hackers claim that the iOS Activation Lock, a feature that makes it harder for crooks to use and sell lost or stolen Apple mobile devices, can be bypassed in a MitM attack.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/kJtdTS-KQeU/
*** US may block visas for Chinese hackers attending DefCon, Black Hat ***
---------------------------------------------
Organizers of those conferences skeptical of the move to exclude Chinese nationals.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/Cny7FF2H8rU/
*** Warning about update hack for Windows XP ***
---------------------------------------------
With a trick, one can make Microsoft's update server believe one is running a special version of Windows XP that will continue to receive updates until April 2019. This is not entirely without risk, however.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Warnung-vor-Update-Hack-fuer-Windows…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-05-2014 18:00 − Thursday 22-05-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** 145 million customers affected by eBay hack ***
---------------------------------------------
Unknown attackers have copied a large part of the customer database of the online trading platform. While pressure on eBay is mounting, there are first indications that the stolen data is already being misused.
---------------------------------------------
http://www.heise.de/security/meldung/145-Millionen-Kunden-von-eBay-Hack-bet…
*** Multiple Vulnerabilities in Cisco NX-OS-Based Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SA-CONTRIB-2014-057 - Password policy - General logic error ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-057, Project: Password policy (third-party module), Version: 7, Security risk: Moderately critical; This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their ..
---------------------------------------------
https://drupal.org/node/2271839
*** SA-CONTRIB-2014-055 - Require Login - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-055, Project: Require Login (third-party module), Version: 7, Security risk: Moderately critical; This module enables you to restrict access to a site for all non-authenticated users. The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users. This vulnerability is mitigated by the fact that private/sensitive information ..
---------------------------------------------
https://drupal.org/node/2271837
*** SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-056, Project: Commerce Moneris (third-party module), Version: 7, Security risk: Critical; Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce. The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is ..
---------------------------------------------
https://drupal.org/node/2271823
*** SA-CONTRIB-2014-054 - Views - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-054, Project: Views (third-party module), Version: 7, Security risk: Moderately critical; The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module doesn't sufficiently check handler access when returning the list of handlers ..
---------------------------------------------
https://drupal.org/node/2271809
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM WebSphere Portal ***
---------------------------------------------
IBM WebSphere Application Server is shipped as a component of IBM WebSphere Portal. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in security bulletins. CVE(s): CVE-2014-0963 Affected product(s) ..
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services ***
---------------------------------------------
Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious 'know-how', further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of the boutique cybercrime-friendly E-shops, we've been emphasizing the over-supply of compromised/stolen accounting data, efficiently aggregated ..
---------------------------------------------
http://www.webroot.com/blog/2014/05/21/peek-inside-newly-launched-one-e-sho…
*** Redmond won't fix IE 8 zero day, says harden up instead ***
---------------------------------------------
Phishers get fresh code execution bait. Microsoft has decided not to fix an IE 8 zero-day first identified seven months ago, instead telling users to harden up their browsers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/22/ie_8_zero_d…
*** Hackers claim to have cracked Apple's iOS activation lock ***
---------------------------------------------
A team from the Netherlands and Morocco claims to have circumvented the iCloud-integrated feature with which Apple intends to prevent the use of stolen iPhones and iPads - allegedly via a man-in-the-middle attack. So far, many details are missing.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-wollen-Apples-iOS-Aktivierungss…
*** Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. Vulnerability Types: Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. Overall Severity: Medium
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-s…
*** XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques ***
---------------------------------------------
The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. ... When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well.
---------------------------------------------
http://packetstorm.interhost.co.il/papers/general/XMLDTDEntityAttacks.pdf
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-05-2014 18:00 − Wednesday 21-05-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Ebay: Customer data stolen in hacker attack ***
---------------------------------------------
Hackers had access to customer data in February and March
---------------------------------------------
http://derstandard.at/2000001422781
*** Enterprises Still Lax on Privileged User Access Controls ***
---------------------------------------------
The results of a survey commissioned by Raytheon demonstrate that enterprises still don't have a firm grasp on privileged users and their activities on corporate networks.
---------------------------------------------
http://threatpost.com/enterprises-still-lax-on-privileged-user-access-contr…
*** iBanking: Exploiting the Full Potential of Android Malware ***
---------------------------------------------
http://www.symantec.com/connect/blogs/ibanking-exploiting-full-potential-an…
*** World's most pricey trojan is veritable Swiss Army knife targeting Android ***
---------------------------------------------
Malicious Android app contains remote bugging, SMS interception, and much more.
---------------------------------------------
http://arstechnica.com/security/2014/05/worlds-most-pricey-trojan-is-verita…
*** Siemens Industrial Products OpenSSL Heartbleed Vulnerability (Update B) ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-105-03B
*** [2014-05-21] Multiple critical vulnerabilities in CoSoSys Endpoint Protector 4 ***
---------------------------------------------
The software CoSoSys Endpoint Protector is affected by critical, unauthenticated SQL injection vulnerabilities and backdoor accounts.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Security App of the Week: WP Security Audit Log ***
---------------------------------------------
WP Security Audit Log is a WordPress plugin that logs all the actions and events that take place under your website's hood. The plugin is useful not only in case of a data breach, but also for preventing one. The plugin is designed to generate a security alert when certain actions are detected. For instance, ..
---------------------------------------------
http://news.softpedia.com/news/Security-App-of-the-Week-WP-Security-Audit-L…
*** Hook Analyser 3.1 - Malware Analysis Tool ***
---------------------------------------------
Hook Analyser is a freeware application which allows an investigator/analyst to perform 'static & run-time / dynamic' analysis of suspicious applications, and also to gather (analyse & correlate) threat intelligence related information (or data) from various open sources on the Internet.
---------------------------------------------
http://www.darknet.org.uk/2014/05/hook-analyser-3-1-malware-analysis-tool/
*** Why You Should Ditch Adobe Shockwave ***
---------------------------------------------
This author has long advised computer users who have Adobe's Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it's yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, ..
---------------------------------------------
http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/
*** LSE releases authentication tool LinOTP under an open-source licence ***
---------------------------------------------
The authentication tool LinOTP is now available as an open-source product for free download.
---------------------------------------------
http://www.heise.de/newsticker/meldung/LSE-stellt-Authentifizierungs-Tool-L…
*** Bugs in your TV ***
---------------------------------------------
Introduction: As part of our research into the Internet of Things (IoT), we were asked to look at the current generation of Smart TVs and see whether they posed any new issues when used in the home or office. In particular, the latest sets come with built-in cameras (for use with video chat applications, ..
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/05/bugs-in-your-tv/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 19-05-2014 18:00 − Tuesday 20-05-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Blackshades - Coordinated Takedown Leads to Multiple Arrests ***
---------------------------------------------
The FBI, Europol and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the malware known as Blackshades (a.k.a. W32.Shadesrat).
---------------------------------------------
http://www.symantec.com/connect/blogs/blackshades-coordinated-takedown-lead…
*** Moodle Bugs Permit Cross-Site Scripting, Cross-Site Request Forgery, and Information Disclosure Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030256
*** Silverlight finally becomes popular ... with criminals ***
---------------------------------------------
Angler exploit kit targets Redmond's unloved rich web application kit. Silverlight has become a choice target for VXers who are foisting nasty exploit kits on users through hacked advertising networks.
---------------------------------------------
http://www.theregister.co.uk/2014/05/20/silverlight_attacks_spike_as_ekers_…
*** Cisco IOS XR DHCPv6 Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030259
*** Bugtraq: t214: Call for Papers 2014 (Helsinki / Finland) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532154
*** When Networks Turn Hostile ***
---------------------------------------------
We've previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/when-networks-tu…
*** Cisco IOS Software IPv6 Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20110928-ipv6
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security hole in iTunes: BSI urges update ***
---------------------------------------------
A vulnerability caused by Apple's media software allows local users extensive access to other user accounts - the Federal Office for Information Security (BSI) recommends updating to version 11.2.1.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-in-iTunes-BSI-draeng…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 16-05-2014 18:00 − Monday 19-05-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** January-April 2014 ***
---------------------------------------------
The 'NCCIC/ICS-CERT Monitor' newsletter offers a means of promoting preparedness, information sharing, and collaboration with the 16 critical infrastructure sectors. ICS-CERT accomplishes this on a day-to-day basis through sector briefings, meetings, conferences, and information product releases.
This publication highlights recent activities and information products affecting industrial control systems (ICSs), and provides a look ahead at upcoming ICS-related events.
---------------------------------------------
http://ics-cert.us-cert.gov//monitors/ICS-MM201404
*** IBM Security Bulletin: Fixes available for vulnerability in Apache Commons FileUpload contained in IBM WebSphere Portal (CVE-2014-0050) ***
---------------------------------------------
Fixes available for a denial of service vulnerability in the open source library Apache Commons FileUpload which affects IBM WebSphere Portal.
CVE(s): CVE-2014-0050
Affected product(s) and affected version(s):
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Rational ClearCase ***
---------------------------------------------
IBM WebSphere Application Server is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.
CVE(s): CVE-2014-0964
Affected product(s) and affected version(s):
IBM Rational ClearCase, CM Server component, release 7.1.x (7.1.0.x, 7.1.1.x, and 7.1.2.x).
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Mozilla founds "Winter of Security" ***
---------------------------------------------
In Mozilla's programme, students can carry out a project as part of their studies that also has relevance outside the university. The work is accompanied by a developer.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-gruendet-Winter-of-Security-21…
*** Malvertising Up By Over 200% ***
---------------------------------------------
An anonymous reader writes "Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate's Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide. According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ZUq6VAva50Y/story01.htm
*** DDoS Trojans attack Linux ***
---------------------------------------------
May 15, 2014: The fallacy that Linux is fully protected against malware thanks to the specific features of its architecture makes life much easier for intruders distributing such software. In May 2014, Doctor Web's security analysts identified and examined a record-high number of Trojans for Linux, a large portion of which is designed to carry out DDoS (distributed denial of service) attacks. These programs share common features: first, they carry out DDoS attacks via various protocols, and second, they appear ..
---------------------------------------------
http://news.drweb.com/show/?i=5760&lng=en&c=9
*** Security: Database informs about identity theft ***
---------------------------------------------
A database provides information on whether a user's passwords or account data can be found on relevant forums. The information provided by the Hasso Plattner Institute differs from that of the BSI.
---------------------------------------------
http://www.golem.de/news/security-datenbank-informiert-ueber-identitaetskla…
*** Cisco ASA Crafted RADIUS Packets Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of the Remote Authentication Dial-in User Services (RADIUS) code of Cisco ASA Software could allow an authenticated, remote attacker to cause an affected system to reload.
The vulnerability is due to insufficient validation of RADIUS packets including crafted attributes. An attacker could exploit this vulnerability by sending crafted RADIUS packets to the affected system. The attacker must know the RADIUS shared secret and inject the crafted packet while a RADIUS exchange is in progress.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Mid-2014 Tech Security Rundown: 5 Current Exploits Worth Knowing About ***
---------------------------------------------
Here are just a few of the security threats that have risen to prominence in recent months.
...
Rotbrow
Mobile Side Channel Leakage
IoT Hardware & Software
Ad Network Intrusion
Out of Harm's Way
Besides these exploits, web users must contend with on-going threats like SQL injection and cross-site scripting.
---------------------------------------------
http://hackersnewsbulletin.com/2014/05/mid-2014-tech-security-rundown-5-cur…
*** Online banking: Increased attacks on the mTAN procedure ***
---------------------------------------------
Experts warn of increased infections with the Android trojan FakeToken. The software copies received SMS messages containing TANs. Crooks can then empty the victim's account.
---------------------------------------------
http://www.heise.de/security/meldung/Online-Banking-Verstaerkte-Angriffe-au…
*** Cryptography: Faster algorithm for the discrete logarithm problem ***
---------------------------------------------
At the Eurocrypt conference, a faster algorithm for a special variant of the discrete logarithm problem was presented. This problem is the foundation of numerous cryptographic schemes, but there is currently no direct threat to algorithms deployed in practice.
---------------------------------------------
http://www.golem.de/news/kryptographie-schnellerer-algorithmus-fuer-das-dis…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 15-05-2014 18:00 − Friday 16-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** CSWorks Software SQL Injection Vulnerability ***
---------------------------------------------
Researcher John Leitch, working with HP's Zero Day Initiative (ZDI), has identified an SQL injection vulnerability in CSWorks' CSWorks software framework. CSWorks has produced an updated version that mitigates this vulnerability.
This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-135-01
*** Statistics: Encrypted traffic is increasing ***
---------------------------------------------
According to a study, the share of SSL-encrypted connections on the Internet has been rising since the beginning of the revelations by whistleblower Edward Snowden. The increases in the USA and Europe differ, however.
---------------------------------------------
http://www.heise.de/security/meldung/Statistik-Verschluesselter-Datenverkeh…
*** Torque 2.5.13 Buffer Overflow ***
---------------------------------------------
Topic: Torque 2.5.13 Buffer Overflow; Risk: High; Text: A buffer overflow exists in versions of TORQUE which can be exploited in order to remotely execute code from an unauthenticated...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050086
*** Apple Releases OS X 10.9.3, Fixes Serious Flaw in iTunes ***
---------------------------------------------
Apple has released a new version of OS X Mavericks, which includes all of the security fixes it pushed out last month. OS X 10.9.3 includes the patches for the so-called triple handshake SSL vulnerability, as well as fixes for several remote code-execution vulnerabilities.
---------------------------------------------
http://threatpost.com/apple-releases-os-x-10-9-3-fixes-serious-flaw-in-itun…
*** Understanding how Fuzzing Relates to a Vulnerability like Heartbleed ***
---------------------------------------------
Fuzzing is a security-focused testing technique in which a compiled program is executed so that the attack surface can be tested as it actually runs. The attack surfaces are the components of code that accept user input. Since this is the most vulnerable part of code, it should be rigorously tested with anomalous data.
---------------------------------------------
http://labs.bromium.com/2014/05/14/understanding-how-fuzzing-relates-to-a-v…
*** iTunes: Apple closes problematic hole in PC version ***
---------------------------------------------
Update 11.2 plugs a hole through which it was possible to steal iTunes credentials under Windows XP SP3 through 8.
---------------------------------------------
http://www.heise.de/security/meldung/iTunes-Apple-schliesst-problematische-…
*** PayPal Fixes Serious Account Hijacking Bug in Manager ***
---------------------------------------------
PayPal patched a hole in its Manager functionality this week that could have made it easy for an attacker to hijack an admin's account, change their password and steal their personal information -- not to mention their savings.
---------------------------------------------
http://threatpost.com/paypal-fixes-serious-account-hijacking-bug-in-manager…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 13-05-2014 18:00 − Wednesday 14-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Microsoft Security Bulletin Summary for May 2014 - Version: 2.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-MAY
*** Assessing risk for the May 2014 security updates ***
---------------------------------------------
Today we released eight security bulletins addressing 13 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/05/13/assessing-risk-for-the-ma…
*** Operation Saffron Rose ***
---------------------------------------------
There is evolution and development underway within Iranian-based hacker groups that coincides with Iran's efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of ..
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2014/05/operation-sa…
*** Yokogawa Multiple Products Vulnerabilities ***
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-133-01
*** DSA-2927 libxfont ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2927
*** WordPress Formidable Forms Remote Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050069
*** Patch day: Adobe patches Flash and Illustrator ***
---------------------------------------------
On the May patch day, Adobe released security updates for holes in Flash Player and in Adobe Illustrator CS6. The updates for both programs are rated critical by the company.
---------------------------------------------
http://www.heise.de/security/meldung/Patchday-Adobe-flickt-Flash-und-Illust…
*** Security updates available for Adobe Flash Player ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.356 and earlier versions for Linux. These updates address vulnerabilities that could ..
---------------------------------------------
https://helpx.adobe.com/security/products/flash-player/apsb14-14.html
*** Security hotfix available for Adobe Illustrator (CS6) ***
---------------------------------------------
Adobe has released a security hotfix for Adobe Illustrator (CS6) for Windows and Macintosh. This hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system. Adobe recommends users ..
---------------------------------------------
https://helpx.adobe.com/security/products/illustrator/apsb14-11.html
*** Heartbleed victims bury their heads in the sand ***
---------------------------------------------
Anyone who operated a server with an OpenSSL version vulnerable to Heartbleed must assume that their private keys were compromised. Nevertheless, in most cases these keys are still in use.
---------------------------------------------
http://www.heise.de/security/meldung/Heartbleed-Betroffene-stecken-Kopf-in-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 12-05-2014 18:00 − Tuesday 13-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** NSA manipulates US network equipment shipped by post ***
---------------------------------------------
Early this year, Jacob Appelbaum had already claimed that the NSA intercepts devices shipped by post in order to install spyware on them. Now Glenn Greenwald substantiates this accusation: among those affected are routers and servers from Cisco.
---------------------------------------------
http://www.heise.de/security/meldung/NSA-manipuliert-per-Post-versandte-US-…
*** AV company warns again of adware trojan for OS X ***
---------------------------------------------
According to Doctor Web, new adware targeting Mac users is currently in circulation. The unwanted browser plugins are installed along with OS X software.
---------------------------------------------
http://www.heise.de/security/meldung/AV-Firma-warnt-wieder-vor-Adware-Troja…
*** Certificates: DANE and DNSSEC could bring more security ***
---------------------------------------------
DANE could improve the authenticity check of certificates in TLS connections. However, the system requires DNSSEC - and that is barely deployed so far. The mail provider Posteo is now pushing ahead and wants to establish the system.
---------------------------------------------
http://www.golem.de/news/zertifikate-dane-und-dnssec-koennten-mehr-sicherhe…
*** Holes in AVG Remote Administration remain open ***
---------------------------------------------
Upon request, the company stated that it cannot prevent attacks from within the LAN and therefore does not want to close three holes in the software. Through the holes, attackers can disable an organisation's antivirus protection from the inside.
---------------------------------------------
http://www.heise.de/security/meldung/Luecken-in-AVG-Remote-Administration-b…
*** Proactively Hardening Systems Against Intrusion: Configuration Hardening ***
---------------------------------------------
The concept of 'hardening' has nice imagery to it. When we use it to describe battle-hardened soldiers who have been tested in combat a grim, determined image invariably leaps to mind. The same thing happens when we speak of hardened steel that's been repeatedly quenched and tempered, or ..
---------------------------------------------
http://www.tripwire.com/state-of-security/security-data-protection/automati…
*** Adobe Security Bulletins Posted ***
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1100
*** Linux Kernel raw_cmd_copyin() privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93050
*** RSA Security Analytics Lets Remote Users Bypass Authentication ***
---------------------------------------------
http://www.securitytracker.com/id/1030220
*** RSA NetWitness Lets Remote Users Bypass Authentication ***
---------------------------------------------
http://www.securitytracker.com/id/1030219
*** Flag Module for importer code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93086
*** grub-mkconfig local access to password ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050063
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 09-05-2014 18:00 − Monday 12-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Collabtive folder SQL injection ***
---------------------------------------------
Collabtive is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the managefile.php script using the folder parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93029
*** Cobbler kickstart value file include ***
---------------------------------------------
Cobbler could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request using the Kickstart value when creating new profiles, to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93033
*** Bitcoin Miner Utilizing IRC Worm ***
---------------------------------------------
Bitcoin miners have given a new reason for attackers to communicate en masse with infected users. IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands. I recently came across several samples which were bitcoin mining examples leveraging IRC. The malicious binary, once installed, queries for the network shares connected to the
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/2xQ7VPxF-ms/bitcoin-mine…
*** strongSwan Null Pointer Dereference in Processing ID_DER_ASN1_DN ID Payloads Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in strongSwan. A remote user can cause denial of service conditions.
A remote user can send a specially crafted ID_DER_ASN1_DN ID payload to trigger a null pointer dereference and cause the target IKE service to crash.
---------------------------------------------
http://www.securitytracker.com/id/1030209
*** G Data: Symantec's "end of antivirus software" unsettles users ***
---------------------------------------------
Don't be unsettled and keep buying antivirus software - that is G Data's appeal. Symantec had previously stated that, on average, only 45 percent of all attacks are still detected by antivirus software.
---------------------------------------------
http://www.golem.de/news/g-data-symantecs-ende-der-antivirensoftware-veruns…
*** Drupal Flag 7.x-3.5 Command Execution ***
---------------------------------------------
Topic: Drupal Flag 7.x-3.5 Command Execution. Risk: High. Text: Drupal Flag 7.x-3.5 Module Vulnerability Report. Author: Ubani Anthony Balogun. Reported: May 07, 2014 ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050054
*** After Heartbleed: New certificate, old key ***
---------------------------------------------
After the Heartbleed bug, many administrators replaced the certificates for their TLS connections. Many of them, however, made a fatal mistake: they created a new certificate, but not a new key.
---------------------------------------------
http://www.golem.de/news/nach-heartbleed-neues-zertifikat-alter-key-1405-10…
*** Backdoor Xtrat Continues to Evade Detection ***
---------------------------------------------
While reviewing recent reports scanned by ZULU, we came across a malicious report that drew our attention. It was notable as the final redirection downloaded ZIP content by accessing a PHP file on the domain www.stisanic.com. URL: hxxp://www[.]stisanic[.]com/wp-content/coblackberrycomnotasdevozdate07052014[.]php ZULU's VirusTotal check scored the file as higher risk. At the time 10
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/OqS4L1x6ebQ/backdoor-xtr…
*** Link-shortening service Bit.ly suffers data breach ***
---------------------------------------------
We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
---------------------------------------------
http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-you…
*** Fake certificates undermine HTTPS connections ***
---------------------------------------------
Researchers speak of a significant share of encrypted communication - mainly firewalls and antivirus software are responsible
---------------------------------------------
http://derstandard.at/1399507237936
*** Linux kernel: root privileges for users ***
---------------------------------------------
A bug in the Linux kernel allows an ordinary user to gain root privileges. The bug has been known for a good week, but now there is a public exploit.
---------------------------------------------
http://www.golem.de/news/linux-kernel-root-rechte-fuer-nutzer-1405-106407-r…
*** Race Condition in the Linux kernel ***
---------------------------------------------
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
---------------------------------------------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
*** Unknown parties offer 33 million e-mail addresses for sale ***
---------------------------------------------
This could trigger the next wave of spam: unknown parties are offering several million e-mail addresses from German providers for sale via e-mail. Allegedly these are 100 percent valid addresses.
---------------------------------------------
http://www.heise.de/security/meldung/Unbekannte-bieten-33-Millionen-E-Mail-…
*** HPSBST03038 rev.1 - HP H-series Fibre Channel Switches, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with certain HP H-series Fibre Channel Switches. This vulnerability could be exploited remotely to disclose information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Bugtraq: ESA-2014-027: RSA NetWitness and RSA Security Analytics Authentication Bypass Vulnerability ***
---------------------------------------------
RSA NetWitness and RSA Security Analytics each contain a security fix for an authentication bypass vulnerability that could potentially be exploited to compromise the affected system. When PAM for Kerberos is enabled, an attacker can authenticate to the vulnerable system with a valid user name and without specifying a password. This issue does not affect other authentication methods.
---------------------------------------------
http://www.securityfocus.com/archive/1/532077
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 08-05-2014 18:00 − Friday 09-05-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Advance Notification Service for the May 2014 Security Bulletin Release ***
---------------------------------------------
Today we provide Advance Notification Service (ANS) for the release of eight bulletins, two rated Critical and six rated Important in severity. These updates will address vulnerabilities for .NET Framework, Office, Internet Explorer, and Windows. As we do every month, we've scheduled the security bulletin release for the second Tuesday of the month, May 13, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for deployment guidance and further analysis together with a brief
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/05/08/advance-notification-ser…
*** Prenotification Security Advisory for Adobe Reader and Acrobat ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, May 13, 2014 for Adobe Reader and Acrobat XI (11.0.06) and earlier versions for Windows and Macintosh.
---------------------------------------------
https://helpx.adobe.com/security/products/reader/apsb14-15.html
*** SQL Injection In Insert, Update, And Delete ***
---------------------------------------------
This is a brief whitepaper that goes over different payloads that can be leveraged in SQL injection attacks.
---------------------------------------------
http://packetstormsecurity.com/files/126527/SQL-Injection-In-Insert-Update-…
*** SNMP: The next big thing in DDoS Attacks? ***
---------------------------------------------
It started with DNS: Simple short DNS queries are easily spoofed and the replies can be much larger than the request, leading to an amplification of the attack by orders of magnitude. Next came NTP. Same game, different actors: NTP's "monlist" feature allows for small requests (again: UDP, so trivially spoofed) and large responses. Today, we received a packet capture from a reader showing yet another reflective DDoS mode: SNMP. The "reflector" in this case...
---------------------------------------------
https://isc.sans.edu/diary/SNMP%3A+The+next+big+thing+in+DDoS+Attacks%3F/18…
*** Heartbleed, IE Zero Days, Firefox vulnerabilities - What's a System Administrator to do? ***
---------------------------------------------
With the recent headlines, we've seen Heartbleed (which was not exclusive to Linux, but was predominately there), an IE zero day that had folks over-reacting with headlines of "stop using IE", but Firefox and Safari vulnerabilities were not that far back in the news either. So what is "safe"? And as a System Administrator or CSO, what should you be doing to protect your organization?
---------------------------------------------
https://isc.sans.edu/diary/Heartbleed%2C+IE+Zero+Days%2C+Firefox+vulnerabil…
*** Exploit Kit Roundup: Best of Obfuscation Techniques ***
---------------------------------------------
The world of exploit kits is an ever-changing one, if you happen to look away even just for one month, you'll come back to find that most everything has changed around you. Because of this, people like us, who work on a secure web gateway product, are continuously immersed in the world of exploit kits. Every once in a while it's a good idea to stop, take a look around us, and review what's changed. We would like to share some of the more interesting obfuscation techniques
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/R9KtNDgyouY/exploit-ki…
*** Surge in Viknok infections bolsters click fraud campaign ***
---------------------------------------------
Researchers detected over 16,500 Viknok infections in the first week of May alone.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/6mC7Lf47bgY/
*** Malicious DIY Java applet distribution platforms going mainstream - part two ***
---------------------------------------------
In a cybercrime ecosystem, dominated by client-side exploits serving Web malware exploitation kits, cybercriminals continue relying on good old fashioned social engineering tricks in an attempt to trick gullible end users into knowingly/unknowingly installing malware. In a series of blog posts, we've been highlighting the existence of DIY (do-it-yourself), social engineering driven, Java drive-by type of Web based platforms, further enhancing the current efficient state of social...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/6wG1i4Gl5HQ/
*** Bitly shortens life of users passwords after credential compromise ***
---------------------------------------------
OAuth tentacles mean it's time to change ANOTHER password. URL-shortening and online marketing outfit Bit.ly has warned its systems have been accessed by parties unknown and suggested users change their passwords.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/09/bitly_short…
*** Weekly Metasploit Update: Disclosing Usernames, More Flash Bugs, and Wireshark Targets ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/05/08/weekly-me…
*** Heartbleed: 300,000 servers still vulnerable ***
---------------------------------------------
Four weeks after the flaw surfaced, a study shows only little progress
---------------------------------------------
http://derstandard.at/1399507030882
*** Cyber Security Challenge seeks Austrian IT talent ***
---------------------------------------------
For the third time, the Cyber Security Challenge Austria is looking for young hacking talent. This year there is also a Europe-wide competition.
---------------------------------------------
http://futurezone.at/netzpolitik/cyber-security-challenge-sucht-oesterreich…
*** CVE-2014-3214: A Defect in Prefetch Can Cause Recursive Servers to Crash ***
---------------------------------------------
A defect in the pre-fetch feature (which is enabled by default) can cause BIND 9.10.0 to terminate with a "REQUIRE" assertion failure if it processes queries whose answers have particular attributes. This can be triggered as the result of normal query processing.
---------------------------------------------
https://kb.isc.org/article/AA-01161
*** QNAP-Photostation V.3.2 XSS ***
---------------------------------------------
XSS vulnerability in QNAP-Photostation V.3.2 (on QNAP NAS TS259+ Pro - firmware 4.0.7 of 12.04.2014)
---------------------------------------------
http://sdcybercom.wordpress.com/2014/04/25/qnap-cross-site-scripting-nicht-…
*** Digi International OpenSSL Vulnerability ***
---------------------------------------------
Digi International has identified five products that are vulnerable to the OpenSSL Heartbleed bug. Digi International has produced downloadable firmware upgrade versions that mitigate this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-128-01
*** IBM Security Bulletins for TADDM ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Kaspersky Internet Security Null Pointer Dereference in prremote.dll Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1030203
*** Multiple BIG-IP products iControl command execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93015
*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2014-0913) ***
---------------------------------------------
IBM iNotes versions 9.0.1 and 8.5.3 Fix Pack 6 contain a cross-site scripting vulnerability. The fixes for these issues were introduced in IBM Domino and IBM iNotes versions 9.0.1 Fix Pack 1 and 8.5.3 Fix Pack 6 Interim Fix 2.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21671981
*** HPSBMU03035 rev.1 - HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross-Site Scripting (XSS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP Network Node Manager I (NNMi) on HP-UX, Linux, Solaris, and Windows. This vulnerability could be exploited remotely to allow cross-site scripting (XSS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBGN03008 rev.2 - HP Software Service Manager, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information ***
---------------------------------------------
The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded in some HP Software products. This bulletin's objective is to notify HP Software customers about products affected by the Heartbleed vulnerability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** R7-2013-19.2 Disclosure: Yokogawa CENTUM CS 3000 BKESimmgr.exe Buffer Overflow (CVE-2014-0782) ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-1…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 07-05-2014 18:00 − Thursday 08-05-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** The State of Cryptography in 2014, Part 2: Hardware, Black Swans, and What To Do Now ***
---------------------------------------------
We continue our look into the state of cryptography in 2014; Part 1 was posted earlier this week. Is Hardware Security Any Better? We closed the first post by asking: is hardware any more trustworthy? One would think that it is - but it's not. Recently, chip vendors have been incorporating cryptography into their CPUs or chipsets. Usually,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5erAjAwWMmU/
*** SIRv16: Cybercriminal tactics trend toward deceptive measures ***
---------------------------------------------
Microsoft's Security Intelligence Report volume 16 (SIRv16) was released today, providing threat trends on malware encounter rates, infection rates, vulnerabilities, exploits, and more for 110 countries/regions worldwide. The report is designed to help IT and security professionals better protect themselves and their organizations from cyberattacks. Malware data is gathered from the Malicious Software Removal Tool (MSRT), which is used to calculate the infection rate...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/05/07/sirv16-cybercriminal-tac…
*** Case Study: Analyzing the Origins of a DDoS Attack ***
---------------------------------------------
Recently a client was experiencing a massive layer 7 DDoS attack, generating tens of thousands of random HTTP requests per second to the server. The architecture of the website included a cluster of three web servers responsible for handling all incoming traffic, which did little to alleviate the pressures brought about by the attack. An interesting...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/7nrfa2OwFuo/map-of-a-ddos-att…
*** Samsung NX300 system camera opens the door wide for hackers ***
---------------------------------------------
The camera contains a whole series of security holes, including a wide-open X server and a reprogrammable NFC chip. Attackers could use these to execute malicious code on the device.
---------------------------------------------
http://www.heise.de/security/meldung/Systemkamera-Samsung-NX300-oeffnet-Hac…
*** April 2014 virus activity review from Doctor Web ***
---------------------------------------------
April 30, 2014: April 2014 proved to be quite fruitful in terms of the emergence of new threats. In particular, Doctor Web's security researchers discovered a new multi-purpose backdoor targeting Windows. Also registered were numerous incidents involving adware browser extensions for Mac OS X. In addition, a variety of signatures for Android malware were added to the virus databases.
---------------------------------------------
http://news.drweb.com/show/?i=4376&lng=en&c=9
*** Volafox Mac OS X Memory Analysis Toolkit ***
---------------------------------------------
Volafox is an open source toolkit that you can use for Mac OS X and BSD forensics. The tool is Python-based and allows investigating security incidents and finding information about malware and any malicious program on the system. Security analysts can obtain the following information using this tool:...
---------------------------------------------
http://www.sectechno.com/2014/05/04/volafox-mac-os-x-memory-analysis-toolki…
*** Security: Serious vulnerability in AVG Remote Administration ***
---------------------------------------------
Users of the remote administration package AVG Remote Administration should urgently install a current patch. Until now it was possible for attackers to inject code through the program - but that is not the only hole, others are still open.
---------------------------------------------
http://www.golem.de/news/security-gravierende-luecke-in-avg-remote-administ…
*** [2014-05-08] Multiple critical vulnerabilities in AVG Remote Administration ***
---------------------------------------------
Attackers are able to completely compromise the AVG Admin server (part of AVG Remote Administration) system as they can gain full access at the application and system level by exploiting remote code execution, authentication bypass, missing entity authentication and insecure encryption vulnerabilities. Attackers can also manage endpoints and possibly deploy attacker-controlled code on endpoints.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players ***
---------------------------------------------
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. Exploitation of these vulnerabilities could allow a remote attacker to cause an affected player to crash and, in some cases, could allow a remote attacker to execute arbitrary code on the system of a targeted user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-049. Project: Organic groups (third-party module). Version: 7.x. Date: 2014-May-07. Security risk: Moderately critical. Exploitable from: Remote. Vulnerability: Access bypass. Description: Organic groups (OG) enables users to create and manage their own groups. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG doesn't sufficiently check the permissions when a group member is in pending or blocked status within...
---------------------------------------------
https://drupal.org/node/2261245
*** Ruby on Rails Implicit Render Bug Lets Remote Users Obtain Files From the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1030210
*** HP Security Bulletins ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vuln: vBulletin Multiple Cross Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/66972
*** Vuln: SAP Solution Manager Background Processing Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/67107
*** Vuln: SAP NetWeaver Portal WD Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/67104
*** Security Advisory-Radius Vulnerability on Some Huawei Devices ***
---------------------------------------------
On Huawei Campus Switch, AR, SRG and WLAN devices, the RADIUS component cannot handle malformed RADIUS packets. This vulnerability allows attackers to repeatedly restart the device, causing a DoS condition (Vulnerability ID: HWPSIRT-2014-0307).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 06-05-2014 18:00 − Wednesday 07-05-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** TLS 1.3 Working Group Has Consensus to Deprecate RSA Key Transport ***
---------------------------------------------
RSA key transport cipher suites could be deprecated in TLS 1.3 in favor of Diffie-Hellman key exchange or elliptic-curve Diffie-Hellman.
---------------------------------------------
http://threatpost.com/tls-1-3-working-group-has-consensus-to-deprectate-rsa…
*** Antivirus is Dead: Long Live Antivirus! ***
---------------------------------------------
An article in The Wall Street Journal this week quoted executives from antivirus pioneer Symantec uttering words that would have been industry heresy a few years ago, declaring antivirus software "dead" and stating that the company is focusing on developing technologies that attack online threats from a different angle. This hardly comes as news for anyone in the security industry who's been paying attention over the past few years, but I'm writing about it because this is a great
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/INOFThmd17Q/
*** Security in focus at the Linuxwochen in Vienna ***
---------------------------------------------
From 8 to 10 May, numerous talks and workshops on Linux, Open Data and Open Source take place at the FH Technikum Wien.
---------------------------------------------
http://futurezone.at/digital-life/sicherheit-im-fokus-der-linuxwochen-in-wi…
*** Video: NEXT Berlin ***
---------------------------------------------
Mikko spoke at NEXT Berlin yesterday, and the video is now online: Arms Race. [24m15s] (06/05/14, 12:31 PM)
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002701.html
*** Ransomware trojans threaten Android users ***
---------------------------------------------
Security researchers have discovered the first trojan that infects Android devices and extorts ransom from its victims. The malware, named Koler.A, is already infecting smartphones worldwide.
---------------------------------------------
http://www.heise.de/security/meldung/Erpressungstrojaner-drohen-Android-Nut…
*** Security: Against the fear of attacks on smartphones ***
---------------------------------------------
For the Re:publica audience, security experts Linus Neumann and Ben Schlabs have a few tips ready on how smartphones can be secured. And they show how Siri can be abused as a break-in helper.
---------------------------------------------
http://www.golem.de/news/security-gegen-die-angst-vor-angriffen-aufs-smartp…
*** Background: SSL fuzzing with "Frankencerts" ***
---------------------------------------------
By piecing together thousands of real SSL certificates into over eight million "Frankencerts", researchers have found holes in common SSL libraries.
---------------------------------------------
http://www.heise.de/security/artikel/SSL-Fuzzing-mit-Frankencerts-2166135.h…
*** New DNS Spoofing Technique: Why we haven't covered it, (Wed, May 7th) ***
---------------------------------------------
The last couple of days, a lot of readers sent us links to articles proclaiming yet another new flaw in DNS. "Critical Vulnerability in BIND Software Puts DNS Protocol Security At Risk" [1] claimed one article, going forward to state: "The students have found a way to compel DNS servers to connect with a specific server controlled by the attacker that could respond with a false IP address." So how bad is this really? First of all, here is the
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18079&rss
*** OpenBSD developers doubt alleged OpenSSH vulnerability ***
---------------------------------------------
The exploit is said to be as bad as the SSL disaster Heartbleed and to affect the important Unix library OpenSSH. However, many developers say the vulnerability probably does not exist.
---------------------------------------------
http://www.heise.de/security/meldung/OpenBSD-Entwickler-bezweifeln-angeblic…
*** Advanced Evasion Techniques (AET) a Major Concern for CIOs ***
---------------------------------------------
According to a new Vanson Bourne study sponsored by McAfee, CIOs are adding yet another threat to their ever-growing list of network security concerns: Advanced Evasion Techniques, or AETs. Unlike Advanced Persistent Threats (APTs) and other advanced malware, Advanced Evasion Techniques are not types of malicious software. Rather, they are a technique used by threat [...]
---------------------------------------------
http://www.seculert.com/blog/2014/05/advanced-evasion-techniques-aet-a-majo…
*** ABB Relion 650 Series OpenSSL Vulnerability ***
---------------------------------------------
ABB has identified an OpenSSL vulnerability in its Relion 650 series application. ABB is in the process of creating a patch that mitigates this vulnerability. This vulnerability could be exploited remotely. Exploits that target this vulnerability are known to be publicly available.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-126-01
*** Security Advisory- BootRom Menu and Boot Menu Vulnerabilities on Huawei Campus Switches ***
---------------------------------------------
Some versions of Huawei Campus S7700/S9300/S9700 switches are affected by the BootRom and Boot Menu vulnerability.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** VU#902790: Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability ***
---------------------------------------------
Vulnerability Note VU#902790: Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability. Original Release date: 07 May 2014 | Last revised: 07 May 2014. Overview: Fortinet Fortiweb prior to version 5.2.0 does not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery (CSRF) vulnerability. (CWE-352) Description: CWE-352: Cross-Site Request Forgery (CSRF). Fortinet Fortiweb prior to version 5.2.0 does not...
---------------------------------------------
http://www.kb.cert.org/vuls/id/902790
*** HPSBMU02994 rev.4 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified in HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed" which could be exploited remotely resulting in disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-05-2014 18:00 − Tuesday 06-05-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** NIST updates Transport Layer Security (TLS) guidelines ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16794
*** Finding Weak Remote Access Passwords on POS Devices ***
---------------------------------------------
One of my key take-aways in the Verizon Data Breach Incident Report was that credentials are a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/05/05/finding-w…
*** Analyzing CVE-2014-0515 - The Recent Flash Zero-Day ***
---------------------------------------------
Last week, Adobe released an advisory disclosing a new zero-day vulnerability in Flash Player. Looking into the exploit code used in attacks targeting this vulnerability, we found several interesting ties to other vulnerabilities - not all of them for Flash Player, either. To explain this, we will discuss the highlights of how this exploit was performed.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/H6laAIdlckU/
*** Live from InfoSecurity Europe 2014: The Nitty Gritty of Sandbox Evasion ***
---------------------------------------------
Infosecurity Europe 2014 was a great gathering of the top minds in cybersecurity, and in case you missed the event, we were excited to capture live content from the show floor to share with our readers. Over the next few...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2014/05/live-from-infosecurity-europe…
*** And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards, (Tue, May 6th) ***
---------------------------------------------
As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so. Autocomplete=Off: This weekend we just had yet another post...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18075&rss
*** Watch a bank-raiding ZeuS bot command post get owned in 60 seconds ***
---------------------------------------------
RC4? Shoddy PHP coding? You VXers should try a little harder. Web thieves may get more than they bargained for if tech pros follow the lead of one researcher - who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/06/zeus_pwned_…
*** The State of Cryptography in 2014, Part 1: On Fragility and Heartbleed ***
---------------------------------------------
It seems like cryptography has been taking a knock recently. This is both good and bad, but is not actually true: cryptography is always under attack, and for that reason constantly evolves. That's bad, but it's good to realize that cryptography needs constant attention. The threat to cryptography can be very disruptive, as we most recently...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/kwDfInwBFvo/
*** Dropbox closes Referer hole ***
---------------------------------------------
Dropbox documents shared with a limited audience can be exposed when a link contained in them is clicked. With the fix, however, the cloud service provider makes all existing shared documents unreachable. They have to be shared again.
---------------------------------------------
http://www.heise.de/security/meldung/Dropbox-schliesst-Referer-Luecke-21835…
*** Security Bulletin: Multiple Vulnerabilities in IBM iNotes (CVE-2013-0589, CVE-2013-0592, CVE-2013-0594, CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions prior to 8.5.3 Fix Pack 6 and 9.0.1 contain multiple security vulnerabilities: CVE-2013-0589, CVE-2013-0592, CVE-2013-0594 and CVE-2013-0595.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21671622
*** Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client - Version: 1.0 ***
---------------------------------------------
Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2962393
*** Bugtraq: ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532031
*** Bugtraq: [security bulletin] HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532037
*** Cisco Nexus 1000V Access Control List Bypass Vulnerability ***
---------------------------------------------
A vulnerability in Cisco Nexus 1000V switches could allow an unauthenticated, remote attacker to bypass deny statements in access control lists (ACLs) with certain types of Internet Group Management Protocol version 2 (IGMPv2) or IGMP version 3 (IGMPv3) traffic. IGMP version 1 (IGMPv1) is not affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack against the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Struts 2.3.16.3 Manipulation Fix ***
---------------------------------------------
Topic: Struts 2.3.16.3 Manipulation Fix. Risk: Medium. Text: The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability" release. The GA de...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050026
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-05-2014 18:00 − Monday 05-05-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Lnk files in Email Malware Distribution ***
---------------------------------------------
Recently I have noticed more use of .lnk files used in malware distribution via email. These files are Windows Shortcut files, typically used for shortcuts on your system, such as on your desktop. The use of .lnk files in emails is not new, but a recent sample caught my eye and I took a closer look. The original email, as it would appear to the recipient, looked like this, purporting to be from an individual at Automatic Data Processing, and containing what looks to be a PDF document and a ZIP
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/VEYzrNB7xos/lnk-files-…
*** PHP Updated to Fix OpenSSL Flaws, Other Bugs ***
---------------------------------------------
The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities. The fix for the OpenSSL flaws is in both...
---------------------------------------------
http://threatpost.com/php-updated-to-fix-heartbleed-other-bugs/105867
*** iOS 7 Update Silently Removes Encryption For Email Attachments ***
---------------------------------------------
An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/FyN_d8fBQgo/story01.htm
*** Attack Prediction: Malicious gTLD Squatting May Be The Next Big Threat ***
---------------------------------------------
Late last year, ICANN began expanding the generic Top-Level Domains (gTLDs). In addition to the standard .COM, .ORG, and .NET TLDs, over 1,300 new names could become available in the next few years. These new gTLDs and internationalized domain names (IDNs) are awesome ideas if you think about the creativity sparked around the names one can possibly register.
---------------------------------------------
http://labs.opendns.com/2014/04/23/malicious-gtld-squatting/
*** Spear Phishing Emails: A Psychological Tactic of Threat Actors ***
---------------------------------------------
By exploiting network security vulnerabilities, today's generation of threat actors are able to install advanced polymorphic malware to steal data and damage reputations. But their manipulation efforts aren't limited to codes and machines - they extend to people, too.
---------------------------------------------
http://www.seculert.com/blog/2014/05/spear-phishing-emails-a-psychological-…
*** Evolution of Encrypting Ransomware ***
---------------------------------------------
Recently we've seen a big change in the encrypting ransomware family and we're going to shed light on some of the newest variants and the stages of evolution that have led the high-profile malware to where it is today. For those that aren't aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data from local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key which makes...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/hp9iym0nxN0/
*** Symantec Critical System Protection for Windows Default Policy Bypass ***
---------------------------------------------
Revisions: None. Severity: Symantec does not believe that this bypass represents a Symantec Critical System Protection (SCSP) vulnerability. The policy bypass ...
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: [ANN][SECURITY] Struts 1 - CVE-2014-0114 -Mitigation Advice Available, Possible RCE Impact ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532008
*** Vuln: F5 Networks BIG-IQ Remote Privilege Escalation Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/67191
*** F5 BIG-IQ 4.1.0.2013.0 Password Change Exploit ***
---------------------------------------------
Topic: F5 BIG-IQ 4.1.0.2013.0 Password Change Exploit. Risk: High. Text: ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050012
*** OpenSSL Null Pointer Dereference in do_ssl3_write() Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030188
*** [webapps] - Seagate BlackArmor NAS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/33159
*** Vuln: WordPress NextCellent Gallery Plugin CVE-2014-3123 Multiple Cross Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/67085
*** IBM Tivoli Netcool/Portal vulnerable to CVE-2014-0160 & CVE-2014-0076 ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL. CVE(s): CVE-2014-0160 and CVE-2014-0076. Affected product(s) and affected version(s): IBM Tivoli Netcool/Portal 2.1.2. Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21671783
X-Force Database: http://xforce.iss.net/xforce/xfdb/92322
X-Force Database: http://xforce.iss.net/xforce/xfdb/91990
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_tivoli_netcool_po…
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Tivoli Endpoint Manager for Remote Control. (CVE-2013-4353,CVE-2013-6449) ***
---------------------------------------------
Security vulnerabilities exist in the version of OpenSSL shipped with Tivoli Endpoint Manager for Remote Control. CVE(s): CVE-2013-4353 and CVE-2013-6449. Affected product(s) and affected version(s): Tivoli Endpoint Manager for Remote Control version 8.2.1. Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21669040
X-Force Database: http://xforce.iss.net/xforce/xfdb/90201
X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Bugtraq: [HP security bulletins] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532002
http://www.securityfocus.com/archive/1/532001
http://www.securityfocus.com/archive/1/532003
http://www.securityfocus.com/archive/1/532004
http://www.securityfocus.com/archive/1/532007
http://www.securityfocus.com/archive/1/532010
http://www.securityfocus.com/archive/1/532011
http://www.securityfocus.com/archive/1/532012
http://www.securityfocus.com/archive/1/532013
http://www.securityfocus.com/archive/1/532014
http://www.securityfocus.com/archive/1/532022
http://www.securityfocus.com/archive/1/532023
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-04-2014 18:00 − Friday 02-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Serious security flaw in OAuth, OpenID discovered ***
---------------------------------------------
Attackers can use the "Covert Redirect" vulnerability in both open-source login systems to steal your data and redirect you to unsafe sites.
---------------------------------------------
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discover…
*** Ubuntu closes further holes in the Unity lock screen ***
---------------------------------------------
With two updates for their Unity desktop, the developers of the Linux distribution have fixed further security problems. These would have made it possible to bypass the lock screen under certain circumstances.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-schliesst-weitere-Luecken-im-Un…
*** Security Update Released to Address Recent Internet Explorer Vulnerability ***
---------------------------------------------
Today, we released a security update to address the Internet Explorer (IE) vulnerability first described in Security Advisory 2963983. This security update addresses every version of Internet Explorer. While we've seen only a limited number of targeted attacks, customers are advised to install this update promptly. The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically. If...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/05/01/security-update-released…
*** Sefnit Botnet Swaps Tor for SSH ***
---------------------------------------------
Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/sefnit-botnet-swaps-tor-for-ssh…
*** Factsheet DNS Amplification ***
---------------------------------------------
DDoS-attacks have been hitting headlines the last year. In some of these attacks, attackers use a technique called DNS amplification. This factsheet will help network administrators in preventing DNS amplification attacks via their systems.
---------------------------------------------
http://www.ncsc.nl/english/current-topics/news/factsheet-dns-amplification.…
*** Apple Fixes Critical Hole in Developer Center ***
---------------------------------------------
Apple patched a potentially serious hole in its Developer Center that could have given anyone unfettered access to personal contact information for Apple employees and partners.
---------------------------------------------
http://threatpost.com/apple-fixes-critical-hole-in-developer-center/105848
*** All About Windows Tech Support Scams ***
---------------------------------------------
*Editor's Notes: The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done. DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer. Have you ever received a phone call from a tech support person claiming to be from Microsoft, and that your Windows based machine has been found to have a virus on it? These cold calls typically come from loud call centers, and are targeting the uninformed and...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/qw_08fRmr5o/
*** SA-CONTRIB-2014-047 - Zen - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-047
Project: Zen (third-party theme)
Version: 7.x
Date: 2014-April-30
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description: The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Custom themes that have copied Zen's template files (e.g. subthemes) may suffer from this
---------------------------------------------
https://drupal.org/node/2254925
*** Cross-Site Scripting Vulnerability in Citrix NetScaler Gateway, formerly Citrix Access Gateway Enterprise Edition ***
---------------------------------------------
Severity: Medium. Description of Problem: A Cross-Site Scripting (XSS) vulnerability has been identified in Citrix NetScaler Gateway, formerly known as Citrix Access Gateway Enterprise Edition...
---------------------------------------------
http://support.citrix.com/article/CTX140291
*** Cisco TelePresence TC and TE Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030181
*** AMTELCO miSecure Vulnerabilities ***
---------------------------------------------
Researcher Jared Bird of Allina Health reported multiple vulnerabilities in the AMTELCO miSecureMessage (MSM) medical messaging system. AMTELCO has an update available to all customers that mitigates the vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-121-01
*** WordPress plugin EZPZ One Click Backup Command Injection ***
---------------------------------------------
Topic: WordPress plugin EZPZ One Click Backup Command Injection. Risk: High. Text: Product: WordPress plugin EZPZ One Click Backup. Vulnerability type: CWE-78 OS Command Injection. Vulnerable versions: 12.03.10...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050008
*** WordPress leaflet maps marker plugin SQL Injection Vulnerability ***
---------------------------------------------
Topic: WordPress leaflet maps marker plugin SQL Injection Vulnerability. Risk: Medium. Text: # # Exploit Title: WordPress leaflet maps marker plugin SQL Injection Vulnerability # # Author: neo.hapsis #memb...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050010
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-04-2014 18:00 − Wednesday 30-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** PHP Callback Functions: Another Way to Hide Backdoors ***
---------------------------------------------
We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter. Everyone who writes code in PHP knows what the eval() function is ..
---------------------------------------------
http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-b…
*** [papers] - Introduction to Android Malware Analysis ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/33093
*** Xen HVMOP_set_mem_type Page Transition Flaw Lets Local Users on the Guest System Cause Denial of Service Conditions on the Host System ***
---------------------------------------------
http://www.securitytracker.com/id/1030160
*** "Bypassing endpoint protections" @ BSides London ***
---------------------------------------------
This week I presented at BSides London. The talk is titled "Layers on layers: bypassing endpoint protection". The purpose of this talk is to reiterate on the (well-known) common weakness of most endpoint protection products - their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there ..
---------------------------------------------
http://labs.bromium.com/2014/04/29/bypassing-endpoint-protections-bsides-lo…
*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic, (Wed, Apr 30th) ***
---------------------------------------------
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. The payload of the packet is ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18047&rss
*** Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030165
*** Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030163
*** [2014-04-30] SQL injection and XSS vulnerabilities in Typo3 si_bibtex extension ***
---------------------------------------------
By exploiting the SQL injection vulnerability in the Typo3 extension "si_bibtex", an attacker is able to gain full access to the Typo3 database. Depending on the location where the extension is used in the web application, this may be possible by an unauthenticated attacker. Furthermore, it is affected by persistent XSS.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Symantec Encryption Desktop (PGP) Memory Access Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030170
*** Friends don't let friends use Internet Explorer - advice from US, UK, EU ***
---------------------------------------------
IE 6 to 11 at risk of hijacking, patch coming - but not for XP. Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code.
---------------------------------------------
www.theregister.co.uk/2014/04/27/oops_we_did_it_again_microsoft_warns_of_ie…
*** Botnet for altcoin mining exploits hole in Nagios monitoring ***
---------------------------------------------
A recently published security hole in the network monitor Nagios is apparently already being exploited. Well over 1000 servers distributed worldwide are affected and are being abused for mining purposes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Lu…
*** New ransomware Trojan encrypts with RSA-2048 ***
---------------------------------------------
Reports are piling up about infected Windows systems on which a malicious program encrypts files and only releases them again against payment of a ransom of 500 euros. This is to be paid in Bitcoins via Tor.
---------------------------------------------
http://www.heise.de/security/meldung/Neuer-Erpressungs-Trojaner-verschluess…
*** Protection strategies for the Security Advisory 2963983 IE 0day ***
---------------------------------------------
We've received a number of customer inquiries about the workaround steps documented in Security Advisory 2963983 published on Saturday evening. We hope this blog post answers those questions. Steps you can take to stay safe The security advisory lists several options customers can take to stay safe. Those options are ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for…
*** Six infosec tips I learned from Game of Thrones ***
---------------------------------------------
In Westeros - the land of dark knights, backstabbing royals, dragons, wildings, wargs, red witches, and White Walkers - even the youngest ones have to learn basic self-defense if they're to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so too, must every CISO and security pro learn the latest information security best practices if they're to survive today's Internet threat landscape.
---------------------------------------------
http://www.net-security.org/article.php?id=2001&p=1
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-04-2014 18:00 − Tuesday 29-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 23.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** Ubuntu 14.04 lockscreen bypass, (Mon, Apr 28th) ***
---------------------------------------------
Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 … "The reporter indicates that he was running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if holding ENTER, after some seconds the screen freezes and the lock screen ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18039
*** Cisco ASA DHCPv6 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Researchers warn of resurgent Sefnit malware ***
---------------------------------------------
Botnet returns using new tactics. A malware infection which drew headlines in January has returned and is using new techniques to infect and spread amongst users.
---------------------------------------------
www.theregister.co.uk/2014/04/29/researchers_warn_of_resurgent_sefnit_malwa…
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in the management component of the Citrix NetScaler Application Delivery Controller ..
---------------------------------------------
http://support.citrix.com/article/CTX140651
*** Mass hack at AOL: millions of users affected ***
---------------------------------------------
Unknown attackers gained access to private information - the company urges users to change their password
---------------------------------------------
http://derstandard.at/1397521927406
*** The FireEye Advanced Threat Report 2013: European Edition ***
---------------------------------------------
We recently published the 2013 FireEye Advanced Threat Report during RSA Conference, providing a global overview of the advanced attacks that FireEye discovered last year. We are now drilling that global analysis down into the European threat ..
---------------------------------------------
http://www.fireeye.com/blog/corporate/2014/04/the-fireeye-advanced-threat-r…
*** Cybercriminals Take Advantage Of Heartbleed With Spam ***
---------------------------------------------
Since news about Heartbleed broke out earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with personalities ranging from security experts to celebrities talking about it. Being as opportunistic as they are, cybercriminals have taken notice of this and ..
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RKpGQ6-RSA8/
*** Q1 2014 Mobile Threat Report ***
---------------------------------------------
Our Mobile Threat Report for Q1 2014 is out! Here's a couple of the things we cover in it: The vast majority of the new threats found was on Android (no surprise there), which accounted for 275 out of 277 new families we saw in this period, leaving 1 new malware apiece on iOS and Symbian. In Q1, ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002699.html
*** 6 free network vulnerability scanners ***
---------------------------------------------
Vulnerability scanners can help you automate security auditing and can play a crucial role in your IT security. They can scan your network and websites for up to thousands of different security risks, produce a prioritized list of those you should patch, describe the vulnerabilities, and give steps on how to remediate them. Some can even automate the patching process. While these tools can ..
---------------------------------------------
http://www.csoonline.com/article/2148841/data-protection/6-free-network-vul…
*** Hashcat-Utils v1.0 Released ***
---------------------------------------------
Hashcat-utils are a set of small utilities that are useful in advanced password cracking. They all are packed into multiple stand-alone binaries. All of these utils are designed to execute only one specific function. Since they all work with STDIN and STDOUT you can group them into chains. The programs are available for Linux and Windows on both 32 bit and 64 bit architectures. The programs are also available as open source.
---------------------------------------------
http://www.toolswatch.org/2014/04/hashcat-utils-v1-0-released/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-04-2014 18:00 − Monday 28-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Using Facebook Notes to DDoS any website ***
---------------------------------------------
Facebook Notes allows users to include <img> tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.
---------------------------------------------
http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
*** Mozilla slims down certificate verification ***
---------------------------------------------
Instead of 81,865, only 4,167 lines of code are now needed to verify SSL certificates. Anyone who finds security holes in it receives a generous bounty.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-entschlackt-Zertifkats-Ueberpr…
*** Examining the Heartbleed-based FUD that's pitched to the public ***
---------------------------------------------
The Heartbleed vulnerability has created a massive news cycle, and generated technical risk-based discussions that might actually do some good. But some of these discussions boggle the mind, spreading misinformation in order to generate clicks or sales. When security issues hit the mass media, such as Heartbleed, there is a good deal of Fear, Uncertainty, and Doubt - better known as FUD - that gets promoted on the airwaves and in print.
---------------------------------------------
http://www.csoonline.com/article/2148461/application-security/examining-the…
*** Security vulnerability in messaging app Viber uncovered ***
---------------------------------------------
Pictures, videos and location data transmitted with the messaging app Viber are stored unencrypted on servers. Access to them is extremely easy.
---------------------------------------------
http://futurezone.at/digital-life/sicherheitsluecke-bei-messaging-app-viber…
*** Microsoft Warns of Attacks on IE Zero-Day ***
---------------------------------------------
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/PUm3t0AZZzc/
*** New Internet Explorer vulnerability becomes an emergency for Windows XP ***
---------------------------------------------
Already being actively exploited - no more updates for XP; other operating system versions are currently also still unprotected
---------------------------------------------
http://derstandard.at/1397521804143
*** Biggest EU cyber security exercise to date: Cyber Europe 2014 taking place today ***
---------------------------------------------
Today, 28 April 2014, European countries kick off the Cyber Europe 2014 (CE2014). CE2014 is a highly sophisticated cyber exercise, involving more than 600 security actors across Europe.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/biggest-eu-cyber-security-e…
*** Cisco IOS XE Software Malformed L2TP Packet Vulnerability ***
---------------------------------------------
A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security updates available for Adobe Flash Player (APSB14-13) ***
---------------------------------------------
A Security Bulletin (APSB14-13) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe recommends users update their product installations to the latest versions.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1093
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-04-2014 18:00 − Friday 25-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Number of Sites Vulnerable to Heartbleed Plunges by Two-Thirds ***
---------------------------------------------
Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today? [Figure 1: Sites vulnerable to Heartbleed as of April 22] Globally, the percentage of sites that are vulnerable to Heartbleed has fallen by two-thirds,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qyKz0tQVjAY/
*** Fareit trojan observed spreading Necurs, Zbot and CryptoLocker ***
---------------------------------------------
The Necurs and Zbot trojans, as well as CryptoLocker ransomware, have been observed by researchers as being spread through another trojan, known as Fareit.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/XrcbQ8kwwQo/
*** It's Insanely Easy to Hack Hospital Equipment ***
---------------------------------------------
When Scott Erven was given free rein to roam through all of the medical equipment used at a chain of large Midwest health care facilities, he knew he would find security problems with the systems -- but he wasn't prepared for just how bad it would be.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/39be98e1/sc/36/l/0L0Swired0N0C20A…
*** Out-of-band update for Windows 7 ***
---------------------------------------------
Windows 7 users are currently being offered an update numbered 2952664 by the update function. What is irritating about it: it appears out of band, and Microsoft also does not reveal exactly which problems the update fixes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Update-fuer-Windows-7-ausser-der-Rei…
*** Acunetix 8 Scanner Buffer overflow ***
---------------------------------------------
Topic: Acunetix 8 Scanner Buffer overflow Risk: High Text:#!/usr/bin/python # Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit # Version: 8 # Build: 20120704 # Test...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040162
*** Security Notice-Statement on Patch Bypassing of Apache Struts2 ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Hitachi Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58022
*** Global Technology Associates GB-OS OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58007
*** Certec atvise scada OpenSSL Heartbleed Vulnerability ***
---------------------------------------------
Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Certec has released new libraries that mitigate the OpenSSL Heartbleed vulnerability in atvise scada. This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-114-01
*** Siemens SIMATIC S7-1200 CPU Web Vulnerabilities ***
---------------------------------------------
Siemens ProductCERT and Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training have reported two vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02
*** InduSoft Web Studio Directory Traversal Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on April 17, 2014, and is now being released to the NCCIC/ICS-CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02
*** Festo CECX-X-(C1/M1) Controller Vulnerabilities ***
---------------------------------------------
K. Reid Wightman of IOActive, Inc. has identified vulnerabilities in Festo’s CECX-X-C1 and CECX-X-M1 controllers. Festo has decided not to resolve these vulnerabilities because of compatibility reasons with existing engineering tools. This places critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment and for them to increase compensating measures if possible.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01
*** Oracle Solaris ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030142
*** Synology DiskStation Manager cUrl Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
https://secunia.com/advisories/58145
*** SSA-635659 (Last Update 2014-04-25): Heartbleed Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Halon Security Router Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57507
*** HP Security Bulletins ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-04-2014 18:00 − Thursday 24-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** NetSupport Information Leakage Using Nmap Script ***
---------------------------------------------
NetSupport allows corporations to remotely manage and connect to PCs and servers from a central location for the purposes of desktop support. In my last post I discussed how I wrote a script using the NetSupport scripting language to find versions of NetSupport running on clients with default installations that didn't require authentication to remotely connect to them. Essentially you could use NetSupport to bypass any Domain or local credentials to remotely connect to the PC and...
---------------------------------------------
http://blog.spiderlabs.com/2014/04/netsupport-information-leakage-using-nma…
*** DHCPv6 and DUID Confusion, (Wed, Apr 23rd) ***
---------------------------------------------
In IPv6, DHCP is taking somewhat of a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, in particular for Enterprise/larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use. One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier), which can be different from a MAC address. There are essentially three ways to come up with...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18015&rss
*** Cisco: Hey, IT depts. You're all malware hosts ***
---------------------------------------------
Security report also notes skills shortage. Everybody - at least every multinational that Cisco checked out for its 2014 Annual Security Report - is hosting malware of some kind, and there aren't enough security professionals to go around.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/24/cisco_youre…
*** DrDoS attacks to reach 800 Gbps in 2015 ***
---------------------------------------------
While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 Gbps during the next 12 to 18 months.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16733
*** Zero-day vulnerability in Apache Struts 2 ***
---------------------------------------------
Through a small variation of an already patched vulnerability, attackers can once again inject code into the server.
---------------------------------------------
http://www.heise.de/security/meldung/Zero-Day-Luecke-in-Apache-Struts-2-217…
*** Situational Awareness Alert for OpenSSL Vulnerability (Update D) ***
---------------------------------------------
This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-009-01C Situational Awareness Alert for OpenSSL Vulnerability that was published April 17, 2014, on the ICS-CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01D
*** Drupal - Vulnerabilities in Third-Party Modules ***
---------------------------------------------
https://drupal.org/node/2248073
https://drupal.org/node/2248077
https://drupal.org/node/2248145
https://drupal.org/node/2248171
*** Attachmate Reflection OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030144
*** Bugtraq: Weak firmware encryption and predictable WPA key on Sitecom routers ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531920
*** SSA-892012 (Last Update 2014-04-24): Web Vulnerabilities in SIMATIC S7-1200 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Vuln: Check_MK Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/66389
http://www.securityfocus.com/bid/66391
http://www.securityfocus.com/bid/66394
http://www.securityfocus.com/bid/66396
*** Notice: (Revision) CUSTOMER ATTENTION REQUIRED: HP Integrated Lights-Out and Integrated Lights-Out 2 - Scanning First-Generation iLO or iLO 2 Devices for the Heartbleed Vulnerability Results in iLO Lockup Requiring Power to be PHYSICALLY Removed ***
---------------------------------------------
The first-generation iLO and iLO 2 products use the RSA SSL libraries, and there is a bug in these libraries that will cause first-generation iLO and iLO 2 devices to enter a live lockup situation when a vulnerability scanner runs to check for the Heartbleed vulnerability. Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** HPSBHF03006 rev.1 - HP Integrated Lights-Out 2 (iLO 2) Denial of Service ***
---------------------------------------------
A potential security vulnerability has been identified in HP Integrated Lights-Out 2 (iLO 2) servers that allows for a Denial of Service. The denial of service condition occurs only when the iLO 2 is scanned by vulnerability assessment tools that test for CVE-2014-0160 (Heartbleed vulnerability).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HP Security Bulletins for CVE 2014-0160 ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vuln: EMC Connectrix Manager Converged Network Edition Remote Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/66308
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-04-2014 18:00 − Wednesday 23-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Maintenance work on mailing list server, 24 April 2014 ***
---------------------------------------------
On the afternoon of 24 April we will carry out maintenance work on our mailing list server (lists.cert.at). Effects: delayed delivery of list mails; administration interface (subscribe/unsubscribe etc.) of the mailing lists unavailable; mailing list archives unavailable. We will try to keep the outages as short as possible, but cannot give an exact...
---------------------------------------------
http://www.cert.at/services/blog/20140423085410-1134.html
*** DBIR: Poor Patching, Weak Credentials Open Door to Data Breaches ***
---------------------------------------------
Weak or default credentials, poor configurations and a lack of patching are common denominators in most data breaches, according to the 2014 Verizon Data Breach Investigations Report.
---------------------------------------------
http://threatpost.com/dbir-poor-patching-weak-credentials-open-door-to-data…
*** Millions of Feedly users vulnerable to Javascript Injection attack ***
---------------------------------------------
A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting millions of users.
---------------------------------------------
http://securityaffairs.co/wordpress/24209/hacking/feedly-javascript-vulnera…
*** Apple patches security holes in iOS, OS X and WLAN base stations ***
---------------------------------------------
The updates are intended to eliminate critical vulnerabilities in Apple's operating systems - including another hole that allows eavesdropping on SSL connections. A Heartbleed fix is available for the AirPort base stations.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-stopft-Sicherheitsluecken-in-iOS…
*** Operation Francophoned: The Persistence and Evolution of a Dual-Pronged Social Engineering Attack ***
---------------------------------------------
Operation Francophoned, first uncovered by Symantec in May 2013, involved organizations receiving direct phone calls and spear phishing emails impersonating a known telecommunication provider in France, all in an effort to install malware and steal information and ultimately money from targets.
---------------------------------------------
http://www.symantec.com/connect/blogs/operation-francophoned-persistence-an…
*** Blog: An SMS Trojan with global ambitions ***
---------------------------------------------
Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.
---------------------------------------------
http://www.securelist.com/en/blog/8209/An_SMS_Trojan_with_global_ambitions
*** ISC discontinues development of its BIND10 DNS server ***
---------------------------------------------
The company has released the last version it will develop and is withdrawing from further development. BIND10 was originally meant to replace BIND9, which at the time could make only insufficient use of high-performance servers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/ISC-stellt-Entwicklung-an-seinem-BIN…
*** Nine patterns make up 92 percent of security incidents ***
---------------------------------------------
Verizon security researchers have found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16725
*** Dissecting the unpredictable DDoS landscape ***
---------------------------------------------
DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according to Neustar.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16726
*** Special Edition of OUCH: Heartbleed - Why Do I Care? http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-2014-special_e…, (Wed, Apr 23rd) ***
---------------------------------------------
-- Alex Stanford - GIAC GWEB, Research Operations Manager, SANS Internet Storm Center (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18013&rss
*** Apple splats new SSL snooping bug in iOS, OS X - but it's no Heartbleed ***
---------------------------------------------
Triple-handshake flaw stalks Macs and iThings. Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/23/apple_ssl_u…
*** Joomla Plugin Constructor Backdoor ***
---------------------------------------------
We recently wrote about backdoors in pirated commercial WordPress plugins. This time it will be a short post about an interesting backdoor we found in a Joomla plugin. It was so well organized that at first we didn't realize there was a backdoor even though we knew something was wrong. That's how the code of...
---------------------------------------------
http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html
*** Citrix Security Advisory for CVE-2014-0160, aka the Heartbleed vulnerability ***
---------------------------------------------
A vulnerability has been recently disclosed in OpenSSL that could result in remote attackers being able to obtain sensitive data from the process address space of a vulnerable OpenSS...
---------------------------------------------
http://support.citrix.com/article/CTX140605
*** IBM PSIRT - OpenSSL Heartbleed (CVE-2014-0160) ***
---------------------------------------------
We will continue to update this blog to include information about products. The following is a list of products affected by the Heartbleed vulnerability. Please follow the links below to view the security bulletins for the affected products.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cv…
*** Information on Norton products and the Heartbleed vulnerability ***
---------------------------------------------
This article answers many of the questions that are currently being asked about the Heartbleed bug and the role that Norton products play in defending against this attack.
---------------------------------------------
https://support.norton.com/sp/en/us/home/current/solutions/v98431836_EndUse…
*** OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services ***
---------------------------------------------
D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine if our devices and customers are affected by this security vulnerability. You will find current status below and can contact us at security(a)dlink.com about specific questions.
---------------------------------------------
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022
*** Heartbleed Vulnerability in Various Products ***
---------------------------------------------
http://tomcat.apache.org/native-doc/news/2014.html
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
http://www.fortiguard.com/advisory/FG-IR-14-011/
http://www.sybase.com/detail?id=1099387
https://secunia.com/advisories/58188 (Symantec Multiple Products)
https://secunia.com/advisories/58148 (Xerox WorkCentre 3315/3325)
*** VU#350089: IBM Notes and Domino on x86 Linux specify an executable stack ***
---------------------------------------------
Vulnerability Note VU#350089: IBM Notes and Domino on x86 Linux specify an executable stack. Original Release date: 22 Apr 2014 | Last revised: 22 Apr 2014. Overview: IBM Notes and Domino on x86 Linux are incorrectly built requesting an executable stack. This can make it easier for attackers to exploit vulnerabilities in Notes, Domino, and any of the child processes that they may spawn. Description: The build environment for the x86 Linux versions of IBM Notes and Domino incorrectly specified the...
---------------------------------------------
http://www.kb.cert.org/vuls/id/350089
*** Cisco ASA SIP Inspection Memory Leak Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) inspection engine code could allow an unauthenticated, remote attacker to cause a slow memory leak, which may cause instability on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** AirPort Extreme and AirPort Time Capsule OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030132
*** Apple OS X Multiple Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030133
*** Sixnet Sixview 2.4.1 Directory Traversal ***
---------------------------------------------
Topic: Sixnet Sixview 2.4.1 Directory Traversal Risk: Medium Text:#Exploit Title: Sixnet sixview web console directory traversal #Date: 2014-04-21 #Exploit Author: daniel svartman #Vendor Ho...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040150
*** Parallels Plesk Panel 12.x Key Disclosure ***
---------------------------------------------
Topic: Parallels Plesk Panel 12.x Key Disclosure Risk: High Text:While auditing the source code for Parallels Plesk Panel 12.x on Linux I noticed the following feature that leads to leakage o...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040151
*** [2014-04-23] Path Traversal/Remote Code Execution in WD Arkeia Network Backup Appliances ***
---------------------------------------------
An unauthenticated remote attacker can exploit the identified Path Traversal vulnerability in order to retrieve arbitrary files from the affected WD Arkeia Network Backup appliances and execute system commands.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Security Advisory-Improper Input Validation Vulnerability on Multiple Quidway Switch Products ***
---------------------------------------------
Once exploited, the vulnerability might cause excessive resource (e.g. memory) consumption on the vulnerable system and in serious cases even cause the system to restart.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** HP Security Bulletins ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Management Console Reflected XSS ***
---------------------------------------------
Symantec's Messaging Gateway management console is susceptible to a reflected cross-site scripting (XSS) issue found in one of the administrative interface pages. Successful exploitation could result in potential session hijacking or unauthorized actions directed against the console with the privileges of the targeted user's browser.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Security Bulletin: IBM Sterling Order Management is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2014-0932) ***
---------------------------------------------
IBM Sterling Order Management is vulnerable to a cross-site scripting attack which could lead to unauthorized access through the injected scripts.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21670912
*** Django Security Issue and Multiple Vulnerabilities ***
---------------------------------------------
A security issue and multiple vulnerabilities have been reported in Django, which can be exploited by malicious people to potentially disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/58201
*** Hitachi Multiple Cosminexus / uCosminexus Products Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58197
*** Hitachi Multiple Cosminexus / uCosminexus Products SSL/TLS Initialization Vector Selection Weakness ***
---------------------------------------------
https://secunia.com/advisories/58240
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-04-2014 18:00 − Friday 18-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5, (Thu, Apr 17th) ***
---------------------------------------------
I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Andrew West, who pointed out an excellent observation: it's the very slow adoption of DNP3 Secure Authentication Version 5, which is the latest security enhancement for the DNP3 protocol. I want to talk today about this standard and the advantages of adopting it into your DNP3 SCADA system. This standard has two specific objectives: help the DNP3 outstation to determine beyond any reasonable doubt that it's...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17981&rss
*** Heartbleed Bug Sends Bandwidth Costs Skyrocketing ***
---------------------------------------------
The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/397cb2f7/sc/5/l/0L0Swired0N0C20A1…
*** Heartbleed causes difficulties for the Tor anonymization network ***
---------------------------------------------
Around a fifth of the exit nodes are affected by the OpenSSL hole - proposal to throw them out of the network...
---------------------------------------------
http://derstandard.at/1397520979826
*** Mac OS X Trojans display ads ***
---------------------------------------------
April 16, 2014. Malicious programs designed to generate a profit for intruders by displaying annoying ads are very common, but until recently they have mostly been a nuisance for Windows users. That's why a few Trojans that were recently examined by Doctor Web's security researchers stand out among such applications...
---------------------------------------------
http://news.drweb.com/show/?i=4352&lng=en&c=9
*** Heartbleed Update ***
---------------------------------------------
Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1085
*** Security Advisory-OpenSSL Heartbeat Extension vulnerability (Heartbleed bug) on Huawei multiple products ***
---------------------------------------------
Some OpenSSL software versions used in multiple Huawei products have the following OpenSSL vulnerability. Unauthorized remote attackers can dump 64 Kbytes of memory of the connected server or client in each attack. The leaked memory may contain sensitive information, such as passwords and private keys (Vulnerability ID: HWPSIRT-2014-0414).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** McAfee Security Bulletin - OpenSSL Heartbleed vulnerability patched in McAfee products ***
---------------------------------------------
Several McAfee products are vulnerable to OpenSSL Heartbleed. See the McAfee Product Vulnerability Status lists below for the status of each product.
---------------------------------------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10071
*** Nagios Remote Plugin Executor 2.15 Remote Command Execution ***
---------------------------------------------
Topic: Nagios Remote Plugin Executor 2.15 Remote Command Execution Risk: High Text: - Release date: 17.04.2014 - Discovered by: Dawid Golunski - Severity: High I. VULNER...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040126
*** MariaDB Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58106
*** Debian update for qemu and qemu-kvm ***
---------------------------------------------
https://secunia.com/advisories/58088
*** OpenVZ update for kernel ***
---------------------------------------------
https://secunia.com/advisories/58060
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-04-2014 18:00 − Thursday 17-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Developer mode endangers BlackBerrys ***
---------------------------------------------
With developer mode enabled, attackers can execute malicious code with full root privileges via the WLAN or the USB connection. If the mode is switched off again, the device remains attackable until the next reboot.
---------------------------------------------
http://www.heise.de/security/meldung/Entwickler-Modus-gefaehrdet-Blackberri…
*** Heartbleed: BSI sees no reason for an all-clear ***
---------------------------------------------
The Federal Office for Information Security (BSI) sees further need for action regarding the "Heartbleed bug". Smaller websites are still vulnerable, and attackers are now also targeting other services.
---------------------------------------------
http://www.heise.de/security/meldung/Heartbleed-BSI-sieht-keinen-Grund-fuer…
*** Bugtraq: [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531856
*** mAdserve id SQL injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92545
*** SA-CONTRIB-2014-041 - Block Search - SQL Injection ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-041
Project: Block Search (third-party module)
Version: 6.x
Date: 2014-April-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: SQL Injection
Description: Block Search module provides an alternative way of managing blocks. The module doesn't properly use Drupal's database API, resulting in user-provided strings being passed directly to the database, allowing SQL Injection. This vulnerability is mitigated by the fact that an attacker must either use a
---------------------------------------------
https://drupal.org/node/2242463
*** SA-CORE-2014-002 - Drupal core - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-April-16
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure
Description: Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for anonymous
---------------------------------------------
https://drupal.org/SA-CORE-2014-002
*** Heartbleed CRL Activity Spike Found, (Wed, Apr 16th) ***
---------------------------------------------
It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug. This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL: This is by an order
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17977&rss
*** Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too ***
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/cz_Y-Ayd5tw/
*** OpenSSL bug Heartbleed: According to manufacturers, most routers are not vulnerable ***
---------------------------------------------
Most router manufacturers state that they use older OpenSSL versions. However, many provide no evidence that their devices are not vulnerable. Security-conscious users therefore have to roll up their sleeves and test the devices themselves.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-Bug-Heartbleed-Die-meisten-Rou…
*** SAP Router Password Timing Attack ***
---------------------------------------------
Topic: SAP Router Password Timing Attack Risk: High Text: Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Router Password Timing Attack 1. *Advisory Inf...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040118
*** What's worse than Heartbleed? Bugs in Heartbleed detection scripts. ***
---------------------------------------------
As of the writing of this blog post, Nessus, Metasploit, Nmap, and others have released methods for detecting whether your systems are affected. The problem is, most of them have bugs themselves which lead to false negative results, that is, a result which says a system is not vulnerable when in reality it is. With many people likely running detection scripts or other scans against hosts to check if they need to be patched, it is important that these bugs be addressed before too many people
---------------------------------------------
http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbl…
*** Definition update for Microsoft virus scanner slows down Windows XP ***
---------------------------------------------
http://derstandard.at/1397520906230
*** Access to SMS messages and Tor traffic thanks to Heartbleed ***
---------------------------------------------
Hackers have succeeded in reading out messages sent by SMS gateways - including tokens for two-factor authentication. Tor exit nodes are also giving away arbitrary memory contents.
---------------------------------------------
http://www.heise.de/security/meldung/Zugriff-auf-SMS-Nachrichten-und-Tor-Tr…
*** Bleichenbacher attack: TLS problems in Java ***
---------------------------------------------
A problem has been found in Java's TLS library which, under certain circumstances, allows connections to be decrypted. It is a revival of an attack that has been known since 1998. (Java, Technology)
---------------------------------------------
http://www.golem.de/news/bleichenbacher-angriff-tls-probleme-in-java-1404-1…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-04-2014 18:00 − Wednesday 16-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Phishing mail: BSI warns of BSI warning ***
---------------------------------------------
The BSI's regular warnings about hacked online accounts have apparently inspired criminals to launch a phishing attack. It speaks of "suspicious activities" and "legal action". (Phishing, Internet)
---------------------------------------------
http://www.golem.de/news/phishing-mail-bsi-warnt-vor-bsi-warnung-1404-10589…
*** RSA BSAFE Micro Edition Suite security bypass ***
---------------------------------------------
RSA BSAFE Micro Edition Suite (MES) could allow a remote attacker to bypass security restrictions, caused by an error within the certificate chain processing logic. An attacker could exploit this vulnerability to create an improperly authenticated SSL connection.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92408
*** Chef Multiple Vulnerabilities ***
---------------------------------------------
Chef Software has acknowledged multiple security issues and vulnerabilities in Chef, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57836
*** WordPress Twitget Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
dxwsecurity has reported a vulnerability in the Twitget plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change plugin configuration settings when a logged-in administrative user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57892
*** Critical Patch Update - April 2014 ***
---------------------------------------------
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
*** Innominate mGuard OpenSSL HeartBleed Vulnerability ***
---------------------------------------------
OVERVIEW: Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Innominate has released a new firmware version that mitigates the OpenSSL HeartBleed vulnerability in the mGuard products. This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available. AFFECTED PRODUCTS: The following Innominate mGuard versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-105-02
*** Siemens Industrial Products OpenSSL HeartBleed Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens reported to NCCIC/ICS-CERT a list of products affected by the OpenSSL vulnerability (known as 'Heartbleed'). Joel Langill of Infrastructure Defense Security Services reported to ICS-CERT and Siemens the OpenSSL vulnerability affecting the S7-1500. Siemens has produced an update and Security Advisory (SSA-635659) that mitigates this vulnerability in eLAN and is currently working on updates for the other affected products.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-105-03
*** Looking for malicious traffic in electrical SCADA networks - part 1, (Tue, Apr 15th) ***
---------------------------------------------
When infosec guys are performing intrusion detection, they usually look for attacks like portscans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL Heartbleed vulnerability?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17967&rss
*** New Feature: Monitoring Certification Revocation Lists https://isc.sans.edu/crls.html, (Wed, Apr 16th) ***
---------------------------------------------
Certificate Revocation Lists (“CRLs”) are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17969&rss
*** Adobe Flash ExternalInterface Use-After-Free ***
---------------------------------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Flash.
The vulnerability is caused by a use-after-free error when interacting with the "ExternalInterface" class from the browser, which could be exploited to achieve code execution via a malicious web page.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040102
*** Netgear N600 Password Disclosure / Account Reset ***
---------------------------------------------
While I was lurking around the Netgear firmware today, I came across various tweaks and others; I was able to find a password disclosure and file uploading vulnerability which could compromise the entire router. As of now, no patch from the vendor.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040101
*** Apache Syncope 1.0.8 / 1.1.6 Code Execution ***
---------------------------------------------
In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links
of resource mappings) a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache
Syncope core.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040106
*** Bugtraq: CVE-2014-2735 - WinSCP: missing X.509 validation ***
---------------------------------------------
A user cannot recognize an easy-to-perform man-in-the-middle attack, because the client does not validate the "Common Name" of the server's X.509 certificate. In a networking environment that is not trustworthy, like a wifi network, the server's identity cannot be trusted when using FTP AUTH TLS with WinSCP.
---------------------------------------------
http://www.securityfocus.com/archive/1/531847
*** Qemu: out of bounds buffer access, guest triggerable via IDE SMART ***
---------------------------------------------
An out-of-bounds memory access flaw was found in Qemu's IDE device model. It leads to Qemu memory corruption via a buffer overwrite (4 bytes). It occurs while executing IDE SMART commands.
A guest's user could use this flaw to corrupt Qemu process's memory on the host.
---------------------------------------------
http://seclists.org/oss-sec/2014/q2/116
*** Background: Why we need forward secrecy ***
---------------------------------------------
The SSL disaster shows emphatically that forward secrecy is not an exotic feature for the paranoid. Rather, it is the only thing that still protects us from complete surveillance of all communication by the intelligence services.
---------------------------------------------
http://www.heise.de/security/artikel/Warum-wir-Forward-Secrecy-brauchen-217…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-04-2014 18:00 − Tuesday 15-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Barracuda Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57869
*** DSA-2903 strongswan ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2903
*** Occupy Your Icons Silently on Android ***
---------------------------------------------
FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing ..
---------------------------------------------
http://www.fireeye.com/blog/uncategorized/2014/04/occupy_your_icons_silentl…
*** From the Trenches: AV Evasion With Dynamic Payload Generation ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/04/14/from-the-…
*** Critical Patch Update - April 2014 - Pre-Release Announcement ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
*** First Phase of TrueCrypt Audit Turns Up No Backdoors ***
---------------------------------------------
An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released ..
---------------------------------------------
http://beta.slashdot.org/story/200749
*** Microsoft Confirms It Is Dropping Windows 8.1 Support ***
---------------------------------------------
Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorld's Woody Leonhard reports. In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will ..
---------------------------------------------
http://tech.slashdot.org/story/14/04/15/0053213/microsoft-confirms-it-is-dr…
*** VMware reveals 27-patch Heartbleed fix plan ***
---------------------------------------------
Go buy your vSysadmins a big choccy egg: their Easter is in peril. VMware has confirmed that 27 of its products need patches for the Heartbleed bug.
---------------------------------------------
http://www.theregister.co.uk/2014/04/15/vmware_reveals_27patch_heartbleed_f…
*** Cyberwar documentary "netwars / out of CTRL": web documentary at heise ***
---------------------------------------------
In parallel with the Arte documentary, heise online presents the first part of the innovative multimedia documentary on the subject of cyberwar. You decide for yourself whether you would rather see details on Stuxnet or a commentary by star hacker FX, for example.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Cyberwar-Doku-netwars-out-of-CTRL-We…
*** Samsung Galaxy S5: Fingerprint sensor already hacked too ***
---------------------------------------------
Using a fake fingertip developed for the iPhone 5S, Ben Schlabs tricked the lock of the new Samsung flagship. He was then even able to transfer money with it.
---------------------------------------------
http://www.heise.de/security/meldung/Samsung-Galaxy-S5-Fingerabdrucksensor-…
*** SSA-364879 (Last Update 2014-04-15): Vulnerabilities in SINEMA Server ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SSA-654382 (Last Update 2014-04-15): Vulnerabilities in SIMATIC S7-1200 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Akamai Withdraws Proposed Heartbleed Patch ***
---------------------------------------------
As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.
---------------------------------------------
http://www.darkreading.com/application-security/akamai-withdraws-proposed-h…
*** (ISC)2 launches cyber forensics credential in Europe ***
---------------------------------------------
Information and software security professional body (ISC)2 has announced the availability of its Certified Cyber Forensics Professional certification in Europe. Registration for CCFP-EU is now open, with the first exam available on 30 April 2014 at Pearson VUE test centres across the region. The German translation of the exam is to be available from 15 June 2014.
---------------------------------------------
http://www.computerweekly.com/news/2240218864/ISC2-launches-cyber-forensics…
*** BSI warns of BSI mails ***
---------------------------------------------
Fraudsters are abusing the BSI's name for a phishing campaign claiming that the recipient has been caught engaging in "illegal activities". The BSI advises never to open the attachment.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-warnt-vor-BSI-Mails-2170549.html
*** Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach ***
---------------------------------------------
Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past ..
---------------------------------------------
http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-l…
*** Synology cleans up after Heartbleed: password changes and updates ***
---------------------------------------------
After the Heartbleed flaw made it possible to access email addresses and passwords of Synology users, the manufacturer is now urging its customers to change their passwords. There are also security updates for the Synology NAS.
---------------------------------------------
http://www.heise.de/security/meldung/Synology-raeumt-nach-Heartbleed-auf-Pa…
*** Exploiting CSRF under NoScript Conditions ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/04/15/exploitin…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-04-2014 18:00 − Monday 14-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Heartbleed FAQ ***
---------------------------------------------
Heartbleed FAQ, 11 April 2014. We have now also published our version of an FAQ on "Heartbleed". This document is not a final report but a snapshot that will be updated with new data. For example, we are currently in the process of measuring the status in Austria more precisely. Author: Otmar Lendl
---------------------------------------------
http://www.cert.at/services/blog/20140411232912-1127.html
*** Heartbleed: Extracting keys is easier than thought ***
---------------------------------------------
Two people have succeeded in extracting private keys from an nginx test server using the Heartbleed bug. The server belongs to the company Cloudflare, which wanted to establish by means of a competition that extracting private keys is impossible. (Server, OpenSSL)
---------------------------------------------
http://www.golem.de/news/heartbleed-keys-auslesen-ist-einfacher-als-gedacht…
*** NSA claims to have known nothing about the "Heartbleed" flaw ***
---------------------------------------------
In a report, the news agency Bloomberg had claimed that the OpenSSL flaw had been known to the NSA for two years. The US authorities, however, quickly denied this.
---------------------------------------------
http://www.heise.de/security/meldung/NSA-will-nichts-von-Heartbleed-Luecke-…
*** Heartbleed shows: Google must get Android updates under control ***
---------------------------------------------
Only one almost two-year-old version affected, but many millions of devices at risk - updates unlikely
---------------------------------------------
http://derstandard.at/1397301984464
*** "Heartbleed": Thousands of Austrian websites still affected ***
---------------------------------------------
Security flaw found on web servers of public institutions - schools and municipalities affected
---------------------------------------------
http://derstandard.at/1397302008116
*** Identity theft: 7,500 domain operators in Austria affected ***
---------------------------------------------
The Federal Criminal Police Office is now informing all operators of affected domains
---------------------------------------------
http://derstandard.at/1397302034346
*** OpenSSL use-after-free race condition read buffer ***
---------------------------------------------
Topic: OpenSSL use-after-free race condition read buffer Risk: High Text:About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its defaul...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040079
*** Citrix VDI-in-a-Box Discloses Administrator Password to Local Users ***
---------------------------------------------
http://www.securitytracker.com/id/1030068
*** Arbitrary Code Execution Bug in Android Reader ***
---------------------------------------------
A security vulnerability in Adobe Reader for Android could give an attacker the ability to execute arbitrary code.
---------------------------------------------
http://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-04-2014 18:00 − Friday 11-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Heartbleed vendor information / statistics ***
---------------------------------------------
https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://securityaffairs.co/wordpress/23878/intelligence/statistics-impact-he…
*** Hacked online accounts: More than ten million uses of security check ***
---------------------------------------------
The BSI's second security check for hacked online accounts is also meeting with great interest. However, a security block by GMX and web.de continues to cause confusion.
---------------------------------------------
http://www.golem.de/news/gehackte-online-konten-mehr-als-zehn-millionen-abr…
*** The Heartbleed Hit List: The Passwords You Need to Change Right Now ***
---------------------------------------------
... it hasn't always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, we've rounded up the responses from some of the most popular social, email, banking and commerce sites on the web.
---------------------------------------------
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
*** Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M ***
---------------------------------------------
In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scanning the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then proceeded to separate the sites which use SSL and further categorized those under "vulnerable" or "safe". The data we were able to...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-vulne…
*** Espionage botnet exploited Heartbleed flaw months ago ***
---------------------------------------------
Already in November, a botnet designed for espionage apparently tried to siphon off data through the OpenSSL flaw - possibly on behalf of an intelligence service. The good news: the number of servers still vulnerable is declining.
---------------------------------------------
http://www.heise.de/security/meldung/Spionage-Botnet-nutzte-Heartbleed-Luec…
*** Heartbleed: Apple users are not affected ***
---------------------------------------------
Neither Mac OS X, iOS nor Apple services such as iCloud are affected by the Heartbleed vulnerability, because Apple does not use OpenSSL. Some apps, however, do use the crypto library. (Apple, Server applications)
---------------------------------------------
http://www.golem.de/news/heartbleed-apple-nutzer-sind-nicht-betroffen-1404-…
*** Heartbleed Explanation ***
---------------------------------------------
http://xkcd.com/1354/
*** Critical Update for JetPack WordPress Plugin ***
---------------------------------------------
The Jetpack team just released a critical security update to fix a security vulnerability in the Jetpack WordPress plugin. The vulnerability allows an attacker to bypass the site's access control and publish posts on the site. All versions of JetPack since October 2012 (Jetpack 1.9) are vulnerable, and all users should update to version 2.9.3.
---------------------------------------------
http://blog.sucuri.net/2014/04/critical-update-for-jetpack-wordpress-plugin…
*** Security Updates for VMware vSphere ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
http://www.vmware.com/security/advisories/VMSA-2014-0003.html
*** IBM SPSS Analytic Server Discloses Passwords to Remote Authenticated Users ***
---------------------------------------------
http://www.securitytracker.com/id/1030051
*** [2014-04-11] Multiple vulnerabilities in Plex Media Server ***
---------------------------------------------
Plex Media Server contains several vulnerabilities that allow an attacker to intercept traffic between Plex Media Server and clients in plaintext. Furthermore, Cross Site Request Forgery (CSRF) vulnerabilities allow an attacker to execute privileged commands in the context of Plex Media Server.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-04-2014 18:00 − Thursday 10-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Background: Passwords at risk - what now? ***
---------------------------------------------
Because of Heartbleed, many millions of passwords are theoretically at risk yet again. Security experts advise changing all of them. heise Security editor-in-chief Jürgen Schmidt sees it differently.
---------------------------------------------
http://www.heise.de/security/artikel/Passwoerter-in-Gefahr-was-nun-2167584.…
*** Heartbleed: 600,000 servers still unprotected ***
---------------------------------------------
The Heartbleed security flaw continues to spread its impact. The vulnerability may have been exploited for months already.
---------------------------------------------
http://futurezone.at/digital-life/heartbleed-600-000-server-immer-noch-unge…
*** Security flaw: Companies can be liable for damage caused by Heartbleed ***
---------------------------------------------
The Heartbleed bug is regarded as one of the most serious security flaws of all time. Millions of SSL-secured websites were affected, and the first cases of abuse have become known. Can companies and admins who have not fixed the bug be held liable for damages? Golem.de asked. (Ruby, OpenSSL)
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-unternehmen-koennen-fuer-schaede…
*** Smartphones (almost) unaffected by the SSL meltdown ***
---------------------------------------------
None of the major smartphone platforms uses one of the OpenSSL libraries vulnerable to Heartbleed in its current version. Only Android users with a moderately old version need an update.
---------------------------------------------
http://www.heise.de/security/meldung/Smartphones-vom-SSL-GAU-fast-nicht-bet…
*** OpenSSL bug: Traces of Heartbleed as early as November 2013 ***
---------------------------------------------
A system administrator has allegedly found exploit code for the Heartbleed bug in a log file from November of last year. The EFF is calling on other administrators to investigate. (Technology, Server)
---------------------------------------------
http://www.golem.de/news/openssl-bug-spuren-von-heartbleed-schon-im-novembe…
*** Crime: The underground is digital ***
---------------------------------------------
How can crime 2.0 be tackled jointly? The answer at the congress of the Verband für Sicherheitstechnik: integration, closer cooperation, collaboration, and hoping for active citizens and data retention.
---------------------------------------------
http://www.heise.de/security/meldung/Kriminalitaet-Der-Untergrund-ist-digit…
*** Windows XP: Reluctant switchers in a patch dilemma ***
---------------------------------------------
The official end of XP support does not mean that no more patches may appear online. For users, however, installing such files could be dangerous. (Microsoft, Spam)
---------------------------------------------
http://www.golem.de/news/windows-xp-wechselmuffel-im-patch-dilemma-1404-105…
*** "Heartbleed" hole - seize the opportunity ***
---------------------------------------------
As F-Secure writes in a blog post, administrators should use the clean-up work in the wake of the "Heartbleed" hole to bring the corresponding configurations up to date as well. F-Secure recommends the OWASP Transport Layer Protection Cheat Sheet for this; we agree and add the Better Crypto Hardening Paper (PDF) from bettercrypto.org.
---------------------------------------------
http://www.cert.at/services/blog/20140409164644-1090.html
*** JSA10623 - 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10623&actp=RSS
*** JSA10618 - 2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted IGMP packets (CVE-2014-0614) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10618&actp=RSS
*** OpenVPN Access Server OpenSSL TLS Heartbeat Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57755
*** Multiple Vulnerabilities in Cisco ASA Software ***
---------------------------------------------
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-04-2014 18:00 − Wednesday 09-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security updates available for Adobe Flash Player (APSB14-09) ***
---------------------------------------------
A Security Bulletin (APSB14-09) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1081
*** Assessing risk for the April 2014 security updates ***
---------------------------------------------
Today we released four security bulletins addressing 11 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/04/08/assessing-risk-for-the-ap…
*** Summary for April 2014 - Version: 1.0 ***
---------------------------------------------
* Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
* Cumulative Security Update for Internet Explorer
* Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
* Vulnerability in Microsoft Publisher Could Allow Remote Code Execution
---------------------------------------------
http://technet.microsoft.com/en-ca/security/bulletin/ms14-apr
*** WordPress 3.8.2 Security Release ***
---------------------------------------------
WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.
This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
---------------------------------------------
http://wordpress.org/news/2014/04/wordpress-3-8-2/
*** OSISoft PI Interface for DNP3 Improper Input Validation ***
---------------------------------------------
Overview: Adam Crain of Automatak and Chris Sistrunk, Sr. Consultant for Mandiant, have identified an improper input validation vulnerability in the OSIsoft PI Interface for DNP3 product. OSIsoft has produced an update that mitigates this vulnerability. OSIsoft and Automatak have tested the new version to validate that it resolves the vulnerability. This vulnerability can be remotely exploited.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-098-01
*** WellinTech KingSCADA Stack-Based Buffer Overflow ***
---------------------------------------------
An anonymous researcher working with HP’s Zero Day Initiative has identified a stack-based buffer overflow in the WellinTech KingSCADA Stack. WellinTech has produced a patch that mitigates this vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02
*** OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products ***
---------------------------------------------
Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** The April 2014 Security Updates ***
---------------------------------------------
Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-…
*** Heartbleed SSL meltdown: The country needs new certificates ***
---------------------------------------------
A simple update is not enough: after the OpenSSL hole, server operators must replace their certificates. Some CAs do this free of charge; other certificate providers and hosters leave it at warnings.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Heartbleed-SSL-GAU-Neue-Zertifikate-…
*** Juniper SSL VPN (IVEOS) OpenSSL TLS Heartbeat Information Disclosure Vulnerability ***
---------------------------------------------
Juniper has acknowledged a vulnerability in Juniper SSL VPN (IVEOS), which can be exploited by malicious people to disclose potentially sensitive information.
---------------------------------------------
https://secunia.com/advisories/57758
*** Bugtraq: CVE-2014-0160 mitigation using iptables ***
---------------------------------------------
Following up on the CVE-2014-0160 vulnerability (Heartbleed), we've created some iptables rules to block all heartbeat queries using the very powerful u32 module.
The rules allow you to mitigate systems that can't yet be patched by blocking ALL the heartbeat handshakes. We also like the capability to log external scanners :)
---------------------------------------------
http://www.securityfocus.com/archive/1/531779
*** Heartbleed vendor notifications, (Wed, Apr 9th) ***
---------------------------------------------
As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc. about the issue.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17929&rss
*** Bugtraq: SQL Injection in Orbit Open Ad Server ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain control over the vulnerable website.
---------------------------------------------
http://www.securityfocus.com/archive/1/531781
*** Office for Mac: Update plugs critical hole ***
---------------------------------------------
With a new OS X version of Office 2011, Microsoft has eliminated the RTF vulnerability in Word. The update is meant to fix various problems in Outlook, Excel and Word.
---------------------------------------------
http://www.heise.de/security/meldung/Office-fuer-Mac-Update-stopft-kritisch…
*** Sophos Web Appliance Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos Web Appliance, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an unspecified error related to the "Change Password" dialog box and can be exploited to change the administrative password.
---------------------------------------------
https://secunia.com/advisories/57706
*** Security Notice-Statement on OpenSSL Heartbeat Extension Vulnerability ***
---------------------------------------------
Huawei has noticed information regarding OpenSSL heartbeat extension security vulnerability and immediately launched a thorough investigation.
The investigation is still ongoing. Huawei PSIRT will keep updating the SN and will provide conclusions as soon as possible. Please stay tuned.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-04-2014 18:00 − Tuesday 08-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The meltdown for encryption on the web: Horror bug in OpenSSL ***
---------------------------------------------
An extremely serious programming error apparently endangers the encryption, keys and data of connections secured with OpenSSL on the Internet. Given how widespread the open-source library is, this is quite a catastrophe.
---------------------------------------------
http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-H…
*** VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability ***
---------------------------------------------
Vulnerability Note VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability. Original Release date: 07 Apr 2014 | Last revised: 07 Apr 2014
Overview: Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contain an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user.
Description: CWE-200: Information Exposure. When logged into the Websense Triton
---------------------------------------------
http://www.kb.cert.org/vuls/id/568252
*** Energy utility tests its security - and fails ***
---------------------------------------------
In "Stirb langsam 4.0" (Live Free or Die Hard), cyber-crooks shut down the entire power supply in the eastern USA over the Internet. An unrealistic scenario? Not quite ...
---------------------------------------------
http://www.heise.de/newsticker/meldung/Energieversorger-testet-Sicherheit-u…
*** The Muddy Waters of XP End-of-Life and Public Disclosures ***
---------------------------------------------
Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XP's end-of-life date at hand. Will there be a rash of public disclosures?
---------------------------------------------
http://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclos…
*** Data of more than 500 million users stolen in 2013 ***
---------------------------------------------
According to calculations by IT security experts, the data of more than half a billion Internet users was stolen in online attacks last year.
---------------------------------------------
http://futurezone.at/digital-life/2013-wurden-daten-von-ueber-500-millionen…
*** Background: c't Fritzbox test detects hidden devices ***
---------------------------------------------
Some users of the Fritzbox test get unexpected results. Not infrequently, WLAN APs, repeaters or other AVM devices are the cause. There are also a few sources of error that can make a manual test necessary.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergrund-c-t-Fritzbox-Test-spuert…
*** The 2013 Internet Security Threat Report: Year of the Mega Data Breach ***
---------------------------------------------
Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things.
---------------------------------------------
http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-…
*** Cacti Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and compromise a vulnerable system.
* CVE-2014-2326
* CVE-2014-2708
* CVE-2014-2709
---------------------------------------------
https://secunia.com/advisories/57647
*** Open-Xchange Email Autoconfiguration Information Disclosure Weakness ***
---------------------------------------------
A weakness has been reported in Open-Xchange, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to the application communicating certain information via parameters of a GET request when using the email autoconfiguration, which can be exploited to disclose the account password.
---------------------------------------------
https://secunia.com/advisories/57654
*** VU#345337: J2k-Codec contains multiple exploitable vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#345337: J2k-Codec contains multiple exploitable vulnerabilities. Original Release date: 08 Apr 2014 | Last revised: 08 Apr 2014
Overview: J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description: J2k-Codec is a JPEG 2000 decoding library for Windows. J2k-Codec contains multiple exploitable vulnerabilities that can lead to arbitrary code execution.
---------------------------------------------
http://www.kb.cert.org/vuls/id/345337
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-04-2014 18:00 − Monday 07-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** BSI website for checking whether your own e-mail address is affected by the current case ***
---------------------------------------------
As part of an ongoing investigation by the public prosecutor's office in Verden (Aller), another case of large-scale identity theft has been uncovered.
...
This website offers a way to check whether you are affected by the identity theft.
---------------------------------------------
https://www.sicherheitstest.bsi.de/
*** VirusShield: Just a logo - nothing else ***
---------------------------------------------
The Android app VirusShield reached enormous sales figures within a very short time. However: the app does nothing at all. (Google, Virus scanner)
---------------------------------------------
http://www.golem.de/news/virusshield-nur-ein-logo-sonst-nichts-1404-105677-…
*** Hash function: Draft of the SHA-3 standard available ***
---------------------------------------------
The US agency NIST has presented a draft for the standardisation of the SHA-3 hash function. There is now a three-month window for comments. (Technology, Encryption)
---------------------------------------------
http://www.golem.de/news/hash-funktion-entwurf-fuer-sha-3-standard-liegt-vo…
*** Those strange e-mails with URLs in them can lead to Android malware, (Sat, Apr 5th) ***
---------------------------------------------
You've probably gotten a few of these e-mails over the last few months (I saw the first one of this latest kind in early Feb), we got one to the handlers list earlier this week which prompted this diary. They seem pretty innocuous, they have little or no text and a URL like the one shown below. Note: the above link doesn't lead to the malware anymore, so I didn't obscure it. Most seem to be sent from Yahoo! (or Yahoo!-related e-mail addresses), so they may be coming from addresses that were
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17909&rss
*** XMPP-Layer Compression Uncontrolled Resource Consumption ***
---------------------------------------------
Topic: XMPP-Layer Compression Uncontrolled Resource Consumption | Risk: Medium
Text: Uncontrolled Resource Consumption with XMPP-Layer Compression. Original Release Date: 2014-04-04 | Last Updated: 2014-04-04 ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040034
*** Fake Voting Campaign Steals Facebook Users’ Identities ***
---------------------------------------------
Contributor: Parag Sawant. Phishers continuously come up with various plans to enhance their chances of harvesting users’ sensitive information. Symantec recently observed a phishing campaign where data is collected through a fake voting site which asks users to decide whether boys or girls are greater.
---------------------------------------------
http://www.symantec.com/connect/blogs/fake-voting-campaign-steals-facebook-…
*** Advice for Enterprises in 2014: Protect Your Core Data ***
---------------------------------------------
Some companies may think – “if it can happen to a spy agency, there’s nothing we could do. We should just give up and not protect our data anymore.” Others may say: “let’s build a bigger wall around our data.” Both approaches are incorrect. Obviously, you have to protect your data. However, neither can enterprises just try and protect everything with the same rigor. ... What an enterprise needs to focus on is what really needs to be protected.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/advice-for-enter…
*** Microsoft spells out new rules for exiling .EXEs ***
---------------------------------------------
Microsoft has updated the methodology it uses to define adware, a move designed to make it clearer just what the company considers worthy for removal by its malware tools. ... The kinds of “unwanted behaviours” that Redmond is looking for will be familiar to anyone who's been burned by mistakenly clicking on the link, with lack of user choice or control topping the list.
---------------------------------------------
http://www.theregister.co.uk/2014/04/07/microsoft_puts_adware_in_the_crossh…
*** Netgear closes backdoor in DGN1000 modem router ***
---------------------------------------------
The company has released a firmware update that is meant to close the backdoor on port 32764 of the DSL modem router. Through the hole, attackers can grab the devices' passwords.
---------------------------------------------
http://www.heise.de/security/meldung/Netgear-schliesst-Hintertuer-in-Modemr…
*** RSA Data Loss Prevention Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in RSA Data Loss Prevention, which can be exploited by malicious users to bypass certain security restrictions.
The security issue is caused due to an error within the session management and can be exploited to access otherwise restricted content.
---------------------------------------------
https://secunia.com/advisories/57464
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-04-2014 18:00 − Friday 04-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** SMBEXEC Rapid Post Exploitation Tool ***
---------------------------------------------
Smbexec is a tool that you can use for penetration testing domain controllers; the program allows running post-exploitation for domain accounts and expanding access to the targeted network. This gives the pentester full access without any privilege requirement.
---------------------------------------------
http://www.sectechno.com/2014/03/30/smbexec-rapid-post-exploitation-tool/
*** IBM Security Bulletin: Fixes available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal (CVE-2014-0828 and CVE-2014-0901) ***
---------------------------------------------
Fixes are available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal.
CVE(s): CVE-2014-0828 and CVE-2014-0901
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: WebSphere Partner Gateway Advanced/Enterprise is affected by vulnerabilities that exist in the IBM SDK for Java (CVE-2014-0411) ***
---------------------------------------------
WebSphere Partner Gateway Advanced/Enterprise uses IBM SDK for Java that is based on Oracle JDK. Oracle has released January 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes. CVE(s): CVE-2014-0411
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OTRS Help Desk clickjacking ***
---------------------------------------------
OTRS Help Desk could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92233
*** iOS 7.1 bug enables iCloud account deletion, disabling Find My iPhone, without password ***
---------------------------------------------
A bug demonstrated by a YouTube user on Wednesday may enable a thief to delete an iCloud account, disable Find My iPhone, and ultimately restore the device, without the need of a password.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/kToL7uqo4FE/
*** Your files held hostage by CryptoDefense? Dont pay up! The decryption key is on your hard drive ***
---------------------------------------------
Blunder discovered in latest ransomware infecting PCs. A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/03/cryptodefen…
*** Advance Notification Service for the April 2014 Security Bulletin Release ***
---------------------------------------------
Today we provide advance notification for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer. The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-ser…
*** Schneider Electric OPC Factory Server Buffer Overflow ***
---------------------------------------------
Overview: Researcher Wei Gao, formerly of IXIA, has identified a buffer overflow vulnerability in the Schneider Electric OPC Factory Server (OFS) application. Schneider Electric has produced a patch that mitigates this vulnerability. Wei Gao has tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-093-01
*** Adware: A new approach ***
---------------------------------------------
Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs. Our updated objective criteria
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.as…
*** Zeus malware found with valid digital certificate ***
---------------------------------------------
A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection from Web browsers and anti-virus systems. Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component. "Malware with a valid digital signature is an extremely dangerous situation," the
---------------------------------------------
http://www.csoonline.com/article/2140021/data-protection/zeus-malware-found…
*** Linux-PAM "pam_timestamp" Module Two Directory Traversal Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Linux-PAM, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57317
*** E-mail accounts hacked: BSI wants to inform millions of affected users ***
---------------------------------------------
Authorities and providers want to inform users about the hack of e-mail accounts. How and when the campaign is to start has not yet been decided. (Spam, Computer)
---------------------------------------------
http://www.golem.de/news/e-mail-konten-gehackt-bsi-will-millionen-betroffen…
*** TLS libraries: Finding bugs with faulty certificates ***
---------------------------------------------
Using faulty X.509 certificates, researchers have found numerous bugs in TLS libraries, some of them security-critical. Once again, a serious security hole was discovered in GnuTLS. (Browser, Technology)
---------------------------------------------
http://www.golem.de/news/tls-bibliotheken-fehler-finden-mit-fehlerhaften-ze…
*** Cisco Emergency Responder - Multiple vulnerabilities ***
---------------------------------------------
Cross-Site Scripting - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Cross-Site Request Forgery - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Open Redirect - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Dynamic Content Modification - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** PHP 5.4.27 released, (Fri, Apr 4th) ***
---------------------------------------------
A new version of PHP has been released. The announcement comments: "The PHP development team announces the immediate availability of PHP 5.4.27. 6 bugs were fixed in this release, including CVE-2013-7345 in fileinfo module."
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17901&rss
*** April 8th: Not Just About XP ***
---------------------------------------------
April 8th will soon be upon us! And that means… Countdown Clocks… the end of extended support for Windows XP. But not just XP. Office 2003 is also reaching its end of life. And that's especially important to know because there's currently an Office vulnerability in the wild. Microsoft released its Security Bulletin Advance Notification yesterday: And the good news is: a patch for the Word vulnerability appears to be in the pipeline.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002690.html
*** Dealing with Disaster - A Short Malware Incident Response, (Fri, Apr 4th) ***
---------------------------------------------
I had a client call me recently with a full on service outage - his servers weren't reachable, his VOIP phones were giving him more static than voice, and his Exchange server wasn't sending or receiving mail - pretty much everything was offline. I VPN'd in (I was not onsite) and started with the firewall, because things were bad enough that's all I could initially get to from a VPN session.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17905&rss
*** Cisco IOS XR Software ICMPv6 Redirect Vulnerability ***
---------------------------------------------
A vulnerability in Internet Control Message Protocol version 6 (ICMPv6) processing of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to affect IPv4 and IPv6 traffic passing through an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Researchers Uncover Interesting Browser-Based Botnet ***
---------------------------------------------
Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the site with traffic. The attack on the unnamed site involved the use of injected Javascript on the site which would execute in […]
---------------------------------------------
http://threatpost.com/researchers-uncover-interesting-browser-based-botnet/…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 02-04-2014 18:00 − Donnerstag 03-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Researchers Divulge 30 Oracle Java Cloud Service Bugs ***
---------------------------------------------
Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed over two dozen issues with the company’s Java Cloud Service platform.
---------------------------------------------
http://threatpost.com/researchers-divulge-30-oracle-java-cloud-service-bugs…
*** Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware ***
---------------------------------------------
As your site's webmaster, have you ever seen an e-mail from Google like this: "Hello, We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won't be able to run any of your ads that link to that site, and any new ads pointing to that site will also ..."
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/kz7JGX2ydIU/ad-violations-why…
*** IBM Lotus Web Content Management cross-site scripting ***
---------------------------------------------
IBM Lotus Web Content Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90566
*** Watching the watchers, (Thu, Apr 3rd) ***
---------------------------------------------
A lot of companies today have various IDS and IPS devices implemented in their internal network (especially if you must be compliant with PCI DSS, for example). So these devices get implemented to monitor various traffic at various interfaces/perimeters in a company, but the question I got asked is: how can we be sure that the IDS/IPS is doing its job? Obviously, some simple monitoring should be in place – this typically consists of pinging the device or collecting various counters such
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17895&rss
*** Macro-Enabled Files Used as Infection Vectors (Again) ***
---------------------------------------------
Macro-based attacks were popular in the early 2000s, but they gained much notoriety with the much publicized coverage of the Melissa virus. However, macro-based attacks soon began to drop off the radar. One major reason for this would be the security measures implemented by Microsoft to address malicious macro files. Another probable reason would also […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1X49GtDdVuU/
*** New Check_MK stable release 1.2.4p1 ***
---------------------------------------------
The most important changes are security patches for two CVEs (CVE-2014-2330 and CVE-2014-2331) which were published on 2014-03-24 and 2014-03-28 on the bugtraq mailing list. The mail from 2014-03-24 contained wrong information on the not-fixed issues, which was corrected with the mail from 2014-03-28. All of the reported security related issues are fixed with this release.
---------------------------------------------
http://lists.mathias-kettner.de/pipermail/checkmk-announce/2014-April/00008…
*** A Series of Introductory Malware Analysis Webcasts ***
---------------------------------------------
If you are looking to get started with malware analysis, tune into the webcast series I created to illustrate key tools and techniques for examining malicious software.
---------------------------------------------
http://blog.zeltser.com/post/80874760857/introductory-malware-analysis-webc…
*** Twelve sources of global cyber attack maps ***
---------------------------------------------
1 - Cyber Warfare Real Time Map by Kaspersky
2 - Top Daily DDoS Attacks Worldwide by Google
3 - Security Tachometer by Deutsche Telekom
4 - Cyberfeed Live Botnet Map by AnubisNetworks
5 - Real-time Web Monitor by Akamai
6 - IpViking Live Map by Norse
7 - Honeypots from the Honeynet Project
8 - Global Activity Maps by Arbor
9 - Global Botnet Threat Activity Map by Trend Micro
10 - DDoS Attacks by ShadowServer
11 - Internet Malicious Activity Maps by TeamCymru
12 - Globe and WorldMap by F-Secure
---------------------------------------------
http://sseguranca.blogspot.com.br/2014/03/ten-sources-of-global-cyber-attac…
*** SNMPCheck - Enumerate the SNMP devices ***
---------------------------------------------
Like snmpwalk, snmpcheck allows you to enumerate SNMP devices and presents the output in a very human-readable format. It could be useful for penetration testing or systems monitoring.
---------------------------------------------
http://hack-tools.blackploit.com/2014/04/snmpcheck-enumerate-snmp-devices.h…
*** The Right Stuff: Staffing Your Corporate SOC ***
---------------------------------------------
In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.
Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education.
---------------------------------------------
http://www.darkreading.com/operations/careers-and-people/the-right-stuff-st…
*** FortiBalancer SSH Access Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in FortiBalancer, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a configuration error related to SSH access and can be exploited to gain otherwise restricted SSH access.
The vulnerability is reported in FortiBalancer 400, 1000, 2000, and 3000.
---------------------------------------------
https://secunia.com/advisories/57673
*** Security: Investigators discover data set with 18 million mail accounts ***
---------------------------------------------
Once again, a file containing millions of hacked mail accounts has been seized. All major German e-mail providers and several international providers are said to be affected. (Spam, Computer)
---------------------------------------------
http://www.golem.de/news/sicherheit-fahnder-entdecken-datensatz-mit-18-mill…
*** Tool Estimates Incident Response Cost for Businesses ***
---------------------------------------------
A new tool called CyberTab will help businesses estimate the cost of real and potential cyberattacks, and the amount a company could possibly save by investing in preventative measures and technologies.
---------------------------------------------
http://threatpost.com/tool-estimates-incident-response-cost-for-businesses/…
*** Bugtraq: [softScheck] Denial of Service in Microsoft Office 2007-2013 ***
---------------------------------------------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process.
In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup.
To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted.
---------------------------------------------
http://www.securityfocus.com/archive/1/531722
*** DFRWS EU 2014 Annual Conference ***
---------------------------------------------
DFRWS has a long history of being the foremost digital forensics research venue and has decided to hold a sister conference to bring the same opportunities to Europe. The first annual DFRWS EU conference will be held from May 7 to 9, 2014 in Amsterdam, NL.
---------------------------------------------
http://www.dfrws.org/2014eu/
*** Cisco IOS Software IKE Main Mode Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange (IKE) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to delete established security associations on an affected device.
The vulnerability is due to improper handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted IKE Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE security associations on an affected device to drop.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 01-04-2014 18:00 − Mittwoch 02-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Whitehat Security's Aviator browser is coming to Windows ***
---------------------------------------------
I have had the privilege of knowing Jeremiah Grossman, the iCEO of Whitehat Security, for many years now. He has spoken on many occasions about web security and specifically web browser security or rather, the lack thereof. I recall at one point asking him, "OK, what do you use as a web browser?" He paused, smiled and said, "My own". That Cheshire cat response played over again in my head when Whitehat Security released their browser offering called Aviator. This is a
---------------------------------------------
http://www.csoonline.com/article/2136258/application-security/whitehat-secu…
*** 110,000 Wordpress Databases Exposed ***
---------------------------------------------
For years now I've been writing my various blog posts and I have used many different kinds of CMS platforms, right back to posting using VI back in the 90s. My favourite platform that I've used to create content has been Wordpress by far. I can almost hear the security folks cringe. Yes, it is a massive headache to lock down. But, I fight on as the user experience makes the pain worthwhile. OK, maybe worthwhile isn't the correct word. This is a platform that has had a long history of security
---------------------------------------------
http://www.csoonline.com/article/2136246/application-security/110-000-wordp…
*** "ct wissen Windows": How to master the end of support for Windows XP ***
---------------------------------------------
Just in time for the end of support for Windows XP, we are publishing "ct wissen Windows", a handbook for everyone affected. It not only explains what the end of support actually means, but above all provides hands-on instructions.
---------------------------------------------
http://www.heise.de/newsticker/meldung/c-t-wissen-Windows-So-meistern-Sie-d…
*** Call for packets udp/137 broadcast, (Tue, Apr 1st) ***
---------------------------------------------
One of our readers has reported that he has seen broadcast traffic to udp/137. He suspected that the traffic caused a denial of service on some of his systems. If you have seen such traffic and you would like to share some packets, we would appreciate that.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17887&rss
*** AlienVault Open Source SIM date_from SQL injection ***
---------------------------------------------
AlienVault Open Source SIM (OSSIM) is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to the ISO27001Bar1.php script using the date_from parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92172
*** Password bug let me see shoppers credit cards in eBay ProStores, claims infosec bod ***
---------------------------------------------
Online bazaar fixes store account hijack flaw, we're told. A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed, according to the security researcher who says he found the hole.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/01/ebay_stores…
*** Fake Google apps removed from Windows Phone Store by Microsoft ***
---------------------------------------------
Five phony Google apps appeared in the app store, each with a $1.99 price tag, before being removed by the company.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/fXb73Il-oZg/
*** Hack of Boxee.tv exposes password data, messages for 158,000 users ***
---------------------------------------------
Huge file circulating online contains e-mail addresses, full message histories.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B676MRE54C8/
*** IT Analyst Highlights 6 IT Security 'Worst Practices' ***
---------------------------------------------
In a new Network World article, prominent IT analyst and researcher Linda Musthaler is highlighting 6 'worst practices' that companies commit on their way to undermining, destabilizing, or just plain wrecking their IT security efforts: Failing to stay up-to-date with the latest technologies and techniques. Neglecting to take a comprehensive network security approach that also [...]
---------------------------------------------
http://www.seculert.com/blog/2014/04/it-analyst-highlights-6-it-security-wo…
*** HP integrated Lights Out (iLO) IPMI Protocol Flaw Lets Remote Users Obtain Hashed Passwords ***
---------------------------------------------
A vulnerability was reported in HP integrated Lights Out (iLO). A remote user can obtain hashed passwords.
A remote user can invoke the IPMI 2.0 protocol to obtain the target user's salted SHA1 or MD5 hash.
The vulnerability resides in the protocol design and is mandated by the IPMI 2.0 specification.
---------------------------------------------
http://www.securitytracker.com/id/1029981
*** Extended Random: The PHANTOM NSA-RSA backdoor that never was ***
---------------------------------------------
Prof's paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell. Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/02/extended_ra…
*** Safari for Mac OS X: Update closes security holes and brings some new features ***
---------------------------------------------
Apple's web browser is available in new versions for OS X Mavericks and OS X Mountain Lion. Besides patches for security holes, there are bug fixes and changes to the notification feature.
---------------------------------------------
http://www.heise.de/security/meldung/Safari-fuer-Mac-OS-X-Update-schliesst-…
*** [2014-04-02] Multiple vulnerabilities in Rhythm File Manager ***
---------------------------------------------
An attacker being able to connect to the Android device (e.g. if he uses the same Wireless network), can access arbitrary local files from the device while the File Manager app is being used to stream media. Moreover, a malicious Android app or an attacker being able to connect to the Android device may issue system commands as the user "root" if "root browsing" is enabled.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Analysis: Financial cyber threats in 2013. Part 1: phishing ***
---------------------------------------------
It has been quite a few years since cybercriminals started actively stealing money from user accounts at online stores, e-payment systems and online banking systems.
---------------------------------------------
http://www.securelist.com/en/analysis/204792330/Financial_cyber_threats_in_…
*** Bugtraq: [IMF 2014] Call for Participation ***
---------------------------------------------
See the program at:
http://www.imf-conference.org/imf2014/program.html
The conference will take place from Monday, May 12th through Wednesday,
May 14th in Münster, Germany.
Registration details:
http://www.imf-conference.org/imf2014/registration.html
---------------------------------------------
http://www.securityfocus.com/archive/1/531707
*** VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability ***
---------------------------------------------
Vulnerability Note VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability
Original Release date: 02 Apr 2014 | Last revised: 02 Apr 2014
Overview: Huawei Echo Life HG8247 optical router contains a stored cross-site scripting (XSS) vulnerability.
Description: It has been reported that Huawei Echo Life HG8247 optical routers running software version V1R006C00S120 or earlier contain a stored cross-site scripting (XSS) vulnerability. An unauthenticated attacker can perform a stored
---------------------------------------------
http://www.kb.cert.org/vuls/id/917700
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 31-03-2014 18:00 − Dienstag 01-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Report: RSA endowed crypto product with second NSA-influenced code ***
---------------------------------------------
Extended Random like "dousing yourself with gasoline," professor warns.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/TbwAXYKTq34/
*** Old School Code Injection in an ATM .dll ***
---------------------------------------------
During our last ATM review engagement, we found some interesting executable files that were run by Windows Services under Local System account. These binaries had weak file permissions that allowed us to modify them using the standard ATM user account. As a proof of concept, I decided to inject some code into one of them to take full control of the system. This post is about the technique I used to inject the code into a .dll used by one of the Windows Services. I’m sure there are many
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/CRAp6jZhvVE/injecting-…
*** A Look at the GnuTLS X.509 Verification Code Flaw ***
---------------------------------------------
... it was found that the GnuTLS X.509 certificate verification code fails to properly handle certain error conditions that may occur during the certificate verification process. While verifying the certificate, GnuTLS would report it as successful verification of the certificate, even though verification should have resulted in a failure. This means that invalid certificates may be accepted as valid,
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/iSFhF7R9kFI/
*** Creating an intelligent “sandbox” for coordinated malware eradication ***
---------------------------------------------
Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference. Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption, to a state of coordinated malware eradication.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-…
*** It's not the breach that kills you, it's the cover-up ***
---------------------------------------------
It's how you handle yourself during and after a breach that will determine just how detrimental the breach actually is for your organization.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Mi55LWhfA9c/
*** Managing Windows XP’s Risks in a Post-Support World ***
---------------------------------------------
There are now less than two weeks left until Microsoft terminates support for the incredibly long-lived Windows XP. Rarely has a tech product lasted as long as XP has – from XP's launch on October 25, 2001 to its last Patch Tuesday on April 8, 2014 a total of 12 years, 5 months, and two […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fSwrdK2qOeg/
*** EMC Cloud Tiering Appliance Request Validation Flaw Lets Remote Users View Files ***
---------------------------------------------
A vulnerability was reported in EMC Cloud Tiering Appliance. A remote user can view files on the target system.
The '/api/login' script does not properly validate user-supplied input. A remote user can supply a specially crafted XML External Entity (XXE) link to view files on the target system with root privileges.
---------------------------------------------
http://www.securitytracker.com/id/1029979
*** Grazer Linuxtage 2014: "Security on the net" with free software ***
---------------------------------------------
The alternative software scene invites you to workshops and talks at FH Joanneum
---------------------------------------------
http://derstandard.at/1395363812795
*** Horde webmail - Open Redirect Vulnerability ***
---------------------------------------------
An open redirect occurs when an application takes a parameter and redirects the user to the parameter's value without any validation.
This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040004
*** ModSecurity HTTP Requests Chunked Encoding Security Bypass Vulnerability ***
---------------------------------------------
Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error in the "modsecurity_tx_init()" function (apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially crafted request using chunked encoding.
---------------------------------------------
https://secunia.com/advisories/57444
*** c't special "Umstieg auf Linux" (Switching to Linux) available at newsstands ***
---------------------------------------------
Switching to Linux – why not? Linux offers plenty of advantages – not only for XP users, who will soon no longer receive security fixes from Microsoft. The new special issue from the c't editorial team helps with a smooth switch from Windows to Linux.
---------------------------------------------
http://www.heise.de/newsticker/meldung/c-t-Special-Umstieg-auf-Linux-am-Kio…
*** IBM WebSphere Portal Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in IBM WebSphere Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/57592
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
Two weaknesses, a security issue, and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information and manipulate certain data, by malicious users to disclose potentially sensitive information, conduct script insertion attacks, manipulate certain data, and compromise a vulnerable system and by malicious people to conduct spoofing and cross-site scripting attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57576
*** VU#893726: Zyxel P660 series modem/router denial of service vulnerability ***
---------------------------------------------
Zyxel P660 series modem/router contains a denial of service vulnerability when parsing a high volume of SYN packets on the web management interface.
---------------------------------------------
http://www.kb.cert.org/vuls/id/893726
*** Cisco Security Manager HTTP Header Redirection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Security Manager could allow an unauthenticated, remote attacker to inject a crafted HTTP header which will cause a web page redirection to a possible malicious website.
The vulnerability is due to insufficient validation of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by convincing a user to access a crafted URL.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WSA HTTP Header Injection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to inject a crafted HTTP header that could cause a web page redirection to a possible malicious website.
The vulnerability is due to insufficient validation of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by persuading a user to access a crafted URL.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-03-2014 18:00 − Montag 31-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Siemens ROS Improper Input Validation ***
---------------------------------------------
Researcher Aivar Liimets from Martem Telecontrol Systems reported an improper input validation vulnerability in the Siemens Rugged Operating System (ROS), which could cause a denial-of-service (DoS) condition against the device's management web interface. Siemens coordinated the vulnerability details with NCCIC/ICS-CERT and has provided information for mitigation of the vulnerability. This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-087-01
*** WiFi Bug Plagues Philips Internet-Enabled TVs ***
---------------------------------------------
Some versions of Philips internet-enabled SmartTVs are vulnerable to cookie theft and an array of other tricks that abuse a lax WiFi setting.
---------------------------------------------
http://threatpost.com/wifi-bug-plagues-philips-internet-enabled-tvs/105119
*** VulDB: Adobe Reader 11.0.06 sandbox privilege escalation ***
---------------------------------------------
The vulnerability was published on 28.03.2014 by VUPEN via Pwn2Own 2014. The vulnerability has been tracked as CVE-2014-0512 since 20.12.2013. It is difficult to exploit. The attack can be carried out over the network. No specific authentication is required for exploitation. No technical details are known, but a private exploit for the vulnerability is.
---------------------------------------------
http://www.scip.ch/?vuldb.12723
*** Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can create specially crafted content that, when loaded by the target user on a Windows-based system, will trigger a use-after-free and execute arbitrary code on the target system [CVE-2014-0506]. The code will run with the privileges of the target user.
VUPEN reported this vulnerability (via Pwn2Own at CanSecWest 2014).
A remote user can create specially crafted content that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2014-0510]. The code will run with the privileges of the target user.
Zeguang Zhao and Liang Chen reported this vulnerability (via Pwn2Own at CanSecWest 2014).
---------------------------------------------
http://www.securitytracker.com/id/1029969
---------------------------------------------
(Note: as far as we have been able to find out so far, no exploits for these have appeared "in the wild" yet.)
---------------------------------------------
*** nginx 1.4.6/1.5.11 Heap-based buffer overflow in the SPDY ***
---------------------------------------------
A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).
The problem affects nginx 1.3.15 - 1.5.11, compiled with the
ngx_http_spdy_module module (which is not compiled by default) and
without --with-debug configure option, if the "spdy" option of the
"listen" directive is used in a configuration file.
The problem is fixed in nginx 1.5.12, 1.4.7.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030250
*** Chip.de forum apparently hacked: 2.5 million user records affected ***
---------------------------------------------
Forum members were informed of the hack by e-mail - passwords were also insufficiently protected
---------------------------------------------
http://derstandard.at/1395363600546
*** Who's Behind the "BLS Weblearn" Credit Card Scam? ***
---------------------------------------------
A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called "BLS Weblearn" is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/MxEDIVQPC94/
*** More Device Malware: This is why your DVR attacked my Synology Disk Station, (Mon, Mar 31st) ***
---------------------------------------------
Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1]). Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected). The malware resides in /dev/cmd.so. A number of additional suspect files were located in the /dev directory which we still need to recover / analyze from the
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17879&rss
*** Crack team of cyber warriors arrives to SAVE UK from grid-crippling HACK ATTACKS ***
---------------------------------------------
National CERT goes live today. The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/31/cert_uk_lau…
*** Cisco Security Response Team Opens Its Toolbox ***
---------------------------------------------
With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage.
---------------------------------------------
https://blogs.cisco.com/security/cisco-security-response-team-opens-its-too…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-03-2014 18:00 − Freitag 28-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** New PGP keys ***
---------------------------------------------
At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy. In order to ease the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship. ...
---------------------------------------------
http://www.cert.at/services/blog/20140328155445-1086.html
*** NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes ***
---------------------------------------------
The potency of distributed denial of service attacks has increased steadily but dramatically over the last 14 months.
---------------------------------------------
http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-vol…
*** Schneider Electric Serial Modbus Driver Buffer Overflow ***
---------------------------------------------
Overview: Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflow vulnerability in Schneider Electric's Serial Modbus Driver that affects 11 Schneider Electric products. Schneider Electric has produced patches that mitigate this vulnerability. This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-086-01
*** Apple Credential Phishing via appleidconfirm.net, (Thu, Mar 27th) ***
---------------------------------------------
ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email. The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials. Upon submitting what it considers valid credentials, you're redirected to the /?2 page of the site which contains another form which appears to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17869&rss
*** SonicWALL Email Security Input Validation Flaw in 'License Management' and 'Advanced' Pages Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks.
The 'License Management' and 'Advanced' pages do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser.
---------------------------------------------
http://www.securitytracker.com/id/1029965
*** Word and Excel Files Infected Using Windows PowerShell ***
---------------------------------------------
Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.) Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hUmCpAOj9M/
*** OpenSSH 6.6 bypass SSHFP DNS RR checking by HostCertificate ***
---------------------------------------------
I've been looking at handling host keys better, and tripped over this bug. Essentially, if the server offers a HostCertificate that the client doesn't accept, then the client doesn't then check for SSHFP records.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030239
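The bug above is about the client skipping its SSHFP lookup, so the practical check is to be able to verify a host key against an SSHFP record yourself, or to publish the record for your own hosts (what `ssh-keygen -r` does). The following is an added example, not code from OpenSSH or from the bug report: it computes the SSHFP RDATA (algorithm number, fingerprint type, hex digest of the raw key blob, per RFC 4255, RFC 6594 and RFC 7479) for an OpenSSH public key line and compares an offered key against a record. The Ed25519 key in the sample is constructed for the example and belongs to no real host.

```python
import base64
import hashlib

# Added example, not from OpenSSH. SSHFP RDATA is: algorithm number,
# fingerprint type, and the hex digest over the base64-decoded key blob.

# Algorithm numbers from the SSHFP registry (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint types: 1 = SHA-1, 2 = SHA-256 (prefer 2).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex_digest) for an '<keytype> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob_b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"unsupported key type {keytype}")
    if fptype not in SSHFP_FPTYPE:
        raise ValueError(f"unsupported fingerprint type {fptype}")
    blob = base64.b64decode(blob_b64)          # raw SSH wire-format key blob
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return SSHFP_ALGORITHM[keytype], fptype, digest

def format_sshfp(owner, pubkey_line, fptype=2):
    """Render a zone-file line in the form `ssh-keygen -r` prints."""
    alg, fpt, digest = sshfp_from_pubkey(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {digest}"

def key_matches_record(pubkey_line, rdata):
    """Check an offered host key against SSHFP RDATA given as '<alg> <fptype> <hex>'."""
    alg, fpt, digest = rdata.split()
    alg, fpt = int(alg), int(fpt)
    if fpt not in SSHFP_FPTYPE:
        return False                            # unknown digest type: cannot verify
    got_alg, _, got_digest = sshfp_from_pubkey(pubkey_line, fpt)
    return got_alg == alg and got_digest.lower() == digest.lower()

# Constructed sample: a throwaway Ed25519 public key line, not any real host's.
SAMPLE_KEY = ("ssh-ed25519 "
              "AAAAC3NzaC1lZDI1NTE5AAAAIGVYcWkmW3kGe5vUr4PjvmB/f0Jt8O3p0nwfXKpOm0Y6 "
              "example@host.invalid")

if __name__ == "__main__":
    print(format_sshfp("host.invalid.", SAMPLE_KEY))
    print(format_sshfp("host.invalid.", SAMPLE_KEY, fptype=1))
```

To verify a live host, pass the key line from `ssh-keyscan -t ed25519 host` and the RDATA from `dig +short SSHFP host` to `key_matches_record`; a mismatch on a SHA-256 record is a reason to refuse the connection regardless of what the client decided about a certificate.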
*** [2014-03-28] Multiple vulnerabilities in Symantec LiveUpdate Administrator ***
---------------------------------------------
Attackers are able to compromise Symantec LiveUpdate Administrator at the application and database levels because of vulnerable password reset functionality and SQL injection vulnerabilities. This enables access to credentials of update servers on the network without prior authentication.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Python "os._get_masked_mode()" Race Condition Security Issue ***
---------------------------------------------
A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data.
The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible.
The security issue is reported in versions 3.4, 3.3, and 3.2.
---------------------------------------------
https://secunia.com/advisories/57672
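The race is in how the umask is read: setting it to 0 and immediately restoring it leaves a window in which every other thread creates files with umask 0. The following is an added example, not CPython's code or the advisory's: it shows that pattern for reference, a way to create a private file whose mode does not depend on the process umask at all, and a scan for files that ended up world-accessible. `demo()` runs deliberately under umask 0 to stand in for the worst case the race produces; paths and contents are constructed.

```python
import os
import stat
import tempfile

# Added example, not from CPython or the Secunia advisory.

def get_masked_mode_racy(mode):
    """The pattern the advisory describes. Between the two os.umask() calls
    every other thread in the process creates files with umask 0, i.e.
    world-accessible. Shown for illustration only; do not use in threaded code."""
    mask = os.umask(0)
    os.umask(mask)
    return mode & ~mask

def create_private_file(path, data=b""):
    """Create a file readable and writable by the owner only, whatever the umask.
    O_EXCL refuses to reuse an existing (possibly attacker-placed) file, and
    fchmod pins the mode after creation, so a umask of 0 cannot widen it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def world_accessible(path):
    """Return the set of world permission bits ('r', 'w', 'x') set on path."""
    mode = os.stat(path).st_mode
    bits = set()
    if mode & stat.S_IROTH:
        bits.add("r")
    if mode & stat.S_IWOTH:
        bits.add("w")
    if mode & stat.S_IXOTH:
        bits.add("x")
    return bits

def find_world_accessible(directory):
    """Walk directory and return sorted paths of files with any world bits set."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if world_accessible(p):
                hits.append(p)
    return sorted(hits)

def demo():
    """Run under umask 0, the worst case the race produces, and scan the result."""
    old = os.umask(0)
    try:
        d = tempfile.mkdtemp()                       # mkdtemp itself uses 0o700
        secret = create_private_file(os.path.join(d, "secret.key"), b"hunter2")
        leaky = os.path.join(d, "leaky.txt")
        with open(leaky, "w") as f:                  # plain open(): 0o666 & ~0 == 0o666
            f.write("exposed")
    finally:
        os.umask(old)
    return {
        "dir": d,
        "secret_bits": world_accessible(secret),
        "leaky_bits": world_accessible(leaky),
        "hits": find_world_accessible(d),
    }

if __name__ == "__main__":
    result = demo()
    print("world-accessible files:", result["hits"])
```

The scan is the check to run against directories an affected application writes to (3.2 to 3.4 per the advisory): files created by other threads while the window was open carry whatever the default mode was, typically 0o666 or 0o777 for directories.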
*** IBM Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE ***
---------------------------------------------
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE which fixes the security vulnerabilities reported in Oracle's Critical Patch Update releases of January 2014. CVE(s): CVE-2014-0423, CVE-2014-0416 and CVE-2014-0411 Affected product(s) and affected version(s): IBM WebSphere ILOG
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Cisco IOS Software High Priority Queue Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the packet driver code of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, resulting in a denial of service (DoS) condition.
CVE-2014-2131
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-03-2014 18:00 − Donnerstag 27-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Allied Telesis AT-RG634A ADSL router unauthenticated webshell ***
---------------------------------------------
Risk: High, Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030221
*** HP Multiple StoreOnce Products Unauthorised Access Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57601
*** Linux Kernel ath9k "ath_tx_aggr_sleep()" Race Condition Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57468
*** When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal ***
---------------------------------------------
Junk traffic mostly floods in from botnets. DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/27/ddos_trends…
*** DSA-2885-1 libyaml-libyaml-perl -- security update ***
---------------------------------------------
Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
---------------------------------------------
https://www.debian.org/security/2014/dsa-2885
*** Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication ***
---------------------------------------------
Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on March 26, 2014. In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication includes 5 Security Advisories that address vulnerabilities in Cisco IOS Software and 1 Security Advisory that addresses ..
---------------------------------------------
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
*** Malware Hijacks Android Mobile Devices to Mine Cryptocurrency ***
---------------------------------------------
Several bits of malware targeting Android mobile devices hijack the smartphone's or tablet's resources to mine digital currency such as Litecoin or Dogecoin.
---------------------------------------------
http://threatpost.com/malware-hijacks-android-mobile-devices-to-mine-crypto…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-03-2014 18:00 − Mittwoch 26-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** A few updates on "The Moon" worm, (Tue, Mar 25th) ***
---------------------------------------------
It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers. I think it is time for a quick update to summarize some of the things we learned since then: Much of what we found so far comes thanks to the malware analysis done by Bernado Rodriges. Bernado used QEMU to run the code in a virtual environment. QEMU is as far as I know the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17855&rss
*** WordPress pingback function abused for DDoS attacks ***
---------------------------------------------
24 March 2014
In recent days there have been numerous media reports about DDoS attacks that abuse the XML-RPC pingback function of WordPress. I would like to list some of these articles below as further reading for those affected and interested. Blog post by Daniel Cid of the security provider Sucuri, with an explanation of how the attack works. It also describes
---------------------------------------------
http://www.cert.at/services/blog/20140324230619-1079.html
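The abuse works by POSTing pingback.ping calls to xmlrpc.php on many WordPress sites, each of which then fetches the named URL from the target to verify the pingback, so it is visible in two places: the target sees GETs carrying the user agent WordPress uses for that verification ("WordPress/<version>; <site URL>; verifying pingback from <ip>"), and each abused blog sees bursts of POSTs to /xmlrpc.php from the attacker. The following is an added example, not code from CERT.at or Sucuri: two counters over Apache combined-format access logs, one for each vantage point. All log lines are constructed.

```python
import re
from collections import Counter

# Added example, not from CERT.at or Sucuri. Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agent WordPress sends while verifying a pingback.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reflectors_hitting_us(lines):
    """Target side: reflecting WordPress site -> number of pingback-verification hits."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m:
            hits[m.group("site")] += 1
    return hits

def xmlrpc_posters(lines):
    """WordPress side: client IP -> number of POSTs to xmlrpc.php."""
    posters = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            posters[rec["ip"]] += 1
    return posters

# Constructed sample: what a flooded target sees (three reflecting blogs).
TARGET_LOG = [
    '203.0.113.10 - - [24/Mar/2014:10:00:01 +0100] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.invalid; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [24/Mar/2014:10:00:01 +0100] "GET /?p=1235 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-b.invalid; verifying pingback from 198.51.100.7"',
    '203.0.113.10 - - [24/Mar/2014:10:00:02 +0100] "GET /?p=1236 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.invalid; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [24/Mar/2014:10:00:02 +0100] "GET /?p=1237 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-c.invalid; verifying pingback from 198.51.100.7"',
    '192.0.2.5 - - [24/Mar/2014:10:00:03 +0100] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

# Constructed sample: what a blog being abused as a reflector sees.
BLOG_LOG = [
    '198.51.100.7 - - [24/Mar/2014:10:00:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.2.1"',
    '198.51.100.7 - - [24/Mar/2014:10:00:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.2.1"',
    '198.51.100.7 - - [24/Mar/2014:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.2.1"',
    '192.0.2.9 - - [24/Mar/2014:10:00:01 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("reflecting sites:", reflectors_hitting_us(TARGET_LOG).most_common())
    print("xmlrpc.php POST sources:", xmlrpc_posters(BLOG_LOG).most_common())
```

The "verifying pingback from" field names the IP the reflector believes the pingback came from; with a spoofed or attacker-controlled source it identifies the attacker's infrastructure, and the site field is the list of blogs to notify. A random query string on each request, as in the sample, is what keeps the reflectors' fetches from being served from cache.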
*** Bugtraq: CVE-2013-6955 Synology DSM remote code execution ***
---------------------------------------------
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
---------------------------------------------
http://www.securityfocus.com/archive/1/531602
*** OpenSSL 1.0.0l cache side-channel attack ***
---------------------------------------------
Topic: OpenSSL 1.0.0l cache side-channel attack Risk: Medium Text: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-tim...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030197
*** Xen HVMOP_set_mem_access Input Validation Flaw Lets Local Guest Users Deny Service on the Host System ***
---------------------------------------------
A local user on the guest operating system can cause denial of service conditions on the host operating system.
The HVMOP_set_mem_access HVM control operation does not properly validate input size. A local administrative user on an HVM guest operating system can consume excessive CPU resources on the host operating system.
On version 4.2, only 64-bit versions of the hypervisor are affected.
Device model emulators (qemu-dm) are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029956
*** Walkthrough of a Recent Zbot Infection and associated CnC Server ***
---------------------------------------------
During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/kygTD5dMmHo/walkthrough-…
*** MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data ***
---------------------------------------------
rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QIuCSrAxslY/story01.htm
*** PAM timestamp internals bypass authentication ***
---------------------------------------------
Topic: PAM timestamp internals bypass authentication
Risk: Low
Text: Hi, when playing with some PAM modules for my own projects, I came across some implications of pam_timestamp (which is part ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030216
*** Nmap creator reboots Full Disclosure ***
---------------------------------------------
Gordon 'Fyodor' Lyon has revived the Full Disclosure mailing list, which had been shut down unexpectedly. He has plenty of experience administering mailing lists and is not afraid of legal threats, says the security expert.
---------------------------------------------
http://www.heise.de/security/meldung/Nmap-Erfinder-rebootet-Full-Disclosure…
*** TYPO3 CMS 6.2 LTS is now available ***
---------------------------------------------
... TYPO3 CMS 6.2 LTS, which was released today. As the second TYPO3 release with long-term support (LTS), TYPO3 CMS 6.2 LTS will receive at least three years of support from the development team behind the open-source software.
---------------------------------------------
http://typo3.org/news/article/typo3-presents-the-latest-version-of-its-free…
*** Change your VoIP password now: criminals exploiting captured Fritzbox data ***
---------------------------------------------
The Fritzbox attackers apparently collected credentials unnoticed for a long time without using them. Users now face an ugly aftermath, because most of the passwords still work. The damage runs into the hundreds of thousands.
---------------------------------------------
http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle…
*** Splunk Unspecified Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Splunk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in versions prior to 5.0.8.
---------------------------------------------
https://secunia.com/advisories/57554
*** libcURL Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
Multiple security issues have been reported in libcURL, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57434
*** 10 rules of thumb of internet safety ***
---------------------------------------------
Malicious parties on the internet try to gain access to your computer, tablet or mobile phone and to intercept personal data. Malware, phishing and spam are frequently occurring threats. These 10 rules of thumb provide a basis to protect yourself against these threats.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers ***
---------------------------------------------
Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metas…
*** [Honeypot Alert] JCE Joomla Extension Attacks ***
---------------------------------------------
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit them.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/v7CME1mpcfQ/honeypot-a…
*** Cisco IOS Software SSL VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Network Address Translation Vulnerabilities ***
---------------------------------------------
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Web Browser Security Revisited (Part 5) ***
---------------------------------------------
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they're implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we'll look at ... Chrome for Business.
---------------------------------------------
http://www.windowsecurity.com/articles-tutorials/Web_Application_Security/w…
*** Vuln: Apple Mac OS X APPLE-SA-2014-02-25-1 Multiple Security Vulnerabilities ***
---------------------------------------------
Apple Mac OS X is prone to multiple vulnerabilities.
The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect OS X versions prior to 10.9.2.
---------------------------------------------
http://www.securityfocus.com/bid/65777
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-03-2014 18:00 − Dienstag 25-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Microsoft Security Advisory (2953095): Vulnerability in Microsoft Word Could Allow Remote Code Execution - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2953095
*** Security Advisory 2953095: recommendation to stay protected and for detections ***
---------------------------------------------
Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild. Mitigations and Workaround The in the wild
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095…
*** [dos] - Windows Media Player 11.0.5721.5230 - Memory Corruption PoC ***
---------------------------------------------
#[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC
#[+] Date: 22-03-2014
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7 Pro
---------------------------------------------
http://www.exploit-db.com/exploits/32477
*** Security Notice- Allegro RomPager Information Disclosure Vulnerability in Multiple Huawei Routers ***
---------------------------------------------
Huawei has noticed an information disclosure vulnerability on the RomPager embedded web server, which is developed by Allegro. The vulnerability affects Huawei HG520c, MT880, and MT886 access routers.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti ***
---------------------------------------------
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
---------------------------------------------
http://www.securityfocus.com/archive/1/531588
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga ***
---------------------------------------------
Two vulnerabilities were found in icinga version 1.9.1.
These vulnerabilities are:
1) several buffer overflows
2) Off-by-one memory access
---------------------------------------------
http://www.securityfocus.com/archive/1/531593
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-002] vulnerabilities in check_mk ***
---------------------------------------------
Several vulnerabilities were found in check_mk version 1.2.2p2.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - Stored Cross-Site Scripting (XSS) (via URL)
3 - Stored Cross-Site Scripting (XSS) (via external data, no link necessary)
4 - Stored Cross-Site Scripting (XSS) (via external data on service port, no link necessary)
5 - Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
6 - Multiple use of exec-like function calls which allow arbitrary commands
7 - Deletion of arbitrary files
---------------------------------------------
http://www.securityfocus.com/archive/1/531594
*** Net-snmp snmptrapd Community String Processing Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send a specially crafted SNMP trap request with an empty community string to trigger a flaw in newSVpv() and cause the target snmptrapd service to crash.
Systems with the Perl handler enabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029950
*** Trojan.PWS.OSMP.21 infects payment terminals ***
---------------------------------------------
March 25, 2014 Home users aren't the only ones being targeted by today's threats - various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system.
---------------------------------------------
http://news.drweb.com/show/?i=4259&lng=en&c=9
*** RSA BSAFE Micro Edition Suite (MES) 4.0.x Denial Of Service ***
---------------------------------------------
Summary:
RSA BSAFE MES 4.0.5 contains a fix for a security vulnerability that could potentially be exploited by malicious users to
deny access to the affected system.
Details:
This vulnerability may cause unpredictable application behavior resulting in a server crash due to faulty certificate
chain processing logic.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030193
*** PHP Fileinfo libmagic AWK File Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the libmagic library bundled in the Fileinfo extension when processing certain AWK scripts, which can be exploited to cause excessive CPU resource consumption via a specially crafted AWK script file.
---------------------------------------------
https://secunia.com/advisories/57564
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57573
*** Password Hashing Competition ***
---------------------------------------------
There's a private competition to identify new password hashing schemes. Submissions are due at the end of the month.
---------------------------------------------
https://www.schneier.com/blog/archives/2014/03/password_hashin.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-03-2014 18:00 − Montag 24-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** NSA Targets Sys Admins to Infiltrate Networks ***
---------------------------------------------
The latest Snowden documents show how the National Security Agency targets system administrators, in particular their personal email and social media accounts, in order to access target networks.
---------------------------------------------
http://threatpost.com/nsa-targets-sys-admins-to-infiltrate-networks/104953
*** IBM Security Bulletin: IBM Security Directory Server can be affected by a vulnerability in IBM WebSphere Application Server (CVE-2014-0411) ***
---------------------------------------------
The IBM WebSphere Application Server component provided with IBM Security Directory Server is vulnerable to a transport layer security (TLS) timing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** BlackOS software package automates website hacking, costs $3,800 a year ***
---------------------------------------------
An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/yw9wyT8CoMQ/
*** WPA2 Wireless Security Crackable With "Relative Ease" ***
---------------------------------------------
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GNlVmrhVOM4/story01.htm
*** Android update process gives malware a leg-up to evil: Indiana U ***
---------------------------------------------
Old apps get access to privileges that didn't exist when they were written. Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/23/android_upd…
*** AWS urges developers to scrub GitHub of secret keys ***
---------------------------------------------
Devs hit with unexpected bills after leaving secret keys exposed. Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they haven't inadvertently exposed their log-in credentials.
---------------------------------------------
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-o…
*** D-Link DIR-600L Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in D-Link DIR-600L, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change administrative credentials when a logged-in user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57392
*** Array Networks vxAG / vAPV Undocumented Accounts Security Issues ***
---------------------------------------------
Some security issues have been reported in Array Networks vxAG and vAPV, which can be exploited by malicious people to bypass certain security restrictions.
The security issues are caused due to the device using certain undocumented user accounts with default credentials, which can be exploited to gain otherwise restricted access to the device.
---------------------------------------------
https://secunia.com/advisories/57442
*** PayPal for Android SSL Certificate Validation Security Issue ***
---------------------------------------------
MWR InfoSecurity has reported a security issue in PayPal for Android, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when verifying the server SSL certificate within the WebHybridClient class and can be exploited to spoof an HTTPS connection and e.g. conduct Man-in-the-Middle (MitM) attacks.
---------------------------------------------
https://secunia.com/advisories/57351
*** php-font-lib "name" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Daniel C. Marques has reported a vulnerability in php-font-lib, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via the "name" GET parameter to www/make_subset.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
---------------------------------------------
https://secunia.com/advisories/57558
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 20-03-2014 18:00 − Friday 21-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Taken in phishing attack, Microsoft's unmentionables aired by hacktivists ***
---------------------------------------------
If Microsoft and eBay aren't safe from social engineering attacks, who is?
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B9IE0Uei57U/
*** Kaspersky Internet Security Regular Expression Patterns Processing Denial of Service Vulnerability ***
---------------------------------------------
CXsecurity has discovered a vulnerability in Kaspersky Internet Security, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing regular expression patterns and can be exploited to exhaust CPU resources and render the system unusable.
---------------------------------------------
https://secunia.com/advisories/57316
*** DotNetNuke Unspecified Script Insertion Vulnerability ***
---------------------------------------------
A vulnerability has been reported in DotNetNuke, which can be exploited by malicious users to conduct script insertion attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/57429
*** WordPress WP-Filebase Download Manager Plugin Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the WP-Filebase Download Manager plugin for WordPress, which can be exploited by malicious users to compromise a vulnerable system.
...
Successful exploitation of this vulnerability requires access rights to upload files (e.g. "Editor" access rights).
The vulnerability is reported in version 0.3.0.03. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/57456
*** Zeus variant blocks user activity with full-screen pop-ups ***
---------------------------------------------
Infected users are forced to contend with open windows, which are actually legitimate sites being displayed on their desktops.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/KHHSZFOdcH0/
*** A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot ***
---------------------------------------------
Cybercriminals continue to maliciously 'innovate', further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of malicious economies of scale...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/V6XSH_U-eoU/
*** Siemens SIMATIC S7-1200 Improper Input Validation Vulnerabilities ***
---------------------------------------------
OVERVIEW: Siemens has reported two improper input validation vulnerabilities discovered separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research Agency (FOI) in Siemens' SIMATIC S7-1200 PLC. Siemens has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely. AFFECTED PRODUCTS: The following SIMATIC S7-1200 PLC versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-01
*** Siemens SIMATIC S7-1200 Vulnerabilities ***
---------------------------------------------
OVERVIEW: Siemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin's work team SCADACS, and Positive Technologies' researchers (Alexey Osipov, and Alex Timorin) have identified six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-02
*** Cisco AsyncOS Patch, (Fri, Mar 21st) ***
---------------------------------------------
Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA). The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is parsed, arbitrary commands are executed. This sounds like an OS command injection vulnerability. The parameters (assumed to be
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17839&rss
*** Linux Kernel Netfilter DCCP Processing Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Description: A vulnerability was reported in the Linux Kernel. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted DCCP data to trigger a memory corruption flaw in 'nf_conntrack_proto_dccp.c' and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1029945
*** Horde Framework Unserialize PHP Code Execution ***
---------------------------------------------
Topic: Horde Framework Unserialize PHP Code Execution
Risk: High
Text: # This module requires Metasploit
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030175
*** Monitoring for unusual network traffic key to banking botnet detection ***
---------------------------------------------
Malware authors have had great success targeting financial institutions in recent years, and in turn those organizations have a vested interest in improving their banking botnet detection capabilities. However, one expert says financial firms are failing because they ignore unusual network traffic.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216637/Monitoring-for-unusual…
*** Nokia X Android smartphone security features detailed ***
---------------------------------------------
... the Nokia X comes with the required security features to protect the data stored on the device without downloading third-party security apps. The three main ways to protect the data on the Nokia X smartphone are the screen security, encryption, and SIM card lock.
---------------------------------------------
http://gadgets.ndtv.com/mobiles/news/nokia-x-android-smartphone-security-fe…
*** Linux Worm Darlloz Infects over 31,000 Devices in Four Months ***
---------------------------------------------
The worm is designed to infect computers running Intel x86 architectures, but it's also capable of infecting devices running MIPS, ARM, PowerPC architectures. Routers, set-top boxes and other devices usually have this kind of architecture. Based on its investigation, Symantec has determined that the main goal of Darlloz is to abuse infected devices for crypto-currency mining. Once it's installed on a computer, the worm installs open source mining software (cpuminer).
---------------------------------------------
http://news.softpedia.com/news/Linux-Worm-Darlloz-Infects-over-31-000-Devic…
*** Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing? ***
---------------------------------------------
On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so: Figure 1. Underground advertisement. The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/YmksHI4j1OM/
*** Spotlight on Java SE 8 Security ***
---------------------------------------------
March 18, 2014 was the long anticipated release of Java SE 8. I thought I would spotlight some of the key security features of Java 8 for readers. First, many are not aware of security improvements made to Java 7. Let's begin with a quick review of the Java SE 7 security features that were rolled into Java SE 8.
---------------------------------------------
http://www.securitycurmudgeon.com/2014/03/20/spotlight-on-java-se-8-securit…
*** IBM Security Bulletin: IBM WebSphere MQ Internet Pass-Thru - Potential denial of service on the command port listener (CVE-2013-5401) ***
---------------------------------------------
A denial of service vulnerability exists and could be exploited by a remotely connected user to stop the remote administration service.
CVE(s): CVE-2013-5401
Affected product(s) and affected version(s): WebSphere MQIPT 2.1.0.0, WebSphere MQIPT 2.0.x
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666863
X-Force Database: http://xforce.iss.net/xforce/xfdb/87297
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL ECDSA Nonces Recovery Weakness ***
---------------------------------------------
Yuval Yarom and Naomi Benger have reported a weakness in OpenSSL, which can be exploited by malicious, local users to disclose certain sensitive information.
---------------------------------------------
https://secunia.com/advisories/57091
*** OpenSSH "child_set_env()" Security Bypass Security Issue ***
---------------------------------------------
The security issue is caused due to an error within the "child_set_env()" function (usr.bin/ssh/session.c) and can be exploited to bypass intended environment restrictions by using a substring before a wildcard character.
---------------------------------------------
https://secunia.com/advisories/57488
*** Oracle VirtualBox 3D Acceleration Multiple Privilege Escalation Vulnerabilities ***
---------------------------------------------
Core Security has reported multiple vulnerabilities in Oracle VirtualBox, which can be exploited by malicious, local users in a guest virtual machine to gain escalated privileges.
---------------------------------------------
https://secunia.com/advisories/57384
*** Cisco Hosted Collaboration Solution Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Hosted Collaboration Solution, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57496
*** Video shows jailbreak of iOS 7.1 ***
---------------------------------------------
A developer has demonstrated his work on a jailbreak of iOS 7.1. With the latest iOS update, Apple had closed the vulnerabilities that were used for the previous jailbreak.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Video-zeigt-Jailbreak-von-iOS-7-1-21…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 19-03-2014 18:00 − Thursday 20-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** ZBOT Adds Clickbot Routine To Arsenal ***
---------------------------------------------
The ZeuS/ZBOT malware family is probably one of the most well-known malware families today. It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware. We recently came across one variant detected as TROJ_ZCLICK.A,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rrelQiGbzao/
*** New BlackOS Software Package Sold In Underground Forums ***
---------------------------------------------
We recently came across this particular post in an underground forum (Figure 1. Underground forum post). This particular post in Russian was advertising a new product, known as "BlackOS". Contrary to the name, it is not an operating system. However, it is definitely "black", or malicious: it is used to manage and redirect Internet traffic...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mA8O58qz-TQ/
*** Phishing: Hacked EA server hosts fake Apple website ***
---------------------------------------------
Criminal hackers have placed a fake website on servers of the game maker Electronic Arts that asks for Apple IDs together with passwords and credit card information. How many users entered their data there is not known.
---------------------------------------------
http://www.golem.de/news/phishing-gehackter-ea-server-hostet-falsche-apple-…
*** "goto fail": Apple urges users to update ***
---------------------------------------------
The Mac maker is now asking users to install the update to OS X 10.9.2 as soon as possible, if they have not already done so. Older versions of OS X Mavericks and iOS have a serious SSL vulnerability.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Apple-draengt-Nutzer-zum-Upd…
*** Android: Security holes due to missing updates remain a problem ***
---------------------------------------------
70 percent of all Android devices worldwide have a browser vulnerability, a researcher believes. Simply visiting a website is enough to exploit it.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Android-Sicherheitsluecken-wegen-feh…
*** Analysis: Spam report: February 2014 ***
---------------------------------------------
The share of spam in global email traffic decreased by 7.6 percentage points and averaged 65.7% in January. As forecasted, the drop in the share of spam was due to a lull early in January when there is less business activity and a large number of botnets are turned off.
---------------------------------------------
http://www.securelist.com/en/analysis/204792328/Spam_report_February_2014
*** Protocol analysis: Cheating in Quizduell ***
---------------------------------------------
Developers rely too heavily on HTTPS and forgo basic security measures. Using a man-in-the-middle attack, security researchers were able to look into the traffic between the app server and the apps, and discovered some strange things.
---------------------------------------------
http://www.golem.de/news/protokollanalyse-mogeln-im-quizduell-1403-105276-r…
*** Cisco IronPort AsyncOS Software for ESA and SMA File Validation Flaw Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029937
*** SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-033
Project: Nivo Slider (third-party module)
Version: 7.x
Date: 2014-March-19
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description: Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system. The module doesn't...
---------------------------------------------
https://drupal.org/node/2221481
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 18-03-2014 18:00 − Wednesday 19-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apache Update Resolves Security Vulnerabilities ***
---------------------------------------------
Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.
---------------------------------------------
http://threatpost.com/apache-update-resolves-security-vulnerabilities/104849
*** Ebury rootkit: Zombie servers attack half a million computers every day ***
---------------------------------------------
The victims of the malware campaign "Operation Windigo" include kernel.org and cPanel, among others. The servers infected with the Ebury rootkit send spam and attack visitors of the compromised websites.
---------------------------------------------
http://www.heise.de/security/meldung/Ebury-Rootkit-Zombie-Server-greifen-ta…
*** Wide Gap Between Attackers, BIOS Forensics Research ***
---------------------------------------------
Advanced attackers are ahead of researchers when it comes to understanding firmware vulnerabilities and BIOS forensics, experts from MITRE and Intel said during last week's CanSecWest.
---------------------------------------------
http://threatpost.com/wide-gap-between-attackers-bios-forensics-research/10…
*** Avast toolbar with built-in shopping spy ***
---------------------------------------------
The browser toolbar, which ends up on the computer bundled with the antivirus software among other routes, looks over the user's shoulder while shopping and injects competitors' offers into the shop pages.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Toolbar-mit-Shopping-Spion-21496…
*** Data suggests Android malware threat greatly overhyped ***
---------------------------------------------
It's no secret that many in the security industry perceive Google Inc.'s Android mobile platform to be plagued by malware, but Android security team lead Adrian Ludwig has made it his mission to eradicate the disingenuous meme of the burgeoning Android malware apocalypse.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216335/Data-suggests-Android-…
*** Full Disclosure mailing list shuts down ***
---------------------------------------------
The well-known security mailing list has been closed by its operator until further notice. In the past, Full Disclosure was repeatedly the venue for the disclosure of important security vulnerabilities.
---------------------------------------------
http://www.heise.de/security/meldung/Mailingliste-Full-Disclosure-macht-dic…
*** 10 Years of Mobile Malware: How Secure Are You? ***
---------------------------------------------
Believe it or not, it has been 10 years since the first mobile malware was created! On the infographic below, you can see a brief overview of the most important malware events in the past 10 years, with a short description of each of them.
---------------------------------------------
https://www.linkedin.com/today/post/article/20140316112657-67886711-10-year…
*** New Exploits Arrive for Old PHP Vulnerability ***
---------------------------------------------
New exploits for a two-year-old PHP vulnerability popped up in October that allow hackers to run code on websites running vulnerable versions of the web development framework.
---------------------------------------------
http://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881
*** Fake Tor browser for iOS laced with adware, spyware, members warn ***
---------------------------------------------
Title available since November raises questions about App Store vetting process.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/qB_-ioinSh4/
*** WordPress Subscribe To Comments Reloaded Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57015
*** Moodle Multiple Security Issues and Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57331
*** Samba smbcacls security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91849
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 17-03-2014 18:00 − Tuesday 18-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Google's Public DNS Hijacked for 22 Minutes ***
---------------------------------------------
The attackers hijacked the 8.8.8.8/32 DNS server for approximately 22 minutes. According to BGPmon, networks in Brazil and Venezuela were impacted. A screenshot published by the company shows that the traffic was redirected to BT Latin America's networks.
---------------------------------------------
http://news.softpedia.com/news/Google-s-Public-DNS-Hijacked-for-22-Minutes-…
*** Anonymization: Sniper attack knocks out Tor nodes ***
---------------------------------------------
With a so-called sniper attack, attackers can not only take individual Tor nodes out of action selectively, but also bring down the entire network within a few minutes. A patch has already been developed.
---------------------------------------------
http://www.golem.de/news/anonymisierung-sniper-angriff-legt-tor-nodes-lahm-…
*** Scans for FCKEditor File Manager, (Mon, Mar 17th) ***
---------------------------------------------
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a file manager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this feature is frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17821&rss
*** Background of the Typo3 hack still unclear ***
---------------------------------------------
The Typo3 Association has no information on the vulnerability behind the casino-spam hack that affects many Typo3 websites, and suspects that the hack has other causes. Sites without a Typo3 installation are said to be affected as well.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergruende-des-Typo3-Hacks-weiter…
*** Hidden Windigo UNIX ZOMBIES are EVERYWHERE ***
---------------------------------------------
Check and wipe: The la-la-la-it's-not-happening plan is no good. Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/windigo_uni…
*** Threatglass Tool Gives Deep Look Inside Compromised Sites ***
---------------------------------------------
Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it's not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information...
---------------------------------------------
http://threatpost.com/threatglass-tool-gives-deep-look-inside-compromised-s…
*** March 2014 Security Bulletin Webcast and Q&A ***
---------------------------------------------
Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bull…
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-diff…
*** Red Hat plans unified security management for Fedora 21 ***
---------------------------------------------
One crypto policy to bind them. Red Hat is planning a significant change to how its Fedora Linux distribution handles crypto policy, to ship with the due-in-late-2014 Fedora 21 release.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/red_hat_pla…
*** Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting
Risk: Low
Text: Product: Open-Xchange AppSuite; Vendor: Open-Xchange GmbH; Internal reference: 31065; Vulnerability type: Cross Site Scriptin...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030134
*** Security Advisory-Y.1731 Vulnerability on Some Huawei Switches ***
---------------------------------------------
Y.1731 is an ITU-T recommendation for OAM features on Ethernet-based networks. Y.1731 provides connectivity detection, diagnosis, and performance monitoring for VLAN/VSI services on MANs.
Some Huawei switches support Y.1731 and therefore have a vulnerability in the processing of specially crafted Y.1731 packets. The vulnerability causes the affected switches to restart (Vulnerability ID: HWPSIRT-2013-1165).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** OpenSSH AcceptEnv Wildcard Processing Flaw May Let Remote Authenticated Users Bypass Environment Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029925
*** DSA-2880 python2.7 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2880
*** Bugtraq: 2014 World Conference on IST - Madeira Island, April 15-17 ***
---------------------------------------------
The 2014 World Conference on Information Systems and Technologies
---------------------------------------------
http://www.securityfocus.com/archive/1/531513
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 14-03-2014 18:00 − Monday 17-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security Exploit Patched on vBulletin - PHP Object Injection ***
---------------------------------------------
The vBulletin team just issued a warning, and released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. They recommend that anyone using vBulletin apply these patches as soon as possible. Here is part of their announcement: A security issue has been found that affects all...
---------------------------------------------
http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-ob…
*** Pwn2Own results for Wednesday (Day One) ***
---------------------------------------------
At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one/
*** Pwn2Own results for Thursday (Day Two) ***
---------------------------------------------
... Vulnerabilities were successfully presented on Thursday in the Pwn2Own competition ... against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, Adobe Flash.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-two/
*** Encryption: CAESAR competition seeks authenticated encryption ***
---------------------------------------------
The first round of the CAESAR competition has begun. The goal: cryptographers are looking for better algorithms for authenticated encryption.
---------------------------------------------
http://www.golem.de/news/verschluesselung-caesar-wettbewerb-sucht-authentif…
*** The Long Tail of ColdFusion Fail ***
---------------------------------------------
Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Todays post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.
---------------------------------------------
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
*** Asus Webstorage app weak on SSL again ***
---------------------------------------------
An SSL hole in the Android app for Asus's Webstorage online storage service, which had supposedly been fixed, has come back: the current version of the app does not verify the server certificate presented by the online storage service.
---------------------------------------------
http://www.heise.de/security/meldung/Webstorage-App-von-Asus-schwaechelt-er…
*** iOS 7 has weak random number generator ***
---------------------------------------------
Trivial to break, says researcher. In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 - but a security researcher believes Cupertino inadvertently downgraded security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/16/ios_7_has_w…
*** VU#381692: Webmin contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#381692 Webmin contains a cross-site scripting vulnerability Original Release date: 14 Mar 2014 | Last revised: 14 Mar 2014 Overview Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi...
---------------------------------------------
http://www.kb.cert.org/vuls/id/381692
*** Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities ***
---------------------------------------------
Siemens and Positive Technologies researchers (Yury Goltsev, Ilya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin) have identified nine firmware vulnerabilities in the Siemens SIMATIC S7-1500 CPU firmware. Siemens has produced a patch that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-073-01
*** OpenX 2.8.11 Cross Site Request Forgery ***
---------------------------------------------
Topic: OpenX 2.8.11 Cross Site Request Forgery Risk: Low Text: Hello, Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030121
*** iOS 7 Arbitrary Code Execution ***
---------------------------------------------
When a specific value is supplied in the USB Endpoint descriptor of a HID device, the Apple device kernel panics and reboots.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030126
*** GNU Readline Insecure usage of temporary files ***
---------------------------------------------
Topic: GNU Readline Insecure usage of temporary files Risk: Medium Text: Whilst auditing some code for insecure uses of temporary files I spotted a potential area of concern in GNU readline. (...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030129
*** HPSBNS02969 rev.1 - HP NonStop Servers running Java 7, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP NonStop Servers running Java 7. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 13-03-2014 18:00 − Freitag 14-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: [ MDVSA-2014:057 ] mediawiki ***
---------------------------------------------
Updated mediawiki packages fix multiple vulnerabilities:
---------------------------------------------
http://www.securityfocus.com/archive/1/531452
*** Vuln: Mutt Mailreader mutt_copy_hdr() Function Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
Mutt mailreader is prone to a heap-based buffer-overflow vulnerability.
Successful exploitation of this issue allows an attacker to execute arbitrary code in the context of the application; failed attempts lead to a denial of service.
Mutt versions prior to 1.5.23 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/66165
*** Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability ***
---------------------------------------------
OVERVIEW
Andrew Brooks identified and reported to the Zero Day Initiative (ZDI) a file parsing vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a third-party component that is affected.
AFFECTED PRODUCTS
The following SCADA Expert ClearSCADA versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-072-01
*** VU#807134: WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#807134 WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
...
Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/807134
*** Squid Flaw in SSL-Bump Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send HTTPS requests to trigger a flaw in SSL-Bump and cause the target service to crash.
Specially crafted requests are not required to trigger this vulnerability.
---------------------------------------------
http://www.securitytracker.com/id/1029908
*** Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in Wireshark. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029907
*** Blogs of War: Don’t Be Cannon Fodder ***
---------------------------------------------
On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren't used in attacks going forward.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/TMHH3NsEOxo/
*** Cisco Cloud Portal Discloses Cryptographic Material That Lets Remote Users Decrypt Data ***
---------------------------------------------
A vulnerability was reported in Cisco Cloud Portal. A local user can obtain cryptographic material. A remote user with access to the cryptographic material can then decrypt data.
The Cisco Intelligent Automation for Cloud (Cisco IAC) binaries include fixed cryptographic material. A remote user that can access encrypted data from the target Cisco IAC installation can decrypt the data.
---------------------------------------------
http://www.securitytracker.com/id/1029915
*** Google Docs Users Targeted by Sophisticated Phishing Scam ***
---------------------------------------------
We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.
---------------------------------------------
http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophistica…
*** McAfee Email Gateway Input Validation Flaws Let Remote Authenticated Users Inject SQL and Operating System Commands ***
---------------------------------------------
Several vulnerabilities were reported in McAfee Email Gateway. A remote authenticated user can execute arbitrary operating system commands on the target system. A remote authenticated user can inject SQL commands.
---------------------------------------------
http://www.securitytracker.com/id/1029916
*** Firefox Exec Shellcode From Privileged Javascript Shell ***
---------------------------------------------
Topic: Firefox Exec Shellcode From Privileged Javascript Shell
Risk: Medium
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030113
*** A decade of securing Europe’s cyber future. The EU’s cyber security Agency ENISA is turning ten, and is looking at future challenges. ***
---------------------------------------------
In the “eternal marathon” against cyber criminals, there is a “constant, increasing need for ENISA”.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/a-decade-of-securing-europe…
*** lighttpd Directory Traversal and SQL Injection Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.
...
Successful exploitation requires mod_evhost and/or mod_simple_vhost modules to be enabled.
---------------------------------------------
https://secunia.com/advisories/57333
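The advisory's remark that the traversal needs mod_evhost or mod_simple_vhost points at where the untrusted input enters: both modules derive a per-site document root from the client-supplied Host header. The following is an added example, not lighttpd's code and not a reconstruction of the actual lighttpd bug; it shows the general shape of a traversal through a Host-to-path mapping (the directory layout, the default vhost name and the regex are assumptions) and a hardened mapping that admits only a syntactically valid hostname and then checks that the resolved path stayed under the base.

```python
import posixpath
import re

# Assumed layout, mod_simple_vhost style: <base>/<host>/htdocs. Constructed
# for this example; lighttpd's own path construction is not reproduced here.
DOCROOT_BASE = "/srv/www/vhosts"
DEFAULT_HOST = "default"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label longer than 63 characters, whole name no longer than 253.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def _host_from_header(host_header):
    """Strip an optional :port, fold case and drop a trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:80
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".")


def vulnerable_docroot(host_header):
    """Vulnerable pattern: the Host value is spliced into the path unchecked.
    Returns the path the filesystem would actually open (normalised), so
    'Host: ../../../etc' or 'Host: /etc' escapes the vhost base entirely."""
    raw = posixpath.join(DOCROOT_BASE, _host_from_header(host_header), "htdocs")
    return posixpath.normpath(raw)


def hardened_docroot(host_header):
    """Hardened form: only a syntactically valid hostname selects a vhost
    directory; anything else (traversal sequences, absolute paths, IPv6
    literals, empty Host) falls back to the default vhost. The final
    prefix check is defence in depth should the whitelist ever loosen."""
    host = _host_from_header(host_header)
    if not _HOSTNAME_RE.match(host):
        host = DEFAULT_HOST
    path = posixpath.normpath(posixpath.join(DOCROOT_BASE, host, "htdocs"))
    if not path.startswith(DOCROOT_BASE + "/"):
        raise ValueError("vhost path escaped base: %r" % path)
    return path


if __name__ == "__main__":
    for hdr in ("example.com", "Example.COM.:8080", "../../../etc", "/etc", "[::1]:80"):
        print("%-20r vulnerable=%-40s hardened=%s"
              % (hdr, vulnerable_docroot(hdr), hardened_docroot(hdr)))
```

Because posixpath.join discards everything before an absolute component, an absolute Host value is as effective as a run of "../" segments; the whitelist catches both, and the prefix check exists for the day someone relaxes the regex.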
*** Samsung Backdoor May Not Be as Wide Open as Initially Thought ***
---------------------------------------------
... As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.
---------------------------------------------
http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-o…
*** EU Parliament votes for mandatory reporting of cyber attacks ***
---------------------------------------------
By a large majority, though with some amendments, MEPs have adopted the EU Commission's draft directive on network and information security. Member states are to strengthen their cooperation.
---------------------------------------------
http://www.heise.de/newsticker/meldung/EU-Parlament-stimmt-fuer-Meldepflich…
*** Gameover ZeuS Jumps on the Bitcoin Bandwagon ***
---------------------------------------------
We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings. Very interesting, indeed. Here's a screenshot of the decrypted strings: • aBitcoinQt_exe • aBitcoind_exe • aWallet_dat • aBitcoinWallet • aBitcoinWalle_0. Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro. Analysis is ongoing. Here's the SHA1:
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002685.html
*** Target staff IGNORED security alerts as hackers slurped 40m customers card details ***
---------------------------------------------
Reports say staff dithered while hackers went to town. Staff at US retailer Target failed to stop the theft of 40 million credit card records last December despite an escalating series of alarms from the company's security systems.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/14/target_fail…
*** Debian Security Advisory DSA-2879-1 libssh -- security update ***
---------------------------------------------
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2879
*** Sophos UTM TCP Stack Memory Leak Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos UTM, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the TCP stack and can be exploited to cause a memory leak.
The vulnerability is reported in versions prior to 9.109.
---------------------------------------------
https://secunia.com/advisories/57344
*** Blog: Analysis of, Malware from the MtGox leak archive ***
---------------------------------------------
A few days ago the personal blog and Reddit account of MtGox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic.
---------------------------------------------
http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_l…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 12-03-2014 18:00 − Donnerstag 13-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction ***
---------------------------------------------
At this point, you can go ahead and close the two parent processes (since we are not interested in their functionality, for the sake of simply finding the DGA). So we know that we are interested in discovering how this traffic is generated. So let's try to find out where it originates. Earlier, using API Monitor, we saw that explorer was using several functions within WinINet.dll:...
---------------------------------------------
http://vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html
*** F-Secure interview: "We detect government trojans and do not intend to change that" ***
---------------------------------------------
Malware written by governments does not always have to be as bad as 0zapftis, the Bavarian state trojan. For F-Secure's virus researcher Mikko Hypponen the decisive point is that anti-malware companies must be able to keep working without restrictions, as he told Golem.de in an interview.
---------------------------------------------
http://www.golem.de/news/f-secure-im-interview-wir-erkennen-staatstrojaner-…
*** WordPress XML-RPC PingBack Vulnerability Analysis ***
---------------------------------------------
There were news stories this week outlining how attackers are abusing the XML-RPC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post will provide some analysis of this attack and additional information for websites to protect themselves. Not A New Vulnerability: the vulnerability in WordPress's XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago. While the vulnerability itself is not new,...
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/MklfK5l9jYY/wordpress-…
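For both the KrebsOnSecurity "cannon fodder" item above and this pingback analysis, the question a site operator has is the same: am I being hit by pingback reflection, and which blogs are doing the reflecting? The following is an added example, not code from either post. It parses combined-format access log lines, picks out the verification fetches a WordPress blog makes after receiving a pingback.ping call, and summarises reflectors and the origin address those blogs claim to be verifying. The user-agent layout "WordPress/<version>; <blog URL>; verifying pingback from <IP>" and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: four pingback verification fetches from three different
# blogs, all naming the same origin, plus one ordinary browser request.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Mar/2014:10:15:01 +0000] "GET /?12345 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
198.51.100.11 - - [12/Mar/2014:10:15:01 +0000] "GET /?12346 HTTP/1.0" 200 48213 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.5"
198.51.100.10 - - [12/Mar/2014:10:15:02 +0000] "GET /?12347 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.5"
192.0.2.77 - - [12/Mar/2014:10:15:02 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
198.51.100.12 - - [12/Mar/2014:10:15:03 +0000] "GET /?12348 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-c.example; verifying pingback from 203.0.113.5"
"""

# Apache/nginx "combined" format: client, ident, user, time, request, status,
# bytes, referer, user agent.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed shape of the user agent a blog sends when verifying a pingback.
_PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<ver>\S+); (?P<blog>\S+); verifying pingback from (?P<origin>\S+)$"
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_hits(log_text):
    """Yield (reflector_ip, blog_url, claimed_origin_ip, request) per verification fetch."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ua = _PINGBACK_UA_RE.match(rec["ua"])
        if ua:
            yield rec["src"], ua["blog"], ua["origin"], rec["req"]


def summarize(log_text):
    """Count hits, reflecting hosts, reflecting blogs and claimed origins."""
    hits = list(pingback_hits(log_text))
    return {
        "hits": len(hits),
        "reflectors": Counter(h[0] for h in hits),
        "blogs": Counter(h[1] for h in hits),
        "origins": Counter(h[2] for h in hits),
    }


def looks_like_pingback_flood(summary, min_hits=3, min_reflectors=2):
    """Many distinct blogs all verifying pingbacks that trace to one origin is
    the reflection pattern; a single legitimate pingback is one hit from one blog."""
    if summary["hits"] < min_hits or len(summary["reflectors"]) < min_reflectors:
        return False
    _top_origin, top_count = summary["origins"].most_common(1)[0]
    return top_count >= min_hits


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("pingback hits:", s["hits"])
    print("reflecting blogs:", dict(s["blogs"]))
    print("claimed origins:", dict(s["origins"]))
    print("flood?", looks_like_pingback_flood(s))
```

The origin address in the user agent is the host that sent the pingback.ping call to each blog, so it is the one to block or report; the reflector addresses are the blogs whose owners should disable the method (in WordPress, unsetting pingback.ping through the xmlrpc_methods filter) or restrict xmlrpc.php at the web server.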
*** A Detailed Examination of the Siesta Campaign ***
---------------------------------------------
Executive Summary FireEye recently looked deeper into the activity discussed in TrendMicro's blog and dubbed the "Siesta" campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-ex…
*** LightsOut EK Targets Energy Sector ***
---------------------------------------------
Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck late February between 2/24-2/26. The attack began as a compromise of a third party law firm which includes an energy law practice known as
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/S2HhvPupa_0/lightsout-ek…
*** Trojan.Skimer.19 threatens banks ***
---------------------------------------------
March 4, 2014 Malware infecting the electronic innards of ATMs is not exactly a common phenomenon, so whenever such new kinds of programs emerge, they inevitably draw the attention of security specialists. Doctor Web's virus analysts got hold of a sample of Trojan.Skimer.19 which can infect ATMs. According to Doctor Web, banking system attacks involving Trojan.Skimer.19 persist to this day. Similar to its predecessors, the Trojan has its main payload incorporated into a dynamic link library...
---------------------------------------------
http://news.drweb.com/show/?i=4267&lng=en&c=9
*** Trojan.Rbrute hacks Wi-Fi routers ***
---------------------------------------------
March 5, 2014 Doctor Web's security researchers examined Trojan.Rbrute malware, which is designed to crack Wi-Fi router access passwords using brute force and change the DNS server addresses specified in the configuration of these devices. Criminals use this malicious program to spread the file infector known as Win32.Sector. When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a...
---------------------------------------------
http://news.drweb.com/show/?i=4271&lng=en&c=9
*** Anatomy of a Control Panel Malware Attack, Part 1 ***
---------------------------------------------
Recently we've discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we've analyzed in some detail how CPL malware works as well as the overall picture of how this threat spreads. In this post, we shall examine in detail how they spread, and how they relate with other malicious sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v3D2zLGXolU/
*** Ethical hacker backer hacked, warns of email ransack ***
---------------------------------------------
Switches registrars, tightens security after upsetting incident. The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/13/ethical_hac…
*** Samsung: Galaxy devices have a backdoor in the modem processor ***
---------------------------------------------
A backdoor has been discovered in the modem processor of several smartphones and tablets from Samsung's Galaxy range. Attackers could use it to access the data on the smartphone or tablet, or to modify data in order to spread malware.
---------------------------------------------
http://www.golem.de/news/samsung-galaxy-geraete-haben-eine-backdoor-im-mode…
*** Google hacks Mac OS X for a good cause ***
---------------------------------------------
The search engine giant's security team has demonstrated a serious attack on Mac OS X: opening a web page in Safari resulted in code being executed as root. The demonstration hack took place in a new category of the Pwn2Own competition.
---------------------------------------------
http://www.heise.de/security/meldung/Google-hackt-Mac-OS-X-fuer-den-guten-Z…
*** Metasploit Weekly Update: There's a Bug In Your Brain ***
---------------------------------------------
The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementer, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/13/metasploi…
*** TCIPG Seminar: Dynamic Data Attacks on Real-Time Power System Operations ***
---------------------------------------------
With increasing dependence on modern information and communication technology, a future smart grid is potentially more vulnerable to coordinated cyber attacks launched by an adversary. In this talk, we consider several possible attack mechanisms aimed at disrupting real-time operations of a power grid. In particular, we are interested in dynamic attack strategies on the power system state estimation that lead to infeasible real-time dispatch and disrupt the real-time market operation.
---------------------------------------------
http://tcipg.org/news/TCIPG-Seminar-2014-Mar-7-Tong
*** Security update available for Adobe Shockwave Player ***
---------------------------------------------
Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/shockwave/apsb14-10.html
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059) ***
---------------------------------------------
Security vulnerabilities exist in various versions of IBM InfoSphere Information Server or constituent products. See the individual descriptions for details. CVE(s): CVE-2013-4057, CVE-2013-4058, and CVE-2013-4059 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Bugtraq: PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531440
*** SA-CONTRIB-2014-031 - Webform Template - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-031 | Project: Webform Template (third-party module) | Version: 7.x | Date: 2014-March-12 | Security risk: Less critical | Exploitable from: Remote | Vulnerability: Access Bypass
Description: This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...
---------------------------------------------
https://drupal.org/node/2216607
*** SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-030 | Project: SexyBookmarks (third-party module) | Version: 6.x | Date: 2014-March-12 | Security risk: Moderately critical | Exploitable from: Remote | Vulnerability: Information Disclosure
Description: The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service. The module discloses the private files location when Drupal 6 is configured to use private files. This vulnerability is mitigated by the fact...
---------------------------------------------
https://drupal.org/node/2216269
*** Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control ***
---------------------------------------------
This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control, published September 16, 2013, on the NCCIC/ICS-CERT web site (this was originally incorrectly identified as MC-WorkX; the correct product name is MC-WorX).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-02
*** Cisco Intelligent Automation for Cloud Cryptographic Implementation Issues ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting ***
---------------------------------------------
Topic: GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting Risk: Medium Text: # Exploit Title: GNUpanel 0.3.5_R4 - Multiple Vulnerabilities # Vendor Homepage: http://wp.geeklab.com.ar/gl-en/gnupanel...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030098
*** Proxmox Mail Gateway 3.1 Cross Site Scripting ***
---------------------------------------------
Topic: Proxmox Mail Gateway 3.1 Cross Site Scripting Risk: Low Text: I. VULNERABILITY - Multiple XSS in Proxmox Mail Gateway 3.1 II. BACKGROUND - Proxmox Mail G...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030097
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 11-03-2014 18:00 − Mittwoch 12-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-diffe…
*** Zeus-in-the-mobile variant uses security firms name to gain victims trust ***
---------------------------------------------
Android users are tricked into installing a spurious "security" app, which allows fraudsters to bypass one-time password authentication for online banking.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/uCKACIRIxoI/
*** BB10s dated crypto lets snoops squeeze the juice from your BlackBerry ***
---------------------------------------------
BEAST will attack your sensitive web traffic, warns poster. BlackBerry BB10 OS uses dated protocols that leave users at risk to known cryptographic attacks, according to a security researcher.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/12/bb10_dated_…
*** WhatsApp extends privacy settings but remains insecure ***
---------------------------------------------
Privacy protection in WhatsApp remains patchy: with the latest update, other users can no longer see when you were last online in the chat, but the chats themselves can apparently be read in full by other Android apps.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-erweitert-Einstellungen-zur-P…
*** iOS 7.1: iBeacon indoor positioning harder to switch off ***
---------------------------------------------
After the update to Apple's latest mobile operating system it is no longer enough to close an application that uses indoor tracking; even after a device restart, iBeacon keeps on transmitting.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Innenraumortung-iBeacon-schwer…
*** Is it the ISPs Fault if Your Home Broadband Router Gets Hacked? ***
---------------------------------------------
As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?
---------------------------------------------
http://www.ispreview.co.uk/index.php/2014/03/isps-fault-home-broadband-rout…
*** Blog: Agent.btz: a source of inspiration? ***
---------------------------------------------
The past few days have seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
---------------------------------------------
http://www.securelist.com/en/blog/8191/Agent_btz_a_source_of_inspiration
*** Yokogawa CENTUM CS 3000 Vulnerabilities ***
---------------------------------------------
Juan Vazquez of Rapid7 Inc. and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 application. CERT/CC, NCCIC/ICS-CERT, and JPCERT have coordinated with Rapid7 and Yokogawa to mitigate these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
*** SSA-456423 (Last Update 2014-03-12): Vulnerabilities in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VMSA-2014-0002 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** Apple Safari OSX code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91654
*** WordPress WP SlimStat Plugin URL Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57305
*** Bugtraq: CORE-2014-0002 - Oracle VirtualBox 3D Acceleration Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531418
*** Vuln: MediaWiki text Parameter HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65906
*** Vuln: MediaWiki CVE-2014-2242 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65910
*** [webapps] - ZyXEL Router P-660HN-T1A - Login Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/32204
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 10-03-2014 18:00 − Tuesday 11-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A clear-eyed guide to Mac OS's actual security risks ***
---------------------------------------------
Apple has improved its security in recent years, but is it enough?
---------------------------------------------
http://www.csoonline.com/article/749495/a-clear-eyed-guide-to-mac-os-s-actu…
*** CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk ***
---------------------------------------------
Researcher Eric Filiol withdrew his presentation from this week's CanSecWest conference because of concerns the information could be used to attack critical infrastructure worldwide.
---------------------------------------------
http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-infr…
*** More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack ***
---------------------------------------------
Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that's OK because it's a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors. Any WordPress site with XML-RPC enabled...
---------------------------------------------
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-di…
*** Can this $70 dongle stem the epidemic of password breaches? ***
---------------------------------------------
Maybe not, but its approach could improve the security of password databases.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/TIJ7a8DsSVY/
*** Careto and OS X Obfuscation ***
---------------------------------------------
Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult. However, the capabilities of the Mac malware used in Careto were not as sophisticated as its Windows...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tLQMNa8HgFc/
*** Saboteurs slip Dendroid RAT into Google Play ***
---------------------------------------------
Google quickly removed the malware, which was reportedly disguised as a legitimate parental control app, from its marketplace.
---------------------------------------------
http://www.scmagazine.com/saboteurs-slip-dendroid-rat-into-google-play/arti…
*** A third of all certificate issuers are mere security ballast ***
---------------------------------------------
In an examination of 48 million SSL certificates, researchers found that one in three issuers had not issued a single HTTPS certificate. These sleeper CAs are a considerable security risk that could easily be defused.
---------------------------------------------
http://www.heise.de/security/meldung/Ein-Drittel-aller-Zertifikats-Herausge…
*** Download: Threat Report ***
---------------------------------------------
Our Threat Report covering the second half of 2013 (with some forecasting of 2014) was released last week. You'll find it, and all of our previous reports, in the Labs section of f-secure.com.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002681.html
*** Encryption: Snowden recommends Textsecure and Redphone ***
---------------------------------------------
In the discussion at SXSW, Edward Snowden praised Openwhispersystems and its developer Moxie Marlinspike for releasing easy-to-use encryption tools.
---------------------------------------------
http://www.golem.de/news/verschluesselung-snowden-empfiehlt-textsecure-und-…
*** iOS 7.1: Apple plugs numerous security holes ***
---------------------------------------------
With its latest update, Apple fixes more than two dozen bugs, some of them critical, in its mobile operating system. A jailbreak is no longer possible.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Apple-stopft-zahlreiche-Sicher…
*** Team Cymru's SOHO Pharming Whitepaper ***
---------------------------------------------
UPDATE: Here is the video for our SOHO Pharming Update of March 11, 2014. This update discusses the results of our SOHO Pharming Whitepaper release as well as further developments on that topic. If you've navigated to this site from an external source and are seeking the download of the SOHO Pharming Whitepaper, please scroll down on this page. Thanks for watching and feel free to share with your colleagues and friends!
---------------------------------------------
https://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html
*** Microsoft Security Bulletin Summary for March 2014 ***
---------------------------------------------
This bulletin summary lists security bulletins released for March 2014.
With the release of the security bulletins for March 2014, this bulletin summary replaces the bulletin advance notification originally issued March 6, 2014.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** Security updates available for Adobe Flash Player ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.341 and earlier versions for Linux. These updates address important vulnerabilities, and Adobe recommends users update their product installations to the latest versions: ...
---------------------------------------------
http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
*** TA14-069A: Microsoft Ending Support for Windows XP and Office 2003 ***
---------------------------------------------
Original release date: March 10, 2014
Systems Affected: Microsoft Windows XP with Service Pack 3 (SP3) Operating System; Microsoft Office 2003 Products
Overview: Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive: security patches which help protect PCs from harmful viruses, spyware, and other malicious software; assisted technical support from Microsoft; software and content updates...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA14-069A-0
*** Asterisk - Multiple Vulnerabilities ***
---------------------------------------------
Asterisk PJSIP Channel Driver Bug Lets Remote Users Deny Service
Asterisk chan_sip File Descriptor Flaw Lets Remote Authenticated Users Deny Service
Asterisk HTTP Header Cookie Processing Overflow Lets Remote Users Deny Service
Asterisk PJSIP Channel Driver Subscription Handling Bug Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1029892
http://www.securitytracker.com/id/1029891
http://www.securitytracker.com/id/1029890
http://www.securitytracker.com/id/1029893
*** FreeType Buffer Overflow in CFF Driver Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029895
*** D-Link DIR-600 Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57304
*** D-Link DSL-2640U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57269
*** Bugtraq: Android Vulnerability: Install App Without User Explicit Consent ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531394
*** IBM Security Bulletin: IBM SPSS SamplePower vsflex8l ActiveX Control ComboList Property Remote Code Execution Vulnerability (CVE-2014-0895) ***
---------------------------------------------
There is a security vulnerability in an ActiveX control shipped with IBM SPSS SamplePower Version 3.0.1. This is corrected in the IBM SPSS SamplePower product Interim Fix. CVE(s): CVE-2014-0895 Affected product(s) and affected version(s): IBM SPSS SamplePower for Windows V3.0.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666790 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Download of Code Without Integrity Check vulnerability in IBM Security AppScan Standard (CVE-2014-0904) ***
---------------------------------------------
IBM Security AppScan Standard can be affected by a vulnerability in the update process that could allow remote code injection. CVE(s): CVE-2014-0904 Affected product(s) and affected version(s): IBM Security AppScan Standard 8.8, IBM Security AppScan Standard 8.7, IBM Security AppScan Standard 8.6, IBM Rational AppScan Standard 8.5, IBM Rational AppScan Standard 8.0, IBM Rational AppScan Standard 7.9 Refer to the following reference URLs for remediation and additional vulnerability details:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02947 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Disclosure of Information and Cross-Site Request Forgery (CSRF) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in disclosure of information or cross-site request forgery (CSRF).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager (SIM) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in execution of arbitrary code, Denial of Service (DoS), or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02976 SSRT101236 rev.1 - HP-UX Running NFS rpc.lockd, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NFS rpc.lockd. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 07-03-2014 18:00 − Monday 10-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Experts analyze Snake, Uroburos malware samples dating back to 2006 ***
---------------------------------------------
Researchers with BAE Systems Applied Intelligence have determined that a possibly Russian-fueled malware campaign known as Snake, or Uroburos, may actually date back as far as 2006.
---------------------------------------------
http://www.scmagazine.com/experts-analyze-snake-uroburos-malware-samples-da…
*** SSL encryption also problematic in iOS apps ***
---------------------------------------------
Not only with Android apps - in the iPhone universe, too, the data connections of apps quite often turn out to be attackable. A research team was able to trick around 14 percent of the iOS apps that use SSL.
---------------------------------------------
http://www.heise.de/newsticker/meldung/SSL-Verschluesselung-auch-in-iOS-App…
*** iOS Security ***
---------------------------------------------
iOS is designed with comprehensive security that offers enterprise-grade protection of corporate data. Learn more about the advanced security features of iOS in this security guide.
---------------------------------------------
https://ssl.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
*** ETH40G: Encryption at 40 gigabits per second ***
---------------------------------------------
With the ETH40G from the SITLine series, Rohde & Schwarz promises high encrypted data throughput of 40 gigabits per second in broadband networks.
---------------------------------------------
http://www.golem.de/news/eth40g-verschluesselung-mit-40-gigabit-pro-sekunde…
*** Linux kernel IPv6 crash due to router advertisement flooding ***
---------------------------------------------
Topic: Linux kernel IPv6 crash due to router advertisement flooding Risk: Medium Text: The Linux kernel is vulnerable to a crash on hosts that accept router advertisements. An unlimited number of routes can be cre...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030061
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for the kernel. This fixes a weakness and a vulnerability, which can be exploited by malicious, local users in a guest virtual machine to potentially disclose sensitive information and by malicious, local users to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57300
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise an application using the library.
---------------------------------------------
https://secunia.com/advisories/56866
*** Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. ***
---------------------------------------------
Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. CVE(s): CVE-2014-0428, CVE-2014-0422, CVE-2013-5907, CVE-2014-0415, CVE-2014-0410, CVE-2013-5889, CVE-2014-0417, CVE-2014-0387, CVE-2014-0424, CVE-2013-5878, CVE-2014-0373, CVE-2014-0375, CVE-2014-0403, CVE-2014-0423, CVE-2014-0376, CVE-2013-5910, CVE-2013-5884, CVE-2013-5896, CVE-2013-5899, CVE-2014-0416, CVE-2013-5887, CVE-2014-0368, CVE-2013-5888, CVE-2013-5898 and CVE-2014-0411 Affected product(s)
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/multiple_vulnerabilit…
*** Vuln: PHP Fileinfo Component Out of Bounds Memory Corruption Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/66002
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 06-03-2014 18:00 − Friday 07-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The Snake Campaign ***
---------------------------------------------
This new report from BAE Systems Applied Intelligence today provides further details on how the recently disclosed ‘Snake’ cyber espionage toolkit operates. Timelines of the malware development show this to be a much bigger campaign than previously known. Specifically, it reveals that the malware has actually been in development since at least 2005. From the complexity of the malware, and the range of variants and techniques used to support its operation, the research also suggests that
---------------------------------------------
http://www.baesystems.com/what-we-do-rai/the-snake-campaign
*** Diffie-Hellman: Nonsensical crypto parameters ***
---------------------------------------------
A short key exchange crashes Chrome, and other browsers accept completely nonsensical parameters for a Diffie-Hellman key exchange. In connection with the recently discovered TLS problems, this could be a security risk. (Opera, Firefox)
---------------------------------------------
http://www.golem.de/news/diffie-hellman-unsinnige-krypto-parameter-1403-104…
*** Shedding New Light on Tor-Based Malware ***
---------------------------------------------
Researchers at Kaspersky Lab and Microsoft have shared new insight into how malware campaigns operate over the Tor anonymity network, as well as other darknets.
---------------------------------------------
http://threatpost.com/shedding-new-light-on-tor-based-malware/104651
*** EMC Documentum TaskSpace privilege escalation ***
---------------------------------------------
EMC Documentum TaskSpace could allow a remote attacker to gain elevated privileges on the system, caused by an error related to the way dm_world group users were added to the dm_superusers_dynamic group. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91600
*** Multiple Cisco Wireless LAN Controllers WebAuth denial of service ***
---------------------------------------------
Multiple Cisco Wireless LAN Controllers are vulnerable to a denial of service, caused by the failure to deallocate memory used during the processing of a WebAuth login. By creating an overly large number of WebAuth requests, an attacker could exploit this vulnerability to cause the device to reboot.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91602
*** New Tool Makes Android Malware Easier To Create ***
---------------------------------------------
itwbennett writes "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/lUI1_mGPycM/story01.htm
*** The Siesta Campaign: A New Targeted Attack Awakens ***
---------------------------------------------
In the past few weeks, we have received several reports of targeted attacks that exploited various application vulnerabilities to infiltrate various organizations. Similar to the Safe Campaign, the campaigns we noted went seemingly unnoticed and under the radar. The attackers orchestrating the campaign we call the Siesta Campaign used multicomponent malware to target certain institutions that […] Post from: Trendlabs Security Intelligence Blog - by Trend Micro
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/-rYSWuRUzdQ/
*** Gameover trojan uses rootkit to remain stealthy, tougher to remove ***
---------------------------------------------
Researchers have discovered a Gameover variant of the Zeus trojan that has been modified to include the Necurs rootkit, which makes the malware tougher to detect and remove by protecting files on the disk and memory.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/F6bJXyUofvI/
*** Apache Struts Bugs Let Remote Users Deny Service and Manipulate the ClassLoader ***
---------------------------------------------
A remote user can supply specially crafted 'class' parameter values to the ParametersInterceptor class to manipulate the ClassLoader [CVE-2014-0094].
A remote user can send a multipart request with a specially crafted Content-Type header to trigger a flaw in the Apache Commons FileUpload component and cause denial of service conditions [CVE-2014-0050].
---------------------------------------------
http://www.securitytracker.com/id/1029876
*** Linux Memory Dump with Rekall, (Fri, Mar 7th) ***
---------------------------------------------
Memory dumping for incident response is nothing new, but ever since they locked down access to direct memory (/dev/mem) on Linux, I’ve had bad experiences dumping memory. I usually end up crashing the server about 60 percent of the time while collecting data with Fmem. A new version of the Linux memory dumping utility rekall (previously called Winpmem) has recently come out. I’ve been testing it on the latest versions of Ubuntu and Redhat EL 5 and have not run into any issues with
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17775&rss
*** Citrix NetScaler Application Delivery Controller Multiple Flaws Let Users Gain Elevated Privileges and Deny Service ***
---------------------------------------------
Several vulnerabilities were reported in Citrix NetScaler Application Delivery Controller. A local user can obtain passwords. A user can gain elevated privileges. A remote user can conduct cross-site scripting and cross-site request forgery attacks. A user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029880
*** February 2014 virus activity review from Doctor Web ***
---------------------------------------------
February 28, 2014 Although it’s the year's shortest month, February proved to be quite eventful in terms of information security. In particular, Doctor Web's security researchers discovered several Trojans that replace browser window banners and steal confidential information. Also identified were new malignant programs targeting Android. Viruses According to statistics collected in February 2014 by Dr.Web CureIt!, Trojan.Packed.24524, which spreads in the guise of legitimate software, was
---------------------------------------------
http://news.drweb.com/show/?i=4262&lng=en&c=9
*** ownCloud 4.0.x / 4.5.x Remote Code Execution ***
---------------------------------------------
Topic: ownCloud 4.0.x / 4.5.x Remote Code Execution Risk: High Text: Vulnerability title: Remote Code Execution in ownCloud CVE: CVE-2014-2044 Vendor: ownCloud Product: ownCloud Affected versi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030055
*** WordPress Premium Gallery Manager Shell Upload ***
---------------------------------------------
Topic: WordPress Premium Gallery Manager Shell Upload Risk: High Text: Wordpress Plugins Premium Gallery Manager Arbitrary File Upload ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030053
*** [2014-03-07] Unauthenticated access & manipulation of settings in Huawei E5331 MiFi mobile hotspot ***
---------------------------------------------
Unauthenticated attackers are able to gain access to sensitive configuration (e.g. WLAN passwords in clear text or IMEI information of the SIM card) and even manipulate all settings in the web administration interface! This can even be exploited remotely via the Internet, depending on the mobile operator setup, or via CSRF attacks.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** HP-UX m4(1) Command Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in HP-UX. A local user can obtain elevated privileges on the target system.
A local user can exploit an unspecified flaw in the HP-UX m4(1) command to gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1029881
*** Hack against AVM routers: Fritzbox hole disclosed, millions of routers at risk ***
---------------------------------------------
The grace period has expired: details of how to exploit the critical vulnerability in the Fritzboxes are circulating on the net. This means acute danger, since according to findings by heise Security a great many AVM routers are still vulnerable.
---------------------------------------------
http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-Fritzbox-Luecke-…
*** ComiXology hacked: users must change their passwords ***
---------------------------------------------
The largest digital comics platform, ComiXology, fell victim to unauthorized access to databases containing usernames, e-mail information and encrypted passwords.
---------------------------------------------
http://futurezone.at/digital-life/comixology-gehackt-user-muessen-passwort-…
*** Into the network via the printer: PDF trojan turns IP phones into listening devices ***
---------------------------------------------
Attackers can attack a network solely by abusing holes in devices such as network printers or VoIP phones. It was demonstrated how the phones can be turned into listening devices.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Via-Drucker-ins-Netz-PDF-Trojaner-ve…
*** Microsoft Security Bulletin Advance Notification for March 2014 ***
---------------------------------------------
* Remote Code Execution - Microsoft Windows, Internet Explorer
* Remote Code Execution - Microsoft Windows
* Elevation of Privilege - Microsoft Windows
* Security Feature Bypass - Microsoft Windows
* Security Feature Bypass - Microsoft Silverlight
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php, (Fri, Mar 7th) ***
---------------------------------------------
PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php -- Tom Webb (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17777&rss
*** Windows XP: German federal government worried about the security of ATMs ***
---------------------------------------------
Microsoft's support for Windows XP ends on April 8. According to the Interior Ministry, the BSI therefore considers it necessary to use current operating systems that are supplied with security updates.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Windows-XP-Bundesregierung-sorgt-sic…
*** New Attacks on HTTPS Traffic Reveal Plenty About Your Web Surfing ***
---------------------------------------------
Researchers at UC Berkeley have developed new attacks that analyze HTTPS traffic and can accurately determine what pages you've visited during an encrypted session.
---------------------------------------------
http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-your…
*** Open-source CMS: security update for Joomla ***
---------------------------------------------
The Joomla developer team has released a security update for both currently supported release branches of the open-source CMS. Joomla 2.5.19 and Joomla 3.2.3 are meant to plug recently discovered vulnerabilities in the content management system.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Open-Source-CMS-Sicherheitsupdate-fu…
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
---------------------------------------------
https://secunia.com/advisories/57282
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution. CVE(s): CVE-2014-0835, CVE-2014-0836, CVE-2014-0837, and CVE-2014-0838 Affected product(s) and affected version(s): IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Information regarding security vulnerability in IBM SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014 ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document. CVE(s): CVE-2014-0411 Affected product(s) and affected version(s): WebSphere Process Server V6.1.2, 6.2.x, 7.0.x WebSphere Process Server on z/OS V6.2.x, 7.0.x WebSphere Process Server Hypervisor Edition for Red Hat Enterprise Linux Server for x86 (32-bit) V7.0.0 WebSphere Process Server Hypervisor
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 05-03-2014 18:00 − Thursday 06-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apple OpenSSL Verification Surprises ***
---------------------------------------------
Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software.
---------------------------------------------
https://hynek.me/articles/apple-openssl-verification-surprises/
*** Sefnit's Tor botnet C&C details ***
---------------------------------------------
We have talked about the impact that resulted from the Sefnit botnet Tor hazard as well as the clean-up effort that went into that threat. In this post we'd like to introduce some of the details regarding the Tor component's configuration and its communication with the Tor service. Specifically, we'll talk about how Trojan:Win32/Sefnit.AT communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data. After Sefnit...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-a…
*** Cisco routers with passwords in the source code of the web interface ***
---------------------------------------------
Two routers and a firewall from Cisco have a security hole that allows attackers to log in with administrator rights. The devices reveal the passwords in the source code of the login window.
---------------------------------------------
http://www.heise.de/security/meldung/Cisco-Router-mit-Passwoertern-im-Quell…
*** Acute wave of attacks on D-Link modems ***
---------------------------------------------
Thousands of internet connections are acutely at risk due to a security hole in DSL modems from D-Link, in Germany alone. The vulnerability is already being systematically abused for attacks. Anyone operating affected devices must act immediately.
---------------------------------------------
http://www.heise.de/security/meldung/Akute-Angriffsserie-auf-D-Link-Modems-…
*** Joomla! Core - Multiple Vulnerabilities ***
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xcttKR2_t_4/578-20140301-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/-FMP5B4UydI/579-20140302-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/3SC6NBuk13g/580-20140303-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/oiSyKvvYgXA/581-20140304-c…
*** SA-CONTRIB-2014-028 - Masquerade - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-028
Project: Masquerade (third-party module)
Version: 6.x, 7.x
Date: 2014-March-05
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: This module allows a user with the right permissions to switch users. When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the...
---------------------------------------------
https://drupal.org/node/2211401
*** Security Bulletins: Citrix NetScaler Application Delivery Controller Multiple Security Vulnerabilities ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC).
---------------------------------------------
http://support.citrix.com/article/CTX139049
*** HP Data Protector Backup Client Service Remote Code Execution ***
---------------------------------------------
Topic: HP Data Protector Backup Client Service Remote Code Execution Risk: High Text:## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030052
*** PHP date() is evil (XSS'able) ***
---------------------------------------------
Topic: PHP date() is evil (XSS'able) Risk: Low Text: I was playing with PHP (as usual) and I was thinking about date(). It's a PHP function that displays the date in different ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030046
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 04-03-2014 18:00 − Wednesday 05-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Windows XP: Microsoft pushes for migration with a popup ***
---------------------------------------------
Microsoft wants to point XP users more directly to the fact that support for the operating system is ending. In addition, the previously paid migration tool PCmover Express is to be made available for free, but the offer has a catch.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-XP-Microsoft-draengt-mit-Popup…
*** 69 percent of the most popular Android apps transmit in cleartext ***
---------------------------------------------
In a study of 10,000 Android apps, researchers found that the majority do not encrypt their data connections at all, and a further 26 percent use SSL in such a way that the connection can be attacked.
---------------------------------------------
http://www.heise.de/security/meldung/69-Prozent-der-beliebtesten-Android-Ap…
*** Pay up or the site goes down: extortion with DDoS attacks ***
---------------------------------------------
Attackers demand money to stop attacks on websites
---------------------------------------------
http://derstandard.at/1392687169264
*** Blog: Tor hidden services - a safe haven for cybercriminals ***
---------------------------------------------
http://www.securelist.com/en/blog/8187/Tor_hidden_services_a_safe_haven_for…
*** Malware uses iTunes as bait ***
---------------------------------------------
Fake iTunes pages lure users into installing the supposed Apple software; instead, the user receives malware. Prominently placed search engine advertising for the term "iTunes" serves as the feeder.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-nutzt-iTunes-als-Lockmittel-21…
*** Apache Shiro 1.2.2 LDAP Authentication Bypass ***
---------------------------------------------
Topic: Apache Shiro 1.2.2 LDAP Authentication Bypass Risk: High Text:Dear Apache Shiro Community, The Apache Shiro team has released Apache Shiro version 1.2.3. This is the third bug fix point...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030034
*** Windows Escalate UAC Protection Bypass (In Memory Injection) ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030039
*** HPSBHF02965 rev.1 - HP Security Management System, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP Security Management System. The vulnerability could be remotely exploited to allow remote execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02973 SSRT101455 rev.1 - HP-UX Running Java6/7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** WordPress Relevanssi Plugin "category_name" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56641
*** Java OpenID Server 1.2.1 XSS / Session Fixation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030037
*** VU#823452: Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities ***
---------------------------------------------
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities. CWE-79: Improper Neutralization of Input
---------------------------------------------
http://www.kb.cert.org/vuls/id/823452
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 03-03-2014 18:00 − Tuesday 04-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** TLS: security hole in client authentication ***
---------------------------------------------
Once again there are problems with the TLS protocol. With the triple handshake attack, a malicious HTTPS server can fool another server into believing it holds a user's certificate. Most users are probably not affected by the attack.
---------------------------------------------
http://www.golem.de/news/tls-sicherheitsluecke-bei-client-authentifizierung…
*** Web hosting: FTP as a security risk ***
---------------------------------------------
Anyone who runs their own website usually transfers it to the web host via FTP, and often no encryption is used. Not a single major provider adequately informs its customers of these risks; with some providers an encrypted connection is not possible at all.
---------------------------------------------
http://www.golem.de/news/webspace-sicherheitsrisiko-ftp-1403-104889-rss.html
*** Large-scale attack on routers: DNS settings manipulated ***
---------------------------------------------
Researchers discovered a large-scale attack on routers: on over 300,000 routers in home or office use, the DNS settings were allegedly manipulated. The attackers could thereby have redirected the devices' traffic at any time.
---------------------------------------------
http://www.heise.de/security/meldung/Grossangriff-auf-Router-DNS-Einstellun…
*** Security hole: GnuTLS now has its own "goto fail" ***
---------------------------------------------
The open-source library for secured connections also has a serious flaw in certificate verification. Current patches are intended to fix it.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-GnuTLS-jetzt-mit-got…
*** GNUTLS-SA-2014-2 - Certificate Verification Issue ***
---------------------------------------------
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks.
---------------------------------------------
http://gnutls.org/security.html#GNUTLS-SA-2014-2
*** WordPress plugin Google Analytics MU 2.3 CSRF ***
---------------------------------------------
Topic: WordPress plugin Google Analytics MU 2.3 CSRF Risk: Low Text:Details = Software: Google Analytics MU Version: 2.3 Homepage: http://wordpress.org/plugins/google-analytics-mu/ CVSS...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030018
*** Joomla 3.2.2 Cross Site Scripting ***
---------------------------------------------
Topic: Joomla 3.2.2 Cross Site Scripting Risk: Low Text:# == # Title ...| Persistent pre-auth XSS in Joomla # Version .| Joomla 3.2.2 # Date ....| 3.03.2014 #...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030030