=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-02-2014 18:00 − Montag 03-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Komplexe Spionagesoftware namens Uroburos entdeckt ***
---------------------------------------------
Sicherheitsexperten von G Data haben eine mutmaßliche Geheimdienstsoftware entdeckt, die offenbar darauf abzielt, hochsensible und geheime Informationen von staatlichen Einrichtungen, Nachrichtendiensten und Großunternehmen zu stehlen.
---------------------------------------------
http://www.heise.de/security/meldung/Komplexe-Spionagesoftware-namens-Urobu…
Multiple vulnerabilities in Oracle Demantra 12.2.1
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030004http://cxsecurity.com/issue/WLB-2014030007http://cxsecurity.com/issue/WLB-2014030006http://cxsecurity.com/issue/WLB-2014030005
*** Wo-möglich-Verschlüsselung für mehr Sicherheit ***
---------------------------------------------
Harte Verschlüsselung oder nur Wo-möglich-Verschlüsselung gegen NSA und Konsorten? Darüber diskutierte der STRINT-Workshop der IETF und des W3C am Wochenende in London.
---------------------------------------------
http://www.heise.de/security/meldung/Wo-moeglich-Verschluesselung-fuer-mehr…
*** DSA-2868 php5 ***
---------------------------------------------
denial of service
---------------------------------------------
http://www.debian.org/security/2014/dsa-2868
*** WordPress VideoWhisper Live Streaming Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57202
*** Apache Camel XSLT XML External Entities and Arbitrary Code Execution Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57125
*** Hintergrund: VM-Erkennung in Malware ***
---------------------------------------------
Die rote oder die blaue Pille? Immer mehr Schädlinge wollen wissen, ob ihre Umgebung echt oder nur virtuell ist.
---------------------------------------------
http://www.heise.de/security/artikel/VM-Erkennung-in-Malware-2131459.html
*** The Mobile Cybercriminal Underground Market in China ***
---------------------------------------------
The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-mobile-cyber…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-02-2014 18:00 − Freitag 28-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Are Automated Update Services the Next Surveillance Frontier? ***
---------------------------------------------
Automated update services that provide users with security patches and feature enhancements are also a potential hunting ground for intelligence agencies and law enforcement surveillance activity.
---------------------------------------------
http://threatpost.com/are-automated-update-services-the-next-surveillance-f…
*** DDoS and BCP 38, (Thu, Feb 27th) ***
---------------------------------------------
Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about and further recommendations to implement [1] [2][3][4] (See NANOG Mailing list archive) . Some will say "it will aid in DDoS mitigation" and even others will even state "All Internet Service Providers (ISP) should implement this." Now before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is? And perhaps what it can do?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17735&rss
*** Oversharing, (Fri, Feb 28th) ***
---------------------------------------------
When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "after glow". We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17737&rss
*** Highly Effective Joomla Backdoor with Small Profile ***
---------------------------------------------
It feels like every day we're finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can't lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you'll agree that...
---------------------------------------------
http://blog.sucuri.net/2014/02/highly-effective-joomla-backdoor-with-small-…
*** Tilon/SpyEye2 intelligence report ***
---------------------------------------------
Tilon, son of Silon, or... SpyEye2 evolution of SpyEye? The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware; no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea...
---------------------------------------------
http://blog.fox-it.com/2014/02/25/tilonspyeye2-intelligence-report/
*** Malicious Proxy Auto-Config redirection ***
---------------------------------------------
Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known, yet commonly found in South America and to a lesser extent in Russia, method to gain unauthorized access to a user's banking credentials is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection,...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-con…
*** Notorious "Gameover" malware gets itself a kernel-mode rootkit... ***
---------------------------------------------
Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-…
*** [2014-02-28] Authentication bypass (SSRF) and local file disclosure in Plex Media Server ***
---------------------------------------------
The Plex Media Server proxy functionality fails to properly validate pre-authentication user requests. This allows unauthenticated attackers to make the Plex Media Server execute arbitrary HTTP requests and hence bypass all authentication and execute commands with administrative privileges. Furthermore, because of insufficient input validation, arbitrary local files can be disclosed without prior authentication including passwords and other sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** [2014-02-28] Privilege escalation vulnerability in MICROSENS Profi Line Modular Industrial Switch Web Manager ***
---------------------------------------------
Attackers are able to elevate privileges during login from read-only user rights to full read/write or debug access rights by simply changing result values of the affected CGI script. This allows attackers to reconfigure the device.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** VU#534284: Synology DiskStation Manager VPN module hard-coded password vulnerability ***
---------------------------------------------
Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed. According to the original forum post...
---------------------------------------------
http://www.kb.cert.org/vuls/id/534284
*** Moodle 2.6.1 Cross Site Scripting ***
---------------------------------------------
Topic: Moodle 2.6.1 Cross Site Scripting Risk: Low Text:# == # Title ...| Moodle 2.6.1 # Version .| (Feb 27 2014) moodle-latest-26.zip # Date ....| 27.02.2014...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020247
*** Cisco IPS MainApp SNMP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SNMP code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not function properly.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Schneider Electric Floating License Manager Vulnerability ***
---------------------------------------------
Schneider Electric had become aware of an "unquoted service path" vulnerability in the Schneider Electric Floating License Manager, produced a patch that mitigates this vulnerability, and notified NCCIC/ICS-CERT.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01
*** Schneider Electric OFS Buffer Overflow Vulnerability ***
---------------------------------------------
Schneider Electric has reported to NCCIC/ICS-CERT a Stack Buffer Overflow vulnerability supplied with the Schneider Electric OPC Factory Server (OSF).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-058-02
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-02-2014 18:00 − Donnerstag 27-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters ***
---------------------------------------------
Avaya is expected to patch zero-day vulnerabilities in its latest one-X IP phones. The vulnerabilities and an exploit will be demonstrated this week at RSA Conference 2014.
---------------------------------------------
http://threatpost.com/avaya-to-patch-zero-days-that-turn-ip-phone-in-radio-…
*** Detecting malware on Mac OS X with USM and MIDAS ***
---------------------------------------------
Let's briefly review what we accomplished in the first post: Understood the capabilities and design of MIDAS Deployed MIDAS on a Mac OS X endpoint installed the MIDAS plugin in AlienVault USM Verified the integration by running MIDAS and confirming the events in the SIEM. How does this make us safer? More generally, what does this mean? To answer these questions we need to understand what plists and kexts mean from a security perspective. PlistsProperty list files contain configuration data...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/detecting-malware-on-ma…
*** Ongoing NTP Amplification Attacks, (Wed, Feb 26th) ***
---------------------------------------------
Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices has surfaced a current issue hes facing with ongoing NTP amplification attacks. A good US-CERT summary of the attack is here: https://www.us-cert.gov/ncas/alerts/TA14-013A. Brett indicates that: "We are seeing massive attacks on our NTP servers, attempting to exploit the traffic amplification vulnerability reported last month. Our IPs are being probed by an address in the Netherlands, and a couple...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17723&rss
*** Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen ***
---------------------------------------------
Have you ever wanted to know whats really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree.One question I get a lot (or variants that end up being very close) is, "How do you keep up with whats happening in your network?". A close cousin is "how much do you actually know about your users?".The exact answer to both can have legal implications, so before I proceed to the tech content, Ill ask you to make sure you...
---------------------------------------------
http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html
*** Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes ***
---------------------------------------------
In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' new optimized sub encoding module (opt_sub.rb). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/26/weekly-me…
*** Security: Cisco öffnet Snort-Schnittstelle ***
---------------------------------------------
Wenige Wochen nach der Übernahme des Snort-Entwicklers Sourcefire hat Cisco die Schnittstelle zu dem Intrusion Detection System unter dem Namen OpenAppID öffentlich gemacht. Zudem wurde der Malware-Schutz des aufgekauften Unternehmens in Ciscos Sicherheitsportfolio integriert.
---------------------------------------------
http://www.golem.de/news/security-cisco-oeffnet-snort-schnittstelle-1402-10…
*** Mac OS X 10.6 Snow Leopard: Apple aktualisiert nicht mehr ***
---------------------------------------------
Die letzten zwei größeren Sicherheitsupdates von Apple standen nur noch für Mavericks, Mountain Lion und Lion bereit. Dabei ist OS X 10.6 noch relativ weit verbreitet.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-10-6-Snow-Leopard-Apple-aktua…
*** Was the iOS SSL Flaw Deliberate? ***
---------------------------------------------
Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html
*** Android & iOS: Gratis-Werkzeuge zur Malware-Analyse ***
---------------------------------------------
Die Linux-Distribution Santoku bringt alle Werkzeuge mit, um Malware und andere Apps für iOS und Android professionell unter die Lupe zu nehmen. Eine Kombination aus einer App und einem Webdienst analysiert unter anderem Datenströme von Apps.
---------------------------------------------
http://www.heise.de/security/meldung/Android-iOS-Gratis-Werkzeuge-zur-Malwa…
*** Atlassian - Security Bypass Vulnerabilities in various Products ***
---------------------------------------------
Security Bypass Vulnerabilities in Atlassian Bamboo, Confluence, FishEye, JIRA, Crucible and Stash
---------------------------------------------
https://secunia.com/advisories/57086https://secunia.com/advisories/57088https://secunia.com/advisories/57095https://secunia.com/advisories/57105https://secunia.com/advisories/56842https://secunia.com/advisories/56936
*** [2014-02-27] Local Buffer Overflow vulnerability in SAS for Windows ***
---------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed as the software "SAS for Windows" is affected by a local buffer overflow vulnerability.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Drupal - Vulnerabilities in third-party Modules and Themes ***
---------------------------------------------
Vulnerabilities in Open Omega (third-party theme), Content locking (anti-concurrent editing) (third-party module), Project Issue File Review (third-party module) and Mime Mail (third-party module)
---------------------------------------------
https://drupal.org/node/2205877https://drupal.org/node/2205807https://drupal.org/node/2205767https://drupal.org/node/2205991
*** Schneider Electric CitectSCADA Products Exception Handler Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-350-01 Schneider Electric SCADA Products Exception Handler Vulnerability that was published February 25, 2014, on the NCCIC/ICS-CERT web site. This advisory was originally posted to the US-CERT secure Portal library on December 16, 2013. Schneider Electric requested the title change to reduce confusion.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01A
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-02-2014 18:00 − Mittwoch 26-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Chameleon: Forschungsvirus verbreitet sich von WLAN zu WLAN ***
---------------------------------------------
Britische Wissenschaftler haben unter dem Namen "Chameleon" einen vollständigen Router-Wurm geschaffen, der das Internet nicht braucht. Die Malware kopiert sich von einem Router zum anderen per WLAN und kann sich so epidemieartig ausbreiten. Aber auch Wege zur Abwehr solcher Gefahren sind absehbar. (WLAN, Virus)
---------------------------------------------
http://www.golem.de/news/chameleon-forschungs-virus-verbreitet-sich-von-wla…
*** DDoSing a Cell Phone Network ***
---------------------------------------------
Interesting research: Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/ddosing_a_cell.html
*** IE Zero-day Exploit Being Used in Widespread Attacks ***
---------------------------------------------
The number of attacks exploiting a yet-to-be-patched vulnerability in Internet Explorer has increased dramatically over the past few days, indicating the exploit is no longer used just in targeted attacks against particular groups of people.
---------------------------------------------
http://www.cio.com/article/748778/IE_Zero_day_Exploit_Being_Used_in_Widespr…
*** QuickTime 7.7.5 für Windows behebt diverse Sicherheitslücken ***
---------------------------------------------
Apples Multimediaumgebung enthält unter Windows eine ganze Reihe von sicherheitsrelevanten Bugs. Version 7.7.5 soll sie beheben - ein schnelles Update ist angeraten.
---------------------------------------------
http://www.heise.de/security/meldung/QuickTime-7-7-5-fuer-Windows-behebt-di…
*** Announcing EMET 5.0 Technical Preview ***
---------------------------------------------
Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview here. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-tech…
*** VU#684412: libpng denial-of-service vulnerability ***
---------------------------------------------
Vulnerability Note VU#684412 libpng denial-of-service vulnerability Original Release date: 25 Feb 2014 | Last revised: 25 Feb 2014 Overview libpng versions 1.6.0 through 1.6.9 contain a denial-of-service vulnerability. Description CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) - CVE-2014-0333Glenn Randers Pehrson of the PNG Development Group reports:The progressive decoder in libpng16 enters an infinite loop, thus hanging the application, when it encounters a zero-length IDAT...
---------------------------------------------
http://www.kb.cert.org/vuls/id/684412
*** Schneider Electric SCADA Products Exception Handler Vulnerability ***
---------------------------------------------
Researcher Carsten Eiram of Risk Based Security has identified an exception handling vulnerability in Schneider Electric’s CitectSCADA application. The original vulnerability reported by Mr. Eiram had already been fixed in CitectSCADA v7.20SP2. While investigating this vulnerability report, Schneider Electric discovered additional related vulnerabilities and has produced a patch that mitigates them in SCADA Expert Vijeo Citect, CitectSCADA, and PowerSCADA Expert.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01
*** IBM AIX OpenSSL Multiple Denial of Service Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57041
*** Python Buffer Overflow in socket.recvfrom_into() Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029831
*** Cisco Unified Communications Manager CAPF Unauthenticated Device Information Update Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Manager OS Administration CSRF Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Contact Center Express CCMConfig Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Contact Center Express Serviceability Page CSRF Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-02-2014 18:00 − Dienstag 25-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Android users under attack through malicious ads in Facebook ***
---------------------------------------------
Cyber-criminals are always trying to attract people's attention in order to carry out their crimes. So it should be no surprise that they have now found a combined way of using Facebook (the world's largest social network), WhatsApp (the leading text messaging program for smartphones, recently bought by Facebook) and Android (the most popular operating...
---------------------------------------------
http://pandalabs.pandasecurity.com/android-users-under-attack-through-malic…
*** New attack completely bypasses Microsoft zero-day protection app ***
---------------------------------------------
Whitehats ability to sidestep EMET strongly suggest criminal hackers can, too.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/aCb9-4Ke6D8/
*** Poisoned YouTube ads serve Caphaw banking trojan ***
---------------------------------------------
YouTubes ad network was compromised to host the Styx exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/poisoned-youtube-ads-serve-caphaw-banking-trojan/…
*** Blog: The first Tor Trojan for Android ***
---------------------------------------------
Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity,...
---------------------------------------------
http://www.securelist.com/en/blog/8184/The_first_Tor_Trojan_for_Android
*** Touchlogger: iOS im Lauscheinsatz ***
---------------------------------------------
Die Sicherheitsexperten von Fireeye Labs haben eine iOS-App entwickelt, mit der sich alle Eingaben auf der Touchscreen-Oberfläche im Hintergrund mitschneiden und an einen Server übermitteln lassen.
---------------------------------------------
http://www.golem.de/news/touchlogger-ios-im-lauscheinsatz-1402-104776-rss.h…
*** The Tenth Anniversary of Mobile Malware ***
---------------------------------------------
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that...
---------------------------------------------
http://www.symantec.com/connect/blogs/tenth-anniversary-mobile-malware
*** Best Practices in Computer Network Defense ***
---------------------------------------------
This article was published in the book in Computer Network Defense: Incident Detection and Response. Edited by Melissa E. Hathaway, NATO Science for Peace and Security Series, 2014. The article is about the Dutch approach, the importance of intertnational cooperation and the role of the Dutch Cyber Security Council.
---------------------------------------------
http://www.ncsc.nl/english/current-topics/news/best-practices-in-computer-n…
*** "goto fail": Demo-Exploit für SSL-Schwachstelle in iOS und OS X ***
---------------------------------------------
Der Sicherheitsforscher Aldo Cortesi hat sein Tool mitmproxy angepasst, um den verschlüsselten Datenverkehr von ungepatchten iOS-Geräten und Macs mit OS X 10.9 Mavericks mitzuschneiden. Fast alles lasse sich mitlesen, so Cortesi.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Demo-Exploit-fuer-SSL-Schwac…
*** HPSBST02937 rev.1 - HP StoreVirtual 4000 and StoreVirtual VSA Software dbd_manager, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP StoreVirtual 4000 and StoreVirtual VSA Software (formerly known as HP LeftHand Virtual SAN Appliance) dbd_manager. The vulnerability could be remotely exploited resulting in execution of arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** HPSBMU02971 rev.1 - HP Application Information Optimizer, Remote Execution of Code, Information Disclosure ***
---------------------------------------------
A potential security vulnerability has been identified in the Web Console component of HP Application Information Optimizer (formerly HP Database Archiving). The vulnerability could be exploited to allow remote execution of code and information disclosure.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bugtraq: WiFiles HD v1.3 iOS - File Include Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531236
*** MYBB 1.6.12 search.php Sql injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020202
*** GitHub RCE by Environment variable injection Bug Bounty ***
---------------------------------------------
Topic: GitHub RCE by Environment variable injection Bug Bounty Risk: High Text:GitHub RCE by Environment variable injection Bug Bounty writeup Disclaimer: Ill keep this really short but I hope youll g...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020209
*** TYPO3 6.1.7 XSS / Disclosure / Shell Upload ***
---------------------------------------------
Topic: TYPO3 6.1.7 XSS / Disclosure / Shell Upload Risk: High Text:# == # Title ...| Multiple vulnerabilities in Typo3 CMS # Version .| introductionpackage-6.1.7 # Date .....
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020208
*** FreePBX 2.x Remote Command Execution ***
---------------------------------------------
Topic: FreePBX 2.x Remote Command Execution Risk: High Text:App : Freepbx 2.x Download : schmoozecom.net Auther : i-Hmx Mail : n0p1337(a)gmail.com Home : security arrays inc. , sec4ever...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020206
*** Zen Cart E-Commerce 1.5.1 Multiple vulnerabilities ***
---------------------------------------------
Topic: Zen Cart E-Commerce 1.5.1 Multiple vulnerabilities Risk: High Text:# == # Title ...| Multiple vulnerabilities in Zen Cart e-commerce # Version .| zen-cart-v1.5.1-full-file...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020203
*** WordPress Search Everything Plugin SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56820
*** AutoCAD Insecure Library and FAS File Loading Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57002
*** OATH Toolkit libpam-oath replay ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91316
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-02-2014 18:00 − Montag 24-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Researchers Develop Complete Microsoft EMET Bypass ***
---------------------------------------------
Researchers at Bromium Labs are expected to deliver a paper today that explains how they were able to bypass all of the memory protection mitigations in Microsofts Enhanced Mitigation Experience Toolkit
---------------------------------------------
http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/10…
*** Apples SSL/TLS bug (22 Feb 2014) ***
---------------------------------------------
Yesterday, Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. Since the answer is at the top of the Hacker News thread, I guess the cats out of the bag already and were into the misinformation-quashing stage now.
---------------------------------------------
https://www.imperialviolet.org/2014/02/22/applebug.html
*** An In-depth Analysis of Linux/Ebury ***
---------------------------------------------
ESET has been analyzing and tracking an OpenSSH backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with CERT‑Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.
---------------------------------------------
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
*** Microsoft Windows Crash Reports Reveal New APT, POS Attacks ***
---------------------------------------------
You never know what youll glean from a Windows crash report: security researchers recently unearthed a previously unknown advanced persistent threat campaign as well as a new point-of-sale system attack by perusing and analyzing those crash reports also known as Dr. Watson.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports…
*** NIST Unveils Crypto Standards Proposal ***
---------------------------------------------
Because of concerns of possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards.
---------------------------------------------
http://www.govinfosecurity.com/nist-unveils-crypto-standards-proposal-a-6519
*** Freier Zugriff auf Fernsteuerungen für Industrieanlagen ***
---------------------------------------------
Ein Projekt der FU Berlin dokumentiert, dass weltweit tausende Industrieanlagen über das Internet erreichbar, aber nur unzureichend geschützt sind. Es entstand eine interaktive Karte, auf der potenziell angreifbare Anlagen eingezeichnet sind.
---------------------------------------------
http://www.heise.de/security/meldung/Freier-Zugriff-auf-Fernsteuerungen-fue…
*** Security vulnerabilities found in 80% of best-selling SOHO wireless routers ***
---------------------------------------------
Tripwire has analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon's top 25 best-selling SOHO wireless router models have security vulnerabilities.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16399
*** eGroupWare Multiple PHP Object Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57047
*** JBoss RichFaces Malformed Push Request Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57053
*** Barracuda Firewall Exception Handling Cross Site Scripting ***
---------------------------------------------
Topic: Barracuda Firewall Exception Handling Cross Site Scripting Risk: Low Text:Document Title: Barracuda Bug Bounty #36 Firewall - Client Side Exception Handling Web Vulnerability References ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020186
*** DSA-2866 gnutls26 ***
---------------------------------------------
certificate verification flaw
---------------------------------------------
http://www.debian.org/security/2014/dsa-2866
*** ICONICS GENESIS32 Insecure ActiveX Control ***
---------------------------------------------
NCCIC/ICS-CERT discovered a vulnerability in the ICONICS GENESIS32 application during resolution of unrelated products. ICONICS has produced a patch for all vulnerable versions of its GENESIS32 product. ICONICS GENESIS32 Version 9.0 and newer are not vulnerable to this ActiveX vulnerability.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-14-051-01
*** HPSBMU02964 rev.1 - HP Service Manager, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access, Disclosure of Information and Authentication Issues ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, unauthorized access, disclosure of Information, and authentication issues.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** ASUS router drive-by code execution via XSS and authentication bypass ***
---------------------------------------------
Several ASUS routers include reflected Cross-Site Scripting (CWE-79) and authentication bypass (CWE-592) vulnerabilities. An attacker who can lure a victim to browse to a web site containing a specially crafted JavaScript payload can execute arbitrary commands on the router as administrator (root). No user interaction is required.
---------------------------------------------
https://sintonen.fi/advisories/asus-router-auth-bypass.txt
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-02-2014 18:00 − Freitag 21-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Adobe Flash: Zero-Day-Exploit wird aktiv ausgenutzt ***
---------------------------------------------
Adobe hat diesen Monat erneut einen Sicherheitspatch für den Flash Player veröffentlicht. Dieser sollte schleunigst eingespielt werden. Derzeit laufen Attacken auf den Flash Player, bei dem ein Sicherheitsloch aktiv ausgenutzt wird. (Adobe, Server)
---------------------------------------------
http://www.golem.de/news/adobe-flash-zero-day-exploit-wird-aktiv-ausgenutzt…http://blogs.adobe.com/psirt/?p=1059http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
*** Sicherheitsupdate für freie Datenbank PostgreSQL ***
---------------------------------------------
Die Entwickler schließen mehrere Sicherheitslücken, die Anwendern eine Veränderung ihrer Rechte erlaubten. Außerdem warnen sie vor einem noch nicht behobenen Fehler, der das Kapern eines System-Accounts ermöglicht.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsupdate-fuer-freie-Datenbank…http://www.postgresql.org/about/news/1506/
*** Spamvertised "You received a new message from Skype voicemail service" themed emails lead to Angler exploit kit ***
---------------------------------------------
We've just intercepted a currently circulating malicious spam campaign that's attempting to trick potential botnet victims into thinking that they've received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they're automatically exposed to the client-side exploits served by the Angler exploit kit.
---------------------------------------------
http://www.webroot.com/blog/2014/02/20/spamvertised-received-new-message-sk…
*** Erpressungs-Trojaner Bitcrypt geknackt ***
---------------------------------------------
Der Erpressungs-Trojaner Bitcrypt verschlüsselt Dateien des Anwenders und rückt die Daten nur gegen Zahlung von Lösegeld wieder raus. Sicherheitsexperten gelang es jedoch, die Verschlüsselung zu knacken.
---------------------------------------------
http://www.heise.de/security/meldung/Erpressungs-Trojaner-Bitcrypt-geknackt…
*** Google Fixes 28 Security Flaws in Chrome 33 ***
---------------------------------------------
Google Chrome 33 is out, and the new version of the browser includes fixes for 28 security vulnerabilities, including a number of high-severity bugs. The company paid out more than $13,000 in rewards to researchers who reported vulnerabilities that were fixed in this release.
---------------------------------------------
https://threatpost.com/google-fixes-28-security-flaws-in-chrome-33/104391
*** HP Service Manager Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Conduct Cross-Site Scripting and Cross-Site Requset Forgery Attacks ***
---------------------------------------------
CVE Reference: CVE-2013-6202
Date: Feb 21 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
---------------------------------------------
http://www.securitytracker.com/id/1029803http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** AdRotate 3.9.4 SQL Injection ***
---------------------------------------------
Topic: AdRotate 3.9.4 SQL Injection Risk: Medium Text:Advisory ID: HTB23201 Product: AdRotate Vendor: AJdG Solutions Vulnerable Version(s): 3.9.4 and probably prior Tested Versi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020178
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-02-2014 18:00 − Donnerstag 20-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Malicious iFrame Injections Host Payload on Tumblr ***
---------------------------------------------
It's always fun to watch malware developers using different techniques to code their creations. Sometimes it's a matter of obfuscation, placement, injection, but this time it's how they code it to be dynamic. I believe this is not the first one that uses this service, but it's the first time I'm seeing ..
---------------------------------------------
http://blog.sucuri.net/2014/02/malicious-iframe-injections-host-payload-on-…
*** Health Care Systems Poorly Protected, Many Already Compromised ***
---------------------------------------------
New report shows that health care industry intellectual property, payment information, and patient data are poorly protected and, in many cases, already compromised.
---------------------------------------------
http://threatpost.com/health-care-systems-poorly-protected-many-already-com…
*** Microsoft release FixIt for IE9/IE10 Zero Day, (Thu, Feb 20th) ***
---------------------------------------------
Microsoft has published a TechNet article detailing the availability of a "FixIt" for the current IE9/IE10 zero day which has been doing the rounds. Corporate users will presumably have to wait until the availability of the patch which Microsoft say will be released during the monthly patching cycle..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17684&rss
*** Microsoft Security Advisory (2934088) ***
---------------------------------------------
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability. Other supported versions of Internet Explorer are not affected. Applying the Microsoft Fix it solution, "MSHTML Shim Workaround," prevents ..
---------------------------------------------
https://technet.microsoft.com/en-us/security/advisory/2934088
*** Fritzbox-Lücke: Jetzt auch bei WLAN-Repeatern ***
---------------------------------------------
Auf den Routern haben zwar längst noch nicht alle Nutzer die Sicherheitslücke gestopft, aber zumindest stehen Firmware-Updates bereit. Nun bessert AVM auch die Software anderer Produkte mit WLAN-Schnittstelle aus.
---------------------------------------------
http://www.heise.de/security/meldung/Fritzbox-Luecke-Jetzt-auch-bei-WLAN-Re…
*** Datenbank-Leck in Leoben, Hack-Angriff auf Energie Steiermark ***
---------------------------------------------
Zusammenhang beider Vorfälle möglich - Zugriff auf Gas-Kundendaten bei Energie Steiermark
---------------------------------------------
http://derstandard.at/1392685633659
*** eXtplorer Joomla! Authentication Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/57022
*** SA-CONTRIB-2014-022 - Slickgrid - Access bypass ***
---------------------------------------------
The module doesnt check access sufficiently, allowing users to ..
---------------------------------------------
https://drupal.org/node/2200491
*** Drupal Maestro 7.x Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020165
*** [remote] - MediaWiki Thumb.php Remote Command Execution ***
---------------------------------------------
http://www.exploit-db.com/exploits/31767
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-02-2014 18:00 − Mittwoch 19-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Time to Harden Your Hardware? ***
---------------------------------------------
Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions.
---------------------------------------------
http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
*** 2013 DataBreach Report By Risk Based Security ***
---------------------------------------------
Today Riskbasedsecurity.com has announced a report that covers the 2013 period for databreaches of all kinds.
---------------------------------------------
http://www.cyberwarnews.info/2014/02/19/2013-databreach-report-by-risk-base…
*** Lets Talk About Your Security Breach with Metasploit. Literally. In Real Time. ***
---------------------------------------------
During a recent business trip in Boston, Tod and I sat down in a bar with the rest of the Metasploit team, and shared our own random alcohol-driven ideas on Metasploit hacking. At one point we started talking about hacking webcams. At that time Metasploit could only list webcams, take a snapshot, stream (without sound), or record audio using a meterpreter...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/18/lets-talk…
*** 300,000 Usernames, Passwords Posted to Pastebin ***
---------------------------------------------
More than 300,000 credentials were posted on the clipboard website Pastebin.com in the year 2013 alone according to a recent analysis by a Swiss security firm.
---------------------------------------------
http://threatpost.com/300000-usernames-passwords-posted-to-pastebin/104333
*** Smartphones und Tablets: Exploit-Code für 14 Monate altes Android-Sicherheitsloch ***
---------------------------------------------
Für eine seit 14 Monaten bekannte Sicherheitslücke in Android ist Exploit-Code für das Framework Metasploit veröffentlicht worden. Ein Sicherheitsforscher kritisiert, dass die meisten im Umlauf befindlichen Android-Geräte die Sicherheitslücke aufweisen.
---------------------------------------------
http://www.golem.de/news/smartphones-und-tablets-exploit-code-fuer-14-monat…
*** Detected new Zeus variant which makes use of steganography ***
---------------------------------------------
Security experts at Malwarebytes detected a new of the popular Zeus banking trojan variant which makes use of steganography to hide the configuration file.
---------------------------------------------
http://securityaffairs.co/wordpress/22334/malware/zeus-banking-malware-nest…
*** Hack gegen AVM-Router: AVM veröffentlicht Liste betroffener Fritzboxen ***
---------------------------------------------
Nach langem Hin und Her hat AVM jetzt eine Liste aller Fritzboxen veröffentlicht, die deren genauen Sicherheitsstatus dokumentiert. Für zwei der betroffenen Geräte steht noch kein Update bereit und einige Fragen bleiben weiterhin offen.
---------------------------------------------
http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-AVM-veroeffentli…
*** Admin rights key to mitigating vulnerabilities, study shows ***
---------------------------------------------
Its been best-practice for a very long time: all users and processes should run with the fewest privileges necessary. This limits the damage that can be done by an attacker if the user or process is compromised.
---------------------------------------------
http://www.zdnet.com/admin-rights-key-to-mitigating-vulnerabilities-study-s…
*** Second Group Seen Using IE 10 Zero Day ***
---------------------------------------------
There are at least two different groups running attacks exploiting the recently published zero day vulnerability in Internet Explorer 10, and researchers say one of the groups used the bug to impersonate a French aerospace manufacturer and compromise victims visiting the spoofed Web page. The attackers also used a special feature of ..
---------------------------------------------
http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344
*** Security Bulletins: SSL Certificate Validation Vulnerability in the Citrix ShareFile Mobile Application for Android and the Citrix ShareFile Mobile for Tablets Application for Android ***
---------------------------------------------
---------------------------------------------
http://support.citrix.com/article/CTX140303
*** MediaWiki Thumb.php Remote Command Execution ***
---------------------------------------------
Topic: MediaWiki Thumb.php Remote Command Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020153
*** Ruby on Rails Multiple Vulnerabilities ***
---------------------------------------------
Ruby on Rails Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/56964
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 17-02-2014 18:00 − Dienstag 18-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Wait a minute... that's not a real JPG! ***
---------------------------------------------
When attackers compromise a website and want to harvest credit cards, they need to either find where the data is stored or capture the data in transit. This blog post shows how identifying files with false file signatures can uncover malicious activity on a server. I recently discovered credit card data hidden behind a .jpg extension that lead me to the work of an attacker capturing credit cards from customers using an online checkout page.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/3m5-LV3n59k/wait-a-min…
*** [2014-02-18] Critical vulnerabilities in Symantec Endpoint Protection ***
---------------------------------------------
Attackers are able to completely compromise the Symantec Endpoint Protection Manager server as they can gain access at the system and database level because of critical XXE and SQL injection vulnerabilities. Furthermore attackers can manage all endpoints and possibly deploy attacker-controlled code on clients.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Scanning for Symantec Endpoint Manager, (Mon, Feb 17th) ***
---------------------------------------------
Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management. According to Symantecs advisory, this product listens on port 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, being that it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17657&rss
*** GE Proficy Vulnerabilities ***
---------------------------------------------
OVERVIEW Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** PHP Backdoors: Hidden With Clever Use of Extract Function ***
---------------------------------------------
When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor.
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/kPCRBZwe1mQ/php-backdoors-hid…
*** A journey to CVE-2014-0497 exploit ***
---------------------------------------------
Last week we published a blog post about a CVE-2013-5330 exploit. We've also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497). The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-04…
*** WordPress two-factor login plugin bug, er, bypasses 2-factor login ***
---------------------------------------------
Cross-site vulnerability exposes bloggers
The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update - after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor need to check their security strength.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/02/18/wordpress_2…
*** VU#656302: Belkin Wemo Home Automation devices contain multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#656302 Belkin Wemo Home Automation devices contain multiple vulnerabilities Original Release date: 18 Feb 2014 | Last revised: 18 Feb 2014
Overview Belkin Wemo Home Automation devices contain multiple vulnerabilities. Description CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware
---------------------------------------------
http://www.kb.cert.org/vuls/id/656302
*** SSA-892342 (Last Update 2014-02-18): Denial-of-Service Vulnerability in RuggedCom ROS-based Devices ***
---------------------------------------------
Summary: A potential vulnerability might allow attackers to perform a Denial-of-Service attack over the network without authentication on RuggedCom products running ROS. RuggedCom and Siemens address this issue by a firmware update.
AFFECTED PRODUCTS
All RuggedCom ROS-based devices with:
All ROS versions before 3.11
ROS 3.11 (for RS950G): all versions
ROS 3.12: all versions < ROS v3.12.4
ROS 4.0 (for RSG2488)
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Exploit Released for Vulnerability Targeted By Linksys Router Worm ***
---------------------------------------------
Technical details about a vulnerability in Linksys routers thats being exploited by a new worm have been released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.
---------------------------------------------
http://www.cio.com/article/748352/Exploit_Released_for_Vulnerability_Target…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 14-02-2014 18:00 − Montag 17-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Christian Wojner
*** Not Just Pills or Payday Loans, It's Essay SEO SPAM! ***
---------------------------------------------
Remember back in school or college when you had to write pages and pages of long essays, but you had no time write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay ..
---------------------------------------------
http://blog.sucuri.net/2014/02/not-just-pills-or-payday-loans-its-essay-seo…
*** New IE 10 Zero Day Targeting Military Intelligence ***
---------------------------------------------
A new campaign, dubbed Operation SnowMan, has been spotted leveraging a previously unknown zero-day in Internet Explorer 10 to compromise the U.S. Veterans of Foreign Wars website this week.
---------------------------------------------
http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/10…
*** Microsoft Internet Explorer 10 remote code execution exploit ***
---------------------------------------------
Microsoft Internet Explorer 10 remote code execution exploit, Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors in...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020123
*** The New Normal: 200-400 Gbps DDoS Attacks ***
---------------------------------------------
KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet -- a nearly 200 Gpbs assault leverging a simple attack method that industry experts is becoming alarmingly common.
---------------------------------------------
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
*** More Malware Embedded in RTFs ***
---------------------------------------------
RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative. We have earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/more-malware-emb…
*** More on HNAP - What is it, How to Use it, How to Find it, (Sat, Feb 15th) ***
---------------------------------------------
Weve had a ton of discussion on the most recent set of home router vulnerabilities based on the HNAP protocol. But what is the HNAP protocol for, and why is it so persistently enabled? HNAP (Home Network Administration Protocol) is a network device management protocol, useful for anyone, but I think meant primarily for ISPs to manage fleets of ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17648&rss
*** Crowdfunding-Plattform Kickstarter gehackt ***
---------------------------------------------
Die Crowdfunding-Plattform Kickstarter wurde Opfer eines Hackerangriffs. Jenseits von Benutzernamen und Mail-Adressen griffen die Hacker auch auf verschlüsselte Passwörter zu.
---------------------------------------------
http://www.heise.de/security/meldung/Crowdfunding-Plattform-Kickstarter-geh…
*** Zugangsdaten im Umlauf: FTP-Server von Webseiten angegriffen ***
---------------------------------------------
Es sollen wohl tausende Zugangsdaten zu FTP-Servern im Umlauf sein, darunter auch Zugänge für bekannte Webseiten. Erste Fälle, in denen Schadinhalte auf Webseiten wie der New York Times untergebracht wurden, gab es schon. (Virus, Server-Applikationen)
---------------------------------------------
http://www.golem.de/news/zugangsdaten-im-umlauf-ftp-server-von-webseiten-an…
*** HP Data Protector EXEC_BAR Remote Command Execution ***
---------------------------------------------
Topic: HP Data Protector EXEC_BAR Remote Command Execution, import argparse import socket ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020134
*** WebSphere Application Server Multiple Java Vulnerabilities ***
---------------------------------------------
WebSphere Application Server Multiple Java Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/56778
*** Mapping Hacking Team's "Untraceable" Spyware ***
---------------------------------------------
Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team. Hacking Team was first thrust into the public spotlight in 2012 when RCS was used against award-winning Moroccan media outlet Mamfakinch, and United Arab Emirates (UAE) human rights activist Ahmed Mansoor. Most recently, Citizen Lab research found that RCS was used to target Ethiopian journalists in the Washington DC area.
---------------------------------------------
https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 13-02-2014 18:00 − Freitag 14-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Angriffe über Zero-Day-Lücke im Internet Explorer ***
---------------------------------------------
Im IE klafft eine kritische Schwachstelle, durch die man seinen Rechner beim Surfen mit Schadcode infizieren kann. Sie wird bereits für gezielte Cyber-Angriffe missbraucht.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-ueber-Zero-Day-Luecke-im-Inte…http://www.securitytracker.com/id/1029765http://www.kb.cert.org/vuls/id/732479
*** BSI warnt Admins: "Zahlreiche deutsche Server mit Ebury-Rootkit infiziert" ***
---------------------------------------------
Das CERT-Bund hat das Linux-Rootkit bereits auf hunderten deutschen Servern lokalisiert; vermutlich sind deutlich mehr betroffen. Admins sollten ihr System jetzt testen.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-warnt-Admins-Zahlreiche-deutsche-S…
*** Bizarre attack infects Linksys routers with self-replicating malware ***
---------------------------------------------
Some 1,000 devices have been hit by the worm, which seeks out others to infect.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/9tO67obVxlY/story01…
*** Apples iCloud verschickt und empfängt Mail im Klartext ***
---------------------------------------------
Ein kurzer Nachtest von Apples iCloud-Mail-Diensten förderte zu Tage, dass Apples Mail-Server weniger Schutz vor Schnüfflern bieten als fast aller anderen Mail-Provider.
---------------------------------------------
http://www.heise.de/security/meldung/Apples-iCloud-verschickt-und-empfaengt…
*** DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure ***
---------------------------------------------
Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what...
---------------------------------------------
http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-ex…
*** SYM14-004 Symantec Endpoint Protection Management Vulnerabilities ***
---------------------------------------------
On Tuesday, February 18, SEC Consult Vulnerability Lab, an Austrian-based security consultancy, is planning to release an advisory to the public regarding vulnerabilities that it found within Symantec Endpoint Protection. For additional information on the SYM14-004 vulnerability, read the Symantec Security Response SYM14-004 Security Advisory.
---------------------------------------------
http://www.symantec.com/business/support/index?page=content&id=TECH214866http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…http://www.heise.de/security/meldung/Update-fuer-kritische-Luecken-im-Syman…
*** CA 2E Web Option Unauthenticated Privilege Escalation ***
---------------------------------------------
Topic: CA 2E Web Option Unauthenticated Privilege Escalation Risk: Medium Text:Vulnerability title: Unauthenticated Privilege Escalation in CA 2E Web Option CVE: CVE-2014-1219 Vendor: CA Product: 2E W...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020111http://www.securityfocus.com/archive/1/531064
*** GnuTLS Intermediate Certificate Processing Flaw May Let Remote Users Bypass Certificate Validation ***
---------------------------------------------
http://www.securitytracker.com/id/1029766
*** Bugtraq: Critical security flaws in Nagios NRPE client/server crypto ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531063
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 12-02-2014 18:00 − Donnerstag 13-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** In the wild: Phony SSL certificates impersonating Google, Facebook, and iTunes ***
---------------------------------------------
Bogus credentials may be enough to ensnare some smartphone apps, researchers say.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/_AvaaGHbDLo/story01…
*** Gameover Zeus most active banking trojan in 2013, researchers report ***
---------------------------------------------
The most active banking trojan of 2013 was the Gameover variant Zeus, according to the latest research by the experts with the Dell SecureWorks Counter Threat Unit.
---------------------------------------------
http://www.scmagazine.com/gameover-zeus-most-active-banking-trojan-in-2013-…
*** Decoding Domain Generation Algorithms (DGAs) - Part I ***
---------------------------------------------
Part 1 - Unpacking the binary to properly view it in IDA Pro
---------------------------------------------
http://vrt-blog.snort.org/2014/02/decoding-domain-generation-algorithms.html
*** Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks ***
---------------------------------------------
Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/13/weekly-me…
*** TYPO3: Several vulnerabilities in third party extensions ***
---------------------------------------------
Several vulnerabilities have been found in the following third-party TYPO3 extensions: alpha_sitemap, femanager ke_stats, outstats, px_phpids, smarty, wec_map
---------------------------------------------
http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens…
*** python-gnupg Command Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56616
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server. CVE(s): CVE-2014-0411 Affected product(s) and affected version(s): SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.1, Version 8.0.0.0 through 8.0.0.8, Version 7.0.0.0 through 7.0.0.31, Version 6.1.0.0 through 6.1.0.47 Refer to the following reference URLs for remediation and additional vulnerability details.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Drupal - Vulnerabilities in third-party Contributions ***
---------------------------------------------
https://drupal.org/node/2194135https://drupal.org/node/2194589https://drupal.org/node/2194621https://drupal.org/node/2194639https://drupal.org/node/2194655https://drupal.org/node/2194671https://drupal.org/node/2194809https://drupal.org/node/2194877
*** SAP NetWeaver Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56947
*** Juniper Networks - 2014-02 Security Threat Response Manager: Multiple vulnerabilities ***
---------------------------------------------
Product Affected: STRM series devices and virtual machines with SRTM software releases: 2010.0, 2012.0, 2012.1, 2013.1, 2013.2
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10614
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 11-02-2014 18:00 − Mittwoch 12-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security update available for Adobe Shockwave Player (APSB14-06) ***
---------------------------------------------
A Security Bulletin (APSB14-06) has been published regarding an update for Adobe Shockwave Player 12.0.7.148 and earlier for Windows and Macintosh. This update addresses critical vulnerabilities that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1051
*** Assessing risk for the February 2014 security updates ***
---------------------------------------------
Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/02/11/assessing-risk-for-the-f…
*** Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022) ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Forefront. The vulnerability could allow remote code execution if a specially crafted email message is scanned. This security update is rated Critical for all supported builds of Microsoft Forefront Protection for Exchange 2010.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-008
*** Attacking ICS Systems "Like Hacking in the 1980s" ***
---------------------------------------------
Here's how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went...
---------------------------------------------
http://threatpost.com/attacking-ics-systems-like-hacking-in-the-1980s/104200
*** CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries ***
---------------------------------------------
In this article I will discuss CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat Denial-of-Service in detail. The article reviews the vulnerabilitys technical aspects in depth and includes recommendations that can help administrators defend from future exploitation of this security issue. How do we know about this vulnerability? About five days ago, Mark Thomas, a Project Management Committee Member and Committer in the Apache Tomcat project, sent an email about the accidentally leaked
---------------------------------------------
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-lo…
*** Suspected Mass Exploit Against Linksys E1000 / E1200 Routers, (Wed, Feb 12th) ***
---------------------------------------------
Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromissed Linksys routers these last couple of days. The routers, once compromissed, scan port 80 and 8080 as fast as they can (saturating bandwidth available). It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune agains the exploit used. E1000 routers are end-of-life and dont appear to have an...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17621&rss
*** Cracking Linksys "Encryption" ***
---------------------------------------------
Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use...
---------------------------------------------
http://www.devttys0.com/2014/02/cracking-linksys-crypto/
*** MSRT February 2014 - Jenxcus ***
---------------------------------------------
We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenx…
*** BSI empfiehlt, dringend Fritz!Box-Update einzuspielen ***
---------------------------------------------
Routerhersteller AVM hat am vergangenen Wochenende ein Update für seine Fritz!Box Routermodelle zur Verfügung gestellt, um eine in der letzten Woche bekannt gewordene Schwachstelle zu schließen.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Fritz-Box-U…
*** MatrikonOPC Improper Input Validation ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers have tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-010-01
*** Cisco Unified Communications Manager several Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** VU#727318: DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#727318 DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability Original Release date: 11 Feb 2014 | Last revised: 11 Feb 2014 Overview DELL SonicWALL GMS/Analyzer/UMA version 7.1, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)DELL SonicWALL GMS/Analyzer/UMA version 7.1 contains a cross-site...
---------------------------------------------
http://www.kb.cert.org/vuls/id/727318
*** FreePBX 2.x Code Execution ***
---------------------------------------------
Topic: FreePBX 2.x Code Execution Risk: High Text:App : Freepbx 2.x download : schmoozecom.com Author : i-Hmx mail : n0p1337(a)gmail.com Home : sec4ever.com , secarrays ltd ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020088
*** TYPO3 - Several vulnerabilities in third party extensions ***
---------------------------------------------
http://typo3.org/news/article/several-vulnerabilities-in-third-party-extens…http://typo3.org/news/article/several-vulnerabilities-in-extension-mm-forum…http://typo3.org/news/article/access-bypass-in-extensions-yet-another-galle…http://typo3.org/news/article/mass-assignment-in-extension-direct-mail-subs…http://typo3.org/news/article/insecure-unserialize-in-extension-news-tt-new…
*** [webapps] - NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31617
*** McAfee Firewall Enterprise OpenSSL OCSP Response Verification Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56930https://secunia.com/advisories/56932
*** [webapps] - jDisk (stickto) v2.0.3 iOS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31618
*** MyBB Extended Useradmininfo Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56921
*** Puppet Enterprise - CVE-2013-6393 (Threat of denial of service and potential for arbitrary code execution due to a flaw in libyaml) ***
---------------------------------------------
A flaw in the way `libyaml` parsed YAML tags could lead to a heap-based buffer overflow. An attacker could submit a YAML document that, when parsed by an application using `libyaml`, would cause the application to crash or potentially execute malicious code. This has been patched in PE 3.1.3.
---------------------------------------------
http://puppetlabs.com/security/cve/cve-2013-6393
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56838
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 10-02-2014 18:00 − Dienstag 11-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release ***
---------------------------------------------
Update as of February 10, 2014 We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow's release. This brings the total for Tuesday's release to seven bulletins, four Critical. Please review the ANS summary page for updated information to help customers...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/02/10/advance-notification-ser…
*** IBMs remote firmware configuration protocol ***
---------------------------------------------
I spent last week looking into the firmware configuration protocol used on current IBM system X servers. IBM provide a tool called ASU for configuring firmware settings, either in-band (ie, running on the machine you want to reconfigure) or out of band (ie, running on a remote computer and communicating with the baseboard management controller - IMM in IBM-speak). Im not a fan of using vendor binaries for this kind of thing. They tend to be large (ASU is a 20MB executable) and difficult to
---------------------------------------------
http://mjg59.dreamwidth.org/29210.html
*** Das Ende des Magnetstreifens - USA wechseln auf Chip&Pin ***
---------------------------------------------
Die USA ist eine Hochburg für den Betrug mit geklauten Kreditkartendaten. Doch ab 2015 soll damit Schluss sein -- Visa und Mastercard stellen auf die in Europa seit langem üblichen Karten mit SmartCard-Chip um.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Ende-des-Magnetstreifens-USA-wechs…
*** Survey: Just 1 in 3 Euro biz slackers meets card security standards ***
---------------------------------------------
Yet PCI-DSS has largely been a failure, wails securo-bod European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/02/11/pci_survey_…
*** NTP-Reflection: Cloudflare meldet massiven DDoS-Angriff ***
---------------------------------------------
Der Netzwerksicherheitsanbieter Cloudflare hat in der Nacht einen massiven DDoS-Angriff auf einen seiner Kunden gemeldet. Es handele sich um einen NTP-Reflection-Angriff, der größer sein soll als der Angriff auf Spamhaus Mitte 2013. (Server, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ntp-reflection-cloudfare-meldet-massiven-ddos-angr…
*** Anti-Diebstahl-Software für Notebooks als Einfallstor ***
---------------------------------------------
Sicherheitsexperten haben die auf Notebooks oft vorinstallierte Anwendung Computrace unter die Lupe genommen. Ergebnis: Die Software hat eine massive Sicherheitslücke. Außerdem lässt sie sich nicht immer deaktivieren.
---------------------------------------------
http://www.heise.de/security/meldung/Anti-Diebstahl-Software-fuer-Notebooks…
*** The Mask/Careto: Hochentwickelter Cyberangriff auf Energieunternehmen ***
---------------------------------------------
Bis Januar 2014 war die Cyberwaffe The Mask aktiv, die Sicherheitslücken in Kaspersky-Software und im Adobe Flash Player ausnutzte. Die Malware arbeitet mit Rootkit, Bootkit und Versionen für Mac OS X, Linux, Android und iOS und löscht ihre Logdateien durch überschreiben.
---------------------------------------------
http://www.golem.de/news/the-mask-careto-hochentwickelter-cyberangriff-auf-…
*** Blog: The Careto/Mask APT: Frequently Asked Questions ***
---------------------------------------------
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.
---------------------------------------------
http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_…
*** Five OAuth Bugs Lead to Github Hack ***
---------------------------------------------
A Russian researcher was able to take five low severity OAuth bugs and string them together to create what he calls a "simple but high severity exploit" in Github.
---------------------------------------------
http://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178
*** Your PenTest Tools Arsenal ***
---------------------------------------------
When it comes about information security one of the major problems is to set your PenTest Tools Arsenal. The truth is there are too many tools out there and it would take forever to try half of them to see if it fit your needs. Over the years, there are some well established tools that most of security professionals use them but that doesn't mean that out there are not unknown still very good pentest tools.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/11/your-pent…
*** Symantec Web Gateway Security Management Console Multiple Security Issues ***
---------------------------------------------
Symantec Web Gateway (SWG) Appliance management console is susceptible to both local and remote access cross-site scripting (XSS) and local access SQL injection (sqli) vulnerabilities. Successful exploitation may result in an authorized user gaining unauthorized access to files on the management console or possibility being able to manipulate the backend data base. There is also potential for remote hijacking of an authorized user session with associated privileges.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Schneider ClearSCADA File Parsing Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56880
*** [webapps] - WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/31573
*** IBM WebSphere Portal Arbitrary File Upload Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56805
*** Bugtraq: Open-Xchange Security Advisory 2014-02-10 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531005
*** parcimonie (0.6 to 0.8, included) possible correlation between key fetches ***
---------------------------------------------
Topic: parcimonie (0.6 to 0.8, included) possible correlation between key fetches Risk: Low Text:Hi, Holger Levsen discovered that parcimonie [1], a privacy-friendly helper to refresh a GnuPG k...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020072
*** Joomla JomSocial Remote Code Execution Vulnerability ***
---------------------------------------------
The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update: Yesterday we released version 3.1.0.4 which fixes two vulnerabilities. As a result of the first vulnerability, our own site was hacked. Thankfully, our security experts spotted the...
---------------------------------------------
http://blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulne…
*** Perl Regex Processing Flaw Lets Remote and Local Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029735
*** Titan FTP Server 10.32 Build 1816 Directory Traversals ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020075
*** Avaya Call Management System (CMS) Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56926
*** Google Android addJavascriptInterface code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90998
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 07-02-2014 18:00 − Montag 10-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Darkleech + Bitly.com = Insightful Statistics ***
---------------------------------------------
This post is about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks. We, at Sucuri, work with infected websites every day. While we see some particular infections on one site or on multiple sites, we can't accurately tell how many more sites out there are...
---------------------------------------------
http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.ht…
*** The Internet is Broken - Act Accordingly ***
---------------------------------------------
Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab's Global Research and Analysis Team has been doing for the last...
---------------------------------------------
http://threatpost.com/the-internet-is-broken-act-accordingly/104141
*** Linkup ransomware blocks internet access, mines Bitcoins ***
---------------------------------------------
A trojan variant, Linkup, identified by Emsisoft, takes control of DNS servers, blocks internet access and mines Bitcoins.
---------------------------------------------
http://www.scmagazine.com/linkup-ransomware-blocks-internet-access-mines-bi…
*** February 2014 Threat Stats ***
---------------------------------------------
Its no surprise that this months threat stats reveal that the largest breach to take place in December involved Target, where 40 million individuals were affected by the point-of-sale malware that swiped the data.
---------------------------------------------
http://www.scmagazine.com/february-2014-threat-stats/slideshow/1809/#0
*** iOS: Sicherheitsforscher warnt vor DoS-Möglichkeit über Snapchat ***
---------------------------------------------
Durch Wiederverwendung alter App-Tokens soll es möglich sein, große Mengen an Nachrichten an Nutzer des Bilderdienstes zu schicken, was dann auch dem iPhone Probleme bereiten soll. Snapchat ist das Problem neu.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-Sicherheitsforscher-warnt-vor-DoS-…
*** Want to remotely control a car? $20 in parts, some oily fingers, and youre in command ***
---------------------------------------------
Spanish hackers have been showing off their latest car-hacking creation; a circuit board using untraceable, off-the-shelf parts worth $20 that can give wireless access to the cars controls while its on the road.
---------------------------------------------
http://www.theregister.co.uk/2014/02/06/want_to_hack_a_car_20_in_parts_some…
*** Mac Trojan Steals Bitcoin Wallet Credentials ***
---------------------------------------------
A new Trojan for Mac OS X disguised as an app for sending and receiving payments steals Bitcoin wallet login credentials.
---------------------------------------------
http://threatpost.com/mac-trojan-steals-bitcoin-wallet-credentials/104152
*** Security Bulletin: Fix available for Cross Site Scripting vulnerabilities in IBM Connections Portlets for WebSphere Portal (CVE-2014-0855) ***
---------------------------------------------
A fix is available for Cross Site Scripting (XSS) vulnerabilities in IBM Connections Portlets for WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663921
*** Bugtraq: [oCERT-2014-001] MantisBT input sanitization errors ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530980
*** Bugtraq: ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530985
*** Contao "Input::postRaw()" PHP Object Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56755
*** Xerox ColorQube 8700 / 8900 Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56889
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 06-02-2014 18:00 − Freitag 07-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Advance Notification Service for February 2014 Security Bulletin Release ***
---------------------------------------------
Today we are providing advance notification for the release of five bulletins, two rated Critical and three rated Important, for February 2014. The Critical updates address vulnerabilities in Microsoft Windows and Security Software while the Important-rated updates address issues in Windows and the .NET Framework.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/02/06/advance-notification-ser…
*** Syrian Electronic Army nimmt beinahe Facebook vom Netz ***
---------------------------------------------
Die Hacker der Syrian Electronic Army haben es fast geschafft, Facebooks Domain zu kapern. Zugang verschafften sie sich wohl durch das Administrationsinterface der Registrars MarkMonitor.
---------------------------------------------
http://www.heise.de/security/meldung/Syrian-Electronic-Army-nimmt-beinahe-F…
*** Bug in iOS 7: Fernortung lässt sich abdrehen ***
---------------------------------------------
Mit einem Trick ist es möglich, bei iOS-7-Geräten Apples "Mein iPhone/iPad suchen", mit dem auch ein geklautes Gerät wiedergefunden werden kann, ohne Passwort zu deaktivieren. Dazu muss das Gerät allerdings entsperrt sein.
---------------------------------------------
http://www.heise.de/security/meldung/Bug-in-iOS-7-Fernortung-laesst-sich-ab…
*** A Look at Malware with Virtual Machine Detection ***
---------------------------------------------
It's not uncommon for the malware of today to include some type of built-in virtual machine detection. Virtual Machines (VMs) are an essential part of a malware analyst's work environment. After all, we wouldn't want to infect our physical - or "bare-metal" computers - to all the...
---------------------------------------------
http://blog.malwarebytes.org/intelligence/2014/02/a-look-at-malware-with-vi…
*** Large-scale DNS redirection on home routers for financial theft ***
---------------------------------------------
In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on... iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware...
---------------------------------------------
https://www.cert.pl/news/8019/langswitch_lang/en
*** Fritzbox-Angriff analysiert: AVM bereitet Firmware-Updates vor ***
---------------------------------------------
AVM hat den für Telefoniemissbrauch benutzten Angriffsweg nachvollzogen und bereitet Firmware-Updates für Fritzboxen vor, die am Wochenende erscheinen sollen.
---------------------------------------------
http://www.heise.de/security/meldung/Fritzbox-Angriff-analysiert-AVM-bereit…
*** Joomla! PROJOOM Smart Flash Header Component Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56831
*** Bugtraq: CVE-2014-1214 - Remote Code Execution in Projoom NovaSFH Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530938
*** Core FTP Server Vulnerabilities ***
---------------------------------------------
CVE-2014-1441: Race condition leading to Denial of Service on the "AUTH SSL" command with invalid SSL data CVE-2014-1442: "XCRC" Directory Traversal Information Disclosure CVE-2014-1443: Password Disclosure Vulnerability
---------------------------------------------
http://permalink.gmane.org/gmane.comp.security.full-disclosure/91518
*** Bugtraq: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530936
*** IBM Tealeaf CX Passive Capture Application remote code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89228
*** IBM Tealeaf CX Passive Capture Application local file include ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89229
*** Symantec Encryption Management Server Web Email Protection information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90946
*** Palo Alto Networks PAN-OS Certificate Invalidation on Master Key Change Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/56392
*** Schneider Electric SCADAPack VxWorks Debugger Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56811
*** osCommerce 2.3.3.4 SQL Injection ***
---------------------------------------------
Topic: osCommerce 2.3.3.4 SQL Injection Risk: Medium Text:# Title: osCommerce v2.x SQL Injection Vulnerability # Dork: Powered by osCommerce # Author: Ahmed Aboul-Ela # Contact: ahme...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020042
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 05-02-2014 18:00 − Donnerstag 06-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Target Hackers Broke in Via HVAC Company ***
---------------------------------------------
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/JuvkO7plF2E/
*** Angriffe auf Fritzboxen: AVM empfiehlt Abschaltung der Fernkonfiguration ***
---------------------------------------------
Nach ersten Fällen von Telefonie-Missbrauch halten Angriffe auf Fritzboxen über die Fernkonfiguration an. Um Schäden vorzubeugen, sollen Fritzbox-Nutzer die Funktion vorübergehend deaktivieren.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-Fritzboxen-AVM-empfiehlt-…
*** Demystifying Point of Sale Malware and Attacks ***
---------------------------------------------
Cybercriminals have an insatiable thirst for credit card data. There are multiple ways to steal this information on-line, but Point of Sales are the most tempting target. An estimated 60 percent of purchases at retailers' Point of Sale (POS) are paid for using a credit or debit card. Given that large retailers may process thousands of transactions daily though their POS, it stands to reason that POS terminals have come into the crosshairs of cybercriminals seeking large volumes of credit...
---------------------------------------------
http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-a…
*** Malware Uses ZWS Compression for Evasion Tactic ***
---------------------------------------------
Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-uses-zws…
*** New Asprox Variant Goes Above and Beyond to Hijack Victims ***
---------------------------------------------
[UPDATE] After further analysis, this threat was identified as Asprox botnet and not Zbot
---------------------------------------------
http://research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.…
*** OpenLDAP 2.4.36 Remote Users Deny Of Service ***
---------------------------------------------
Topic: OpenLDAP 2.4.36 Remote Users Deny Of Service Risk: Medium Text:It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and i...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020032
*** Rockwell RSLogix 5000 Password Vulnerability ***
---------------------------------------------
OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on January 21, 2014, and is now being released to the NCCIC/ICS-CERT Web site.Independent researcher Stephen Dunlap has identified a password vulnerability in the Rockwell Automation RSLogix 5000 software. Rockwell Automation has produced a new version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-021-01
*** NETGEAR Router D6300B Telnet Backdoor Lets Remote Users Gain Root Access ***
---------------------------------------------
http://www.securitytracker.com/id/1029727
*** DSA-2855 libav ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2855
*** Security Bulletin: IBM Domino IMAP Server Denial of Service Vulnerability (CVE-2014-0822) ***
---------------------------------------------
The IMAP server in IBM Domino contains a denial of service vulnerability. A remote unauthenticated attacker could exploit this security vulnerability to cause a crash of the Domino server. The fix for this issue is available as a hotfix and is planned to be incorporated in all upcoming Interim Fixes, Fix Packs and Maintenance Releases.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663023
*** Bugtraq: ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530929
*** Vulnerabilities in Drupal Third-Party Modules ***
---------------------------------------------
https://drupal.org/node/2187453https://drupal.org/node/2189509https://drupal.org/node/2189643https://drupal.org/node/2189751
*** WordPress WooCommerce SagePay Direct Payment Gateway Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56801
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 04-02-2014 18:00 − Mittwoch 05-02-2014 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** WordPress Stop User Enumeration Plugin "author" User Enumeration Weakness ***
---------------------------------------------
Andrew Horton has discovered a weakness in the Stop User Enumeration plugin for WordPress, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to an error when handling the "author" POST parameter, which can be exploited to enumerate valid usernames.
The weakness is confirmed in version 1.2.4. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/56643
*** Chrome Web Store Beset by Spammy Extensions ***
---------------------------------------------
Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites.
---------------------------------------------
http://threatpost.com/chrome-web-store-beset-by-spammy-extensions/104031
*** Joomla! JomSocial Component Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the JomSocial component for Joomla!, which can be exploited by malicious people to compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/56692
*** New Zbot Variant Goes Above and Beyond to Hijack Victims ***
---------------------------------------------
Zbot is an extremely venomous threat, which has strong persistent tactics to ensure that the victim remains infected despite removal attempts. We will get to the overabundance of methods used to keep the victim infected later on.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/ZKiYWwxWXJA/new-zbot-var…
*** Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 19.0 ***
---------------------------------------------
The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2755801
*** Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application ***
---------------------------------------------
A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service.
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/VIunL9T8af4/
*** Peinliches Loch in BlackBerrys Geschäftsdaten-Tresor ***
---------------------------------------------
Beim BlackBerry 10 versagt eine Policy, die geschäftliche Kontakte vor Zugriffen durch persönliche Apps schützen soll. Die Schwachstelle macht persönlichen Android-Apps Namen und Telefonnummern zugänglich.
---------------------------------------------
http://www.heise.de/security/meldung/Peinliches-Loch-in-BlackBerrys-Geschae…
*** Standard Operational Procedures to manage multinational cyber-crises finalised by EU, EFTA Member States and ENISA ***
---------------------------------------------
Today, with the development of the EU-Standard Operational Procedures (EU-SOPs), a milestone has been reached for the management of multinational cyber crises. These procedures were developed by the EU and European Free Trade Association (EFTA) Member States in collaboration with the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/standard-operational-proced…
*** #Asusgate: Zehntausende Router geben private Dateien preis ***
---------------------------------------------
Im Netz sind IP-Adressen für zehntausende verwundbare Asus-Router aufgetaucht. Unter dem Titel "#ASUSGATE" veröffentlichten Unbekannte zudem Listen mit privaten Dateien auf angeschlossenen USB-Geräten.
---------------------------------------------
http://www.heise.de/security/meldung/Asusgate-Zehntausende-Router-geben-pri…
*** How to fail at Incident Response ***
---------------------------------------------
Im a firm believer in having a sound incident response plan (and policies to go with it). One big piece of this is having a plan with regards to how the IR team should communicate. How should you communicate? Well, thats going to depend on your situation. But let me first answer the easier question: how you should not communicate.
---------------------------------------------
http://malwarejake.blogspot.se/2014/02/how-to-fail-at-incident-response.html
*** Blog: CVE-2014-0497 – a 0-day vulnerability ***
---------------------------------------------
A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
---------------------------------------------
http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 03-02-2014 18:00 − Dienstag 04-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New iFrame Injections Leverage PNG Image Metadata ***
---------------------------------------------
We're always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it's new. We'll just say it's new.. We're all familiar with the idea of iFrame Injections, right? Understanding an iFrame Injection The iFrame HTML tag is very standard today, it's...
---------------------------------------------
http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-met…
*** These Guys Battled BlackPOS at a Retailer ***
---------------------------------------------
Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Targets cash registers.
---------------------------------------------
http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retaile…
*** Search Engines for OSINT and Recon ***
---------------------------------------------
Based on the title to this post, you're thinking, "Awesome, Dave! Welcome to 2006!" Well hang on there. There's an amazing number of awesome search facilities that can be useful when doing OSINT and recon work for pen testing. I'll list a lot of different sites that I have discovered and use regularly for both.
---------------------------------------------
http://daveshackleford.com/?p=999
*** Defending Against Tor-Using Malware, Part 2 ***
---------------------------------------------
Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor? Tor, by itself, is not inherently malicious. If a user wants...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/njzW9v7v14w/
*** VU#228886: ZTE ZXV10 W300 router contains hardcoded credentials ***
---------------------------------------------
Vulnerability Note VU#228886 ZTE ZXV10 W300 router contains hardcoded credentials Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview ZTE ZXV10 W300 router version 2.1.0, and possibly earlier versions, contains hardcoded credentials. (CWE-798) Description ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last...
---------------------------------------------
http://www.kb.cert.org/vuls/id/228886
*** VU#593118: Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#593118 Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting...
---------------------------------------------
http://www.kb.cert.org/vuls/id/593118
*** VU#728638: Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#728638 Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014 Overview Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79) Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Fortinet FortiOS 5.0.5, and possibly earlier versions, contains a cross-site scripting...
---------------------------------------------
http://www.kb.cert.org/vuls/id/728638
*** VU#813382: Dell KACE K1000 management appliance contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#813382 Dell KACE K1000 management appliance contains a cross-site scripting vulnerability Original Release date: 04 Feb 2014 | Last revised: 04 Feb 2014 Overview Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79) Description Dell KACE K1000 management appliance version 5.5.90545, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. The
---------------------------------------------
http://www.kb.cert.org/vuls/id/813382
*** Security Bulletins: Vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, could result in unauthenticated information disclosure ***
---------------------------------------------
A vulnerability in Citrix XenMobile Device Manager server, formerly known as Zenprise Device Manager server, that could allow a remote, unauthenticated attacker to gain access to stored data.
---------------------------------------------
http://support.citrix.com/article/CTX140044
*** MyBB 1.6.12 POST Cross Site Scripting ***
---------------------------------------------
Topic: MyBB 1.6.12 POST Cross Site Scripting Risk: Low Text: <!-- Exploit-Title: MyBB 1.6.12 POST XSS 0day Google-Dork: inurl:index.php intext:Powered By MyBB Date: Februrary 2n...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014020018
*** Chrony chronyc Protocol Response Amplification Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56727
*** mpg123 MP3 Decoding Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56729
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 31-01-2014 18:00 − Montag 03-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Telefonie-Missbrauch anscheinend kein Massenhack von AVMs Fritzboxen ***
---------------------------------------------
In den letzten Tagen wunderten sich einige Fritzbox-Nutzer über hohe, teils exorbitante Telefongebühren. Dahinter stecken anscheinend Angriffe mit bekannten Zugangsdaten auf die Fernkonfiguration der verwendeten Fritzboxen.
---------------------------------------------
http://www.heise.de/security/meldung/Telefonie-Missbrauch-anscheinend-kein-…
*** Hackers Use a Trick to Deliver Zeus Banking Malware ***
---------------------------------------------
IDG News Service - Hackers found a new way to slip past security software and deliver Zeus, a long-known malicious software program that steals online banking details. Security company Malcovery Security, based in Georgia, alerted security analysts after finding that none of 50 security programs on Googles online virus scanning service VirusTotal were catching it as of early Sunday.
---------------------------------------------
http://www.cio.com/article/747601/Hackers_Use_a_Trick_to_Deliver_Zeus_Banki…
*** More than a million Android devices infected with bootkit trojan ***
---------------------------------------------
More than a million Android mobile devices worldwide are now infected with a crafty bootkit trojan known as Android.Oldboot.1.origin - a number that has more than tripled in a week.
---------------------------------------------
http://www.scmagazine.com//more-than-a-million-android-devices-infected-wit…
*** DailyMotion Still Infected, Serving Fake AV Malware ***
---------------------------------------------
DailyMotion, one of the most popular websites on the Web, is still serving fake AV malware three weeks after it was notified of a compromise.
---------------------------------------------
http://threatpost.com/dailymotion-still-infected-serving-fake-av-malware/10…
*** SSA-342587 (Last Update 2014-02-03): Vulnerabilities in SIMATIC WinCC Open Architecture ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VU#250358: Various Inmarsat broadband satellite terminals contain multiple vulnerabilities ***
---------------------------------------------
A number of broadband satellite terminals which utilize the Inmarsat satellite telecommunications network have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows...
---------------------------------------------
http://www.kb.cert.org/vuls/id/250358
*** DSA-2851 drupal6 ***
---------------------------------------------
impersonation
---------------------------------------------
http://www.debian.org/security/2014/dsa-2851
*** IBM Financial Transaction Manager multiple vulnerabilities ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90584http://xforce.iss.net/xforce/xfdb/90585http://xforce.iss.net/xforce/xfdb/90586http://xforce.iss.net/xforce/xfdb/90612
*** Security Bulletin: Cross-Site Request Forgery in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-5427) ***
---------------------------------------------
Due to insufficient safeguards against cross-site request forgery, an attacker can trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require that the legitimate user be already authenticated or to authenticate separately as part of the attack.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21663181
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 30-01-2014 18:00 − Freitag 31-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Researcher Warns of Critical Flaws in Oracle Servers ***
---------------------------------------------
There are two vulnerabilities in some of Oracle's older database packages that allow an attacker to access a remote server without a password and even view the server's filesystem and dump arbitrary files. Oracle has not released a patch for one of the flaws, even though it was reported by a researcher more than two...
---------------------------------------------
http://threatpost.com/researcher-warns-of-critical-flaws-in-oracle-servers/…
*** Linux: Sicherheitslücke in x32-Code ***
---------------------------------------------
Eine Sicherheitslücke im Linux-Kernel ermöglicht Nutzern das Schreiben in beliebige Speicherbereiche. Betroffen sind nur Kernel mit Unterstützung für x32-Code, in Ubuntu ist dies standardmäßig aktiviert.
---------------------------------------------
http://www.golem.de/news/linux-sicherheitsluecke-in-x32-code-1401-104300-rs…
*** Yahoo! Mail! users! change! your! passwords! NOW! ***
---------------------------------------------
Web giant blames third-party database compromise Yahoo! is urging users of its Mail service to change their passwords to something secure and unique to the web giant - after a security breach exposed account login details to theft.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/31/yahoo_mail_…
*** Akamai Releases Third Quarter, 2013 State of the Internet Report ***
---------------------------------------------
Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released its Third Quarter, 2013 State of the Internet Report. Based on data gathered from the Akamai Intelligent Platform, the report provides insight into key global statistics such as network connectivity and connection speeds, attack traffic, and broadband adoption and availability, among many others.
---------------------------------------------
http://www.akamai.com/html/about/press/releases/2014/press_012814.html
*** Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries ***
---------------------------------------------
A criminal campaign using the Tor-based Chewbacca Trojan, which includes memory-scraping malware and a keylogger, is responsible for the theft of more than 49,000 credit card numbers in 10 countries.
---------------------------------------------
http://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-…
*** 3S CoDeSys Runtime Toolkit NULL Pointer Dereference ***
---------------------------------------------
Independent researcher Nicholas Miles has identified a NULL pointer dereference vulnerability in Smart Software Solutions (3S) CoDeSys Runtime Toolkit application. 3S has produced an update that mitigates this vulnerability. Nicholas Miles has tested the update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-030-01
*** Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure portal library on January 06, 2014, and is now being released to the NCCIC/ICS-CERT Web site. Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation in the Schneider Electric Telvent SAGE 3030 remote terminal unit (RTU). Schneider Electric has produced a patch that mitigates this vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-006-01
*** Moodle - MSA-14-0002: Group constraints lacking in "login as" ***
---------------------------------------------
Users were able to log in as a user who in a is not in the same group without the permission to see all groups.
---------------------------------------------
https://moodle.org/mod/forum/discuss.php?d=252415
*** TYPO3-PSA-2014-001: Cross-Site Request Forgery Protection in TYPO3 CMS 6.2 ***
---------------------------------------------
In TYPO3 CMS, protection against CSRF has been implemented for many important actions (like creating, editing or deleting records) but is still missing in other places (like Extension Manager, file upload, configuration module). The upcoming 6.2 LTS version will finally close this gap and will protect editors or administrators from these kind of attacks.
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/psa/typo3-psa-2014-001/
*** Puppet - CVE-2013-6450 - Potential denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. ***
---------------------------------------------
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related...
---------------------------------------------
http://puppetlabs.com/security/cve/cve-2013-6450
*** VU#108062: Lexmark laser printers contain multiple vulnerabilities ***
---------------------------------------------
Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.
---------------------------------------------
http://www.kb.cert.org/vuls/id/108062
*** A10 Networks Loadbalancer GET directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90814
*** Check Point Endpoint Security MI Server Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029704
*** Bugtraq: [SECURITY] [DSA 2849-1] curl security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530910
*** Bugtraq: Joomla! JomSocial component < 3.1.0.1 - Remote code execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530909
*** Joomla! JV Comment Component "id" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56588
*** Vuln: OpenStack Compute (Nova) Compressed qcow2 Disk Images Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63467
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 29-01-2014 18:00 − Donnerstag 30-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Clues in the Target Breach ***
---------------------------------------------
An examination of the malware used in the Target breach suggests that the attackers may have taken advantage of a poorly secured feature built into a widely-used IT management software product that was running on the retailers internal network.
---------------------------------------------
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
*** How to Debug DKIM, (Wed, Jan 29th) ***
---------------------------------------------
DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each email authenticating the source. This isnt as good a signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header. The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17528
*** Honey Encryption Tricks Hackers with Decryption Deception ***
---------------------------------------------
Honey Encryption is an encryption tool in the works that fools an attacker with bogus decrypted data that looks like it could be a plausible guess at an encryption key or password.
---------------------------------------------
http://threatpost.com/honey-encryption-tricks-hackers-with-decryption-decep…
*** Attacker extorts coveted Twitter username in elaborate social engineering scheme ***
---------------------------------------------
Naoki Hiroshima recently relinquished to an attacker a prized possession that he owned since 2007: a very rare Twitter username so coveted that not only have people tried to steal it, but one person offered $50,000 for it.
---------------------------------------------
http://www.scmagazine.com//attacker-extorts-coveted-twitter-username-in-ela…
*** Security 101 fail: 3G/4G modems expose control panels to hackers ***
---------------------------------------------
Embedded kit depressingly riddled with cross-site request forgery vulns, says researcher Vulnerabilities in a number of 3G and 4G USB modems can be exploited to steal login credentials - or rack up victims mobile bills by sending text messages to premium-rate numbers - a security researcher warns.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/30/3gmodem_sec…
*** Energy: cyber security is crucial for protection against threats for smart grids which are key for energy availability claims EU cyber security Agency in new report ***
---------------------------------------------
The EU's cyber security agency ENISA signals that assessing the threats for smart grids is crucial for their protection and is therefore a key element in ensuring energy availability.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/energy-cyber-security-is-cr…
*** Code-Einschleusung durch MediaWiki-Lücke ***
---------------------------------------------
In der beliebten Wiki-Software klafft eine kritische Lücke, durch die Angreifer den Server kompromittieren können. Gepatchte Versionen sorgen für Abhilfe.
---------------------------------------------
http://www.heise.de/security/meldung/Code-Einschleusung-durch-MediaWiki-Lue…
*** Windows-Taskmanager Process Explorer 16 mit Einbindung von VirusTotal ***
---------------------------------------------
Die nun erschienene Version 16 des Process Explorer befragt auf Wunsch den web-basierten Multi-Scanner VirusTotal. Dort prüfen rund 50 Virenscanner, ob eine Datei gefährlich ist.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-Taskmanager-Process-Explorer-1…
*** Critical infrastructure hack data found in public domain ***
---------------------------------------------
Data available from mainstream online media - such as blogs, social networking websites, and specialist online publications - could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn.
---------------------------------------------
http://eandt.theiet.org/news/2014/jan/ics-security.cfm
*** Pidgin Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56693
*** Bugtraq: SimplyShare v1.4 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
---------------------------------------------
http://www.securityfocus.com/archive/1/530906
*** OTRS Security Advisory 2014-01 - CSRF issue in customer web interface ***
---------------------------------------------
An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-inte…
*** OTRS Security Advisory 2014-02 - SQL injection issue ***
---------------------------------------------
Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.
---------------------------------------------
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
*** VLC Media Player RTSP Processing "parseRTSPRequestString()" Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability has been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56676
*** SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-007
Project: Services (third-party module)
Version: 7.xDate: 2014-January-29
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple access bypass vulnerabilitiesDescriptionThis module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access...
---------------------------------------------
https://drupal.org/node/2184843
*** SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-008
Project: Tribune (third-party module)Version: 6.x, 7.xDate: 2014-January-29
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
DescriptionA tribune is a type of chatroom.The module doesnt sufficiently filter user provided text from Tribune node titles.This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node.
---------------------------------------------
https://drupal.org/node/2184845
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 28-01-2014 18:00 − Mittwoch 29-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Introducing ModSecurity Status Reporting ***
---------------------------------------------
The Trustwave SpiderLabs Research team is committed to making ModSecurity the best open source WAF possible. To this end, we have deployed Buildbot platforms and revamped regression tests for our different ports to ensure code quality and reliability. But we want to take it even further. The question is, how else can we improve ModSecurity development and support? To best answer that question, we need some basic insight into the ModSecurity user community: How many ModSecurity deployments are...
---------------------------------------------
http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting…
*** Defending Against Tor-Using Malware, Part 1 ***
---------------------------------------------
In the past few months, the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/F4F76IP9KP8/
*** Eyeing SpyEye ***
---------------------------------------------
Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/4eIEz-KJvXo/
*** This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - its by IKEA ***
---------------------------------------------
Order a flat-pack kitchen, surrender your HDDs contents If the Target hack - along with all its predecessors - taught us anything, its that the database isnt the vulnerability. Its the data thats the problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/29/ikea_demand…
*** Botnetz nutzt Lücke in alten Java-Versionen ***
---------------------------------------------
Sicherheitsexperten haben Schadsoftware entdeckt, die eine vor Monaten geschlossene Java-Lücke ausnutzt, um ein Botnetz aufzubauen. Das Programm läuft auf Windows, Linux und Mac OSX; Abhilfe ist einfach möglich.
---------------------------------------------
http://www.heise.de/security/meldung/Botnetz-nutzt-Luecke-in-alten-Java-Ver…
*** Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Network Time Protocol (NTP) package of several Cisco products could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** WordPress WebEngage Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the WebEngage plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56700
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 27-01-2014 18:00 − Dienstag 28-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data ***
---------------------------------------------
As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though!
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/01/23/hacking-p…
*** Coordinated malware eradication ***
---------------------------------------------
Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
---------------------------------------------
https://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-…
*** Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens' trust in web services, outlined by EU Agency ENISA ***
---------------------------------------------
The EU's cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/trustworthy-electronic-sign…
*** Android VPN redirect vuln now spotted lurking in Kitkat 4.4 ***
---------------------------------------------
Now may be a good time to check this out, says securo-bod Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/28/android_vpn…
*** File Infectors and ZBOT Team Up, Again ***
---------------------------------------------
File infectors and ZBOT don't usually go together, but we recently saw a case where these two kinds of threats did. This particular file infector - PE_PATNOTE.A - appends its code to all executable files on the infected system,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/n_0oP1-kYzo/
*** Login-Diebstahl: Warnung vor manipuliertem Filezilla-Client ***
---------------------------------------------
Avast warnt vor manipulierten Programmversionen des beliebten Filezilla-Clients. Wer die falsche Version des FTP-Programms nutzt, gibt Kriminellen die Zugangsdaten für die verwendeten FTP-Server. Betroffen sind nur Anwender, die Filezilla von der falschen Quelle heruntergeladen haben.
---------------------------------------------
http://www.golem.de/news/login-diebstahl-warnung-vor-manipuliertem-filezill…
*** Blog: A cross-platform java-bot ***
---------------------------------------------
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
---------------------------------------------
http://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
*** DDoS attacks become smarter, faster and more severe ***
---------------------------------------------
DDoS attacks will continue to be a serious issue in 2014 - as attackers become more agile and their tools become more sophisticated, according to Radware. Their report was compiled using data from over 300 cases and the Executive Survey consisting of personal interviews with 15 high-ranking security executives.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16268
*** Worldwide Infrastructure Security Report ***
---------------------------------------------
Arbor's annual Worldwide Infrastructure Security Report offers unique insight from network operators on the front lines in the global battle against network threats.
---------------------------------------------
http://www.arbornetworks.com/resources/infrastructure-security-report
*** SI6 Networks IPv6 Toolkit ***
---------------------------------------------
A security assessment and troubleshooting tool for the IPv6 protocols
---------------------------------------------
http://www.si6networks.com/tools/ipv6toolkit/
*** Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837) ***
---------------------------------------------
Multiple vulnerabilities exist in the AutoUpdate settings page and the AutoUpdate process within the IBM QRadar SIEM that when used together could result in remote code execution.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21663066
*** VU#686662: Fail2ban postfix and cyrus-imap filters contain denial-of-service vulnerabilities ***
---------------------------------------------
Fail2ban versions prior to 0.8.11 are susceptible to a denial-of-service attack when a maliciously crafted email address is parsed by the postfix or cyrus-imap filters. If users have not deployed either of these filters then they are not affected.
---------------------------------------------
http://www.kb.cert.org/vuls/id/686662
*** VU#863369: Mozilla Thunderbird does not adequately restrict HTML elements in email message content ***
---------------------------------------------
Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to. ---------------------------------------------
http://www.kb.cert.org/vuls/id/863369
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 24-01-2014 18:00 − Montag 27-01-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ModSecurity Advanced Topic of the Week: HMAC Token Protection ***
---------------------------------------------
This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/4JiUhR_1fSQ/modsecurit…
*** Mitigation of NTP amplification attacks involving Junos ***
---------------------------------------------
When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:...
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
*** Sicherheitslücke in Pages: Update angeraten ***
---------------------------------------------
Nutzer der Mac- und iOS-Version von Pages sollten die neueste Version installieren - eine Sicherheitslücke in älteren Versionen erlaubt unter Umständen das Ausführen von Schadcode.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsluecke-in-Pages-Update-ange…
*** First Android bootkit has infected 350,000 devices ***
---------------------------------------------
January 24, 2014 Russian anti-virus company Doctor Web is warning users about a dangerous Trojan for Android that resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the devices file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries,...
---------------------------------------------
http://news.drweb.com/show/?i=4206&lng=en&c=9
*** Security Advisory-DoS Vulnerability in Eudemon8000E ***
---------------------------------------------
Huawei Eudemon8000E firewall allows users to log in to the device using Telnet or SSH. When an attacker sends to the device a mass of TCP packets with special structure, the logging process become slowly and users may be unable to log in to the device (HWNSIRT-2014-0101).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Bulletin: GSKit certificate chain vulnerability in IBM Security Directory Server and Tivoli Directory Server (CVE-2013-6747) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by IBM Security Directory Server (ISDS) and IBM Tivoli Directory Server (TDS). A malformed certificate chain can cause the ISDS or TDS client application or server process using GSKit to hang or crash.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21662902
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Java JRE (CVE-2013-5809) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by vulnerability in the IBM Java JRE. This vulnerability could allow a remote attacker to affect confidentiality, integrity, and availability by means of unknown vectors related to the Java 2D component.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21662685
*** Security Bulletin eDiscovery Manager (CVE-2013-5791 and CVE-2013-5763) ***
---------------------------------------------
CVE-2013-5791 - CVSS Score: 10 An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow a local attacker to cause a denial of service. CVE-2013-5763 - CVSS Score: 6.8 Oracle Outside In technology is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OS/2 Metafile parser. By causing a vulnerable application to process a malicious file, a remote attacker...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21659481
*** Vulnerability Note VU#168751 - Emerson Network Power Avocent MergePoint Unity 2016 KVM switches contain a directory traversal vulnerability ***
---------------------------------------------
Emerson Network Power Avocent MergePoint Unity 2016 (MPU2016) KVM switches running firmware version 1.9.16473 and possibly previous versions contain a directory traversal vulnerability. An attacker can use directory traversal to download critical files such as /etc/passwd to obtain the credentials for the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/168751
*** Vulnerability Note VU#105686 - Thecus NAS Server N8800 contains multiple vulnerabilities ***
---------------------------------------------
CVE-2013-5667 - Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection CVE-2013-5668 - Thecus NAS Server N8800 Firmware 5.03.01 CVE-2013-5669 - Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
---------------------------------------------
http://www.kb.cert.org/vuls/id/105686
*** Cisco Video Surveillance Operations Manager MySQL Database Insufficient Authentication Controls ***
---------------------------------------------
A vulnerability in the configuration of the MySQL database as installed by Cisco Video Surveillance Operations Manager (VSOM) could allow an unauthenticated, remote attacker to access the MySQL database.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Security update available for Adobe Digital Editions ***
---------------------------------------------
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh. This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/Digital-Editions/apsb14-03.html
*** Hitachi Cosminexus Products Multiple Java Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56545
*** Drupal Doubleclick for Publishers Module Slot Names Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56521
*** WordPress SS Downloads Plugin Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56532
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 23-01-2014 18:00 − Freitag 24-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Russische Spione im Tor-Netz enttarnt ***
---------------------------------------------
Forscher stießen auf 20 Exit Nodes, welche die HTTPS-Verbindungen von Tor-Nutzern aufzubrechen versuchten. Die meisten davon stammen aus Russland.
---------------------------------------------
http://www.heise.de/security/meldung/Russische-Spione-im-Tor-Netz-enttarnt-…
*** Bug Exposes IP Cameras, Baby Monitors ***
---------------------------------------------
A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the devices Internet address to view live and recorded video footage, KrebsOnSecurity has learned.
---------------------------------------------
http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/
*** "Syrian Electronic Army" attackierten Twitter-Account von CNN ***
---------------------------------------------
Sender: "Ja, es ist auch uns passiert. CNN-Accounts gehackt"
---------------------------------------------
http://derstandard.at/1389858074081
*** 65.000 E-Mail-Konten bei Salzburg AG gehackt ***
---------------------------------------------
Bei der Salzburg AG sind die Zugangsdaten von mehr als 65.000 E-Mail- und Internetkonten gehackt worden. Bankdaten seien nicht betroffen, betonte das Unternehmen. Die Hintergründe der Tat sind unklar. User und Kunden üben Kritik.
---------------------------------------------
http://news.orf.at/stories/2215391/
*** Angebliche Sicherheitslücke in aktuellem Chrome nicht zu finden ***
---------------------------------------------
Ein Fehler in Googles Browser lässt sich mit der aktuellen Version nicht reproduzieren. Google will die Lücke schon vor Längerem geschlossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliche-Sicherheitsluecke-in-aktuel…
*** Malicious links for iOS users ***
---------------------------------------------
January 23, 2014 Russian anti-virus company Doctor Web is warning iOS device users about a growing number of incidents involving the distribution of links to bogus sites via mobile app advertisements. An iOS user misguided by such fraud can end up subscribed to a pseudo-service and thus lose money from their mobile account. Recently, users of mobile devices running iOS have been encountering advertisements with increasing frequency in the free applications on their smart phones and tablets. Ads
---------------------------------------------
http://news.drweb.com/show/?i=4204&lng=en&c=9
*** GE Proficy Multiple Vulnerabilities ***
---------------------------------------------
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
*** DSA-2848 mysql-5.5 ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2848
*** Bugtraq: [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module ***
---------------------------------------------
Reflected cross-site scripting (XSS) vulnerability in Drupal 7.14 EventCalendar Module, found in eventcalendar/year allows remote attackers to inject arbitrary web scripts or HTML after the inproperly sanitizited Year Parameter.
---------------------------------------------
http://www.securityfocus.com/archive/1/530876
*** Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 22-01-2014 18:00 − Donnerstag 23-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** SA-CONTRIB-2014-005 - Leaflet - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.xDate: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features.The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector (like Firebug).
---------------------------------------------
https://drupal.org/node/2179103
*** New Android Malware Steals SMS Messages, Intercepts Calls ***
---------------------------------------------
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
---------------------------------------------
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-ca…
*** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR ***
---------------------------------------------
The breach has seen 2,924 user account credentials published to quickleak.org as well as the blog having a deface page added but was not obtrusive to the actually website.
---------------------------------------------
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-aut…
*** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report ***
---------------------------------------------
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report.
---------------------------------------------
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups…
*** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA ***
---------------------------------------------
Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels according to ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybe…
*** Analysis: Spam in December 2013 ***
---------------------------------------------
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
---------------------------------------------
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013
*** Chrome Eavesdropping Exploit Published ***
---------------------------------------------
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computers microphone for speech recognition to continue listening after a user leaves the website.
---------------------------------------------
http://threatpost.com/chrome-eavesdropping-exploit-published/103798
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 21-01-2014 18:00 − Mittwoch 22-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** [2014-01-22] Backdoor account & command injection vulnerabilities in Allnet IP-Cam ALL2281 ***
---------------------------------------------
The IP camera Allnet ALL2281 is affected by critical vulnerabilities that allow an attacker to gain access to the webinterface via a backdoor account. Furthermore, executing arbitrary OS commands is possible.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Feodo Tracker kämpft gegen Rechnungs-Spam ***
---------------------------------------------
Das Feodo-Botnet beschert Deutschland aktuell massenhaft Viren-Spam – vermeintlich im Namen bekannter Mobilfunkprovider und Banken. Der Feodo-Tracker sammelt Indizien, um das Spam-Netzwerk zu bremsen.
---------------------------------------------
http://www.heise.de/security/meldung/Feodo-Tracker-kaempft-gegen-Rechnungs-…
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.2 Service Pack 1.
The following vulnerabilities have been addressed: CVE-2013-4494, CVE-2013-4554, CVE-2013-6885
---------------------------------------------
http://support.citrix.com/article/CTX140038
*** Security Bulletins: Citrix XenClient XT Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenClient XT. These vulnerabilities affect all currently supported versions of Citrix XenClient XT up to and including version 3.2.
The following vulnerabilities have been addressed: CVE-2013-4355, CVE-2013-4370, CVE-2013-4416, CVE-2013-4494, CVE-2013-4554
---------------------------------------------
http://support.citrix.com/article/CTX139624
*** SSL Labs: Stricter security requirements for 2014 ***
---------------------------------------------
Today, were releasing a new version of SSL Rating Guide as well as a new version of SSL Test to go with it. Because the SSL/TLS and PKI ecosystem continues to move at a fast pace, we have to periodically evaluate our rating criteria to keep up.
---------------------------------------------
http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-…
*** [2014-01-22] Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) ***
---------------------------------------------
Attackers are able to completely compromise the T-Mobile Austria HOME NET router (based on Huawei B593u-12) without prior authentication. Depending on the configuration of the router it is also possible to exploit the flaws directly from the Internet.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack ***
---------------------------------------------
Our colleagues at SophosLabs pointed us at a interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users. In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-ma…
*** Cisco TelePresence System Software Command Execution Vulnerability ***
---------------------------------------------
Cisco TelePresence System Software contains a vulnerability in the System Status Collection Daemon (SSCD) code that could allow an unauthenticated, adjacent attacker to execute arbitrary commands with the privileges of the root user.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence Video Communication Server (VCS) contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the failure of several critical processes which may cause active call to be dropped and prevent users from making new calls until the affected system is reloaded.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability ***
---------------------------------------------
Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 20-01-2014 18:00 − Dienstag 21-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Sicherheitstest eingerichtet: BSI meldet millionenfachen Identitätsdiebstahl ***
---------------------------------------------
Behörden haben bei der Analyse von Botnetzen rund 16 Millionen betroffene Benutzerkonten entdeckt. Das BSI bietet einen Sicherheitstest an, um E-Mails auf Identitätsdiebstahl zu überprüfen. (Internet, Security)
---------------------------------------------
http://www.golem.de/news/sicherheitstest-eingerichtet-bsi-meldet-millionenf…
*** Android Vulnerability Enables VPN Bypass ***
---------------------------------------------
A hole in Androids VPN feature could expose what should be securely communicated data as clear, unencrypted text.
---------------------------------------------
http://threatpost.com/android-vulnerability-enables-vpn-bypass/103719
*** Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed ***
---------------------------------------------
A cross-site scripting vulnerability in Microsoft Office 365 casts attention on the need to shore up the security of cloud-based enterprise applications.
---------------------------------------------
http://threatpost.com/details-on-patched-microsoft-office-365-xss-vulnerabi…
*** Kampf um die Hintertüren einer vernetzten Welt ***
---------------------------------------------
Adam Philpott vom Netzwerk-Riesen Cisco bestreitet Kooperation mit Geheimdiensten und skizziert neue Bedrohungen im Netz der Zukunft
---------------------------------------------
http://derstandard.at/1389857261752
*** Blog: WhatsApp for PC - a guaranteed Trojan banker ***
---------------------------------------------
WhatsApp for PC - now from Brazil and bringing banker which will steal your money. It hides itself as an mp3 file and has a low VT detection.
---------------------------------------------
http://www.securelist.com/en/blog/208214225/WhatsApp_for_PC_a_guaranteed_Tr…
*** EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector ***
---------------------------------------------
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-secure-e-ba…
*** Spoiled Onions ***
---------------------------------------------
As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the open Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients. While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and
---------------------------------------------
http://www.cs.kau.se/philwint/spoiled_onions/
*** Merkur-Kundendaten mit Nocard geknackt ***
---------------------------------------------
Studenten der FH Salzburg ist mit dem Kundenkartengenerator Zugriff auf Kundenprofile gelungen
---------------------------------------------
http://derstandard.at/1389857747260
*** WordPress WordFence Plugin "User-Agent" Script Insertion Vulnerability ***
---------------------------------------------
Input passed via the "User-Agent" HTTP header is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a administrator's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/56558
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 17-01-2014 18:00 − Montag 20-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** NCR: Weltweit 95 Prozent aller Geldautomaten mit Windows XP ***
---------------------------------------------
Laut einem hochrangigen Manager des Herstellers NCR laufen fast alle Geldautomaten weltweit noch mit Windows XP. Die Deutsche Kreditwirtschaft will davon nichts wissen, und erklärt, dass die Geldautomaten in Deutschland nicht am Internet hängen. Daher spiele die Art des Betriebssystems keine Rolle.
---------------------------------------------
http://www.golem.de/news/ncr-weltweit-95-prozent-aller-geldautomaten-mit-wi…
*** Adware vendors buy Chrome Extensions to send ad- and malware-filled updates ***
---------------------------------------------
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hours worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account..
---------------------------------------------
http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensio…
*** VPN Related Vulnerability Discovered on an Android device - Disclosure Report ***
---------------------------------------------
As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the
---------------------------------------------
http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-de…
*** Looking Forward Into 2014: What 2013′s Mobile Threats Mean Moving Forward ***
---------------------------------------------
2013 was the year that the Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well. As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of ...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mF1EIjR8duU/
*** Open-Xchange Server Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Open-Xchange, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting and script insertion attacks.
---------------------------------------------
https://secunia.com/advisories/56390
*** F5 ARX Series Cyrus SASL NULL Pointer Dereference Vulnerability ***
---------------------------------------------
F5 has acknowledged a vulnerability in F5 ARX Series, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a bundled vulnerable version of Cyrus SASL in relation to the ARX Manager Configuration utility.
---------------------------------------------
http://secunia.com/advisories/56077/
*** Moodle Security Bypass Security Issue and Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A security issue and a vulnerability have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/56556
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 16-01-2014 18:00 − Freitag 17-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads ***
---------------------------------------------
Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/01/js-binding-over-http-vulnerab…
*** ECAVA INTEGRAXOR BUFFER OVERFLOW VULNERABILITY ***
---------------------------------------------
Overview: This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site.
Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without coordination with NCCIC/ICS-CERT, the vendor, or any other coordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01
*** A Closer Look at the Target Malware, Part II ***
---------------------------------------------
Yesterdays story about the point-of-sale malware used in the Target attack has prompted a flood of reporting from antivirus and security vendors. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/V1LusjgMQk8/
*** HPSBUX02961 SSRT101420 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Thingbot: Botnetz infiziert Kühlschrank ***
---------------------------------------------
Ein US-Sicherheitsunternehmen hat ein Botnetz enttarnt. Das Besondere daran ist, dass etwa ein Viertel der infizierten Geräte keine Computer sind, sondern andere Internet-fähige Geräte - darunter ein Kühlschrank. (Spam, Malware)
---------------------------------------------
http://www.golem.de/news/thingbot-botnetz-infiziert-kuehlschrank-1401-10397…
*** Microsoft löscht Tor-Software nach Trojaner-Befall ***
---------------------------------------------
Von mehreren hunderttausend Windows-PCs hat Microsoft veraltete Tor-Software gelöscht, die ein Trojaner installiert hatte. Auf bis zu zwei Millionen Rechnern soll der heimlich eingerichtete Dienst immer noch aktiv sein.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-loescht-Tor-Software-nach-Tr…
*** Oldboot: the first bootkit on Android ***
---------------------------------------------
A few days ago, we found an Android Trojan using brand new method to modify devices boot partition and booting script file to launch system service and extract malicious application during the early stage of systems booting. Due to the special RAM disk feature of Android devices boot partition, all current mobile antivirus product in the world can't completely remove this Trojan or effectively repair the system. We named this Android Trojan family as Oldboot. As far as we
---------------------------------------------
http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-andro…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 15-01-2014 18:00 − Donnerstag 16-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Compromised Sites Pull Fake Flash Player From SkyDrive ***
---------------------------------------------
On most days, our WorldMap shows more of the same thing. Today is an exception.One infection is topping so high in the charts that it pretty much captured our attention.Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.So we dug deeper It wasnt long before we saw that a lot of scripts hosted in various websites got compromised. Our telemetry actually showed that almost 40% of the infected websites were hosted in Germany. In
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002659.html
*** Microsoft antimalware support for Windows XP ***
---------------------------------------------
Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-su…
*** SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-001Project: Drupal coreVersion: 6.x, 7.xDate: 2014-January-15Security risk: Highly criticalExploitable from: RemoteVulnerability: Multiple vulnerabilitiesDescriptionMultiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack
---------------------------------------------
https://drupal.org/SA-CORE-2014-001
*** A First Look at the Target Intrusion, Malware ***
---------------------------------------------
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Todays post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/OVODHvnhoQs/
*** Amazons public cloud fingered as USs biggest MALWARE LAIR ***
---------------------------------------------
Cyber-crooks lurve Bezos & Cos servers and their whitelisted IP addresses Amazons public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_clou…
*** Ecava IntegraXor Buffer Overflow Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder.
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-015-01
*** Advisory (ICSA-13-344-01) WellinTech Multiple Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01
*** Google verstärkt Anti-Spam-Team mit Zukauf ***
---------------------------------------------
Das Team des Startups Impermium, das ein System gegen E-Mail-Account-Missbrauch entwickelt, wechselt zum Internet-Giganten.
---------------------------------------------
http://www.heise.de/security/meldung/Google-verstaerkt-Anti-Spam-Team-mit-Z…
*** Telekom reagiert mit Blog-Eintrag auf gefälschte Rechnungen ***
---------------------------------------------
Erneut versenden Kriminelle gefälschte Online-Rechnungen der Telekom als Lockmittel, um Schadsoftware zu verbreiten. Dieses Mal reagiert der Konzern mit Warn-Mails und einem Blog-Eintrag, der Unterscheidungsmerkmale zu echten Rechnungen erklärt.
---------------------------------------------
http://www.heise.de/security/meldung/Telekom-reagiert-mit-Blog-Eintrag-auf-…
*** The Hidden Backdoors to the City of Cron ***
---------------------------------------------
An attackers key to creating a profitable malware campaign is its persistency. Malicious code that is easily detected and removed will not generate enough value for their creators. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespanRead More
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/MCeUaRyYi88/the-hidden-backdo…
*** DynDNS-Dienst knickt unter DDoS-Attacke ein ***
---------------------------------------------
Dyn, Betreiber eines der bekanntesten DynDNS-Dienstes, ist Ziel eines DDoS-Angriffs geworden. Es ist zwar nur ein Teil der DNS-Infrastruktur des Anbieters betroffen, aber die Störung schlägt dennoch bis zu den Nutzern durch.
---------------------------------------------
http://www.heise.de/newsticker/meldung/DynDNS-Dienst-knickt-unter-DDoS-Atta…
*** Niederländische Behörden warnen vor Webcams ***
---------------------------------------------
Die niederländischen Justizbehörden warnen, dass die in Tablets und Latops eingebauten Webcams eine Sicherheitslücke darstellen, über die Hacker eindringen können. Abkleben wird empfohlen.
---------------------------------------------
http://www.heise.de/security/meldung/Niederlaendische-Behoerden-warnen-vor-…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 14-01-2014 18:00 − Mittwoch 15-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Verfassungsschutz: Gefahr der Online-Wirtschaftsspionage noch immer unterschätzt ***
---------------------------------------------
Viele kleine und mittelständische Unternehmen sähen Ausgaben für IT-Sicherheit immer noch nicht als gut investiertes Geld an, meinte der Präsident des Bundesamts für Verfassungsschutz.
---------------------------------------------
http://www.heise.de/security/meldung/Verfassungsschutz-Gefahr-der-Online-Wi…
*** NSA zapft auch Computer ohne Internetverbindung an ***
---------------------------------------------
Die NSA hat weltweit auf rund 100.000 Computern Spionagesoftware installiert. Auch zu Computern ohne Internetverbindung hat sich der US-Geheimdienst Zutritt verschafft.
---------------------------------------------
http://futurezone.at/netzpolitik/nsa-zapft-auch-computer-ohne-internetverbi…
*** A Look Into the Future and the January 2014 Bulletin Release ***
---------------------------------------------
In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, "Prediction is very difficult, especially if it's about the future." However, I can say without a doubt that change is afoot in 2014. In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/01/14/a-look-into-the-future-a…
*** Kritische und wichtige Patches von Adobe und Microsoft ***
---------------------------------------------
Was lange währt wird endlich gut: Microsoft hat an seinem Patchday unter anderem die Rechteausweitungslücke in Windows geschlossen, die mindestens seit November für Angriffe missbraucht wird. Von Adobe gibt es dringende Updates für Acrobat und Reader.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-und-wichtige-Patches-von-Ado…
*** Oracle schließt 144 Sicherheitslücken ***
---------------------------------------------
Update betrifft auch Java 7 und Java 5
---------------------------------------------
http://derstandard.at/1388651059299
*** Adobe Security Bulletins Posted ***
---------------------------------------------
Today, we released the following Security Bulletins:
APSB14-01 – Security updates available for Adobe Reader and Acrobat
APSB14-02 – Security updates available for Adobe Flash Player
Customers of the affected products should consult the relevant Security Bulletin(s) for details.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1041
*** Oracle Critical Patch Update Advisory - January 2014 ***
---------------------------------------------
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Summary for January 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for January 2014.
With the release of the security bulletins for January 2014, this bulletin summary replaces the bulletin advance notification originally issued January 9, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/bulletin/ms14-jan
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 13-01-2014 18:00 − Dienstag 14-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running NTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security: Mathematische Formel für den Cyberwar ***
---------------------------------------------
Zwei Wissenschaftler aus den USA haben eine Formel entwickelt, mit sie ausrechnen können, wann der beste Zeitpunkt ist, um einen Cyberangriff auf ein bestimmtes Ziel mit bestimmten Mitteln durchzuführen. (Cyberwar, Security)
---------------------------------------------
http://www.golem.de/news/security-mathematische-formel-fuer-den-cyberwar-14…
*** Router-Backdoor: Cisco, Netgear und Linksys versprechen Schutz ***
---------------------------------------------
Erst Ende Januar will Cisco ein Update liefern, das die in einigen Geraten gefundene Hintertür beseitigt; Netgear und Linksys nennen noch keinen Termin. Support-Anfragen zeigen, dass die Hintertür seit mindestens 10 Jahren aktiv ist.
---------------------------------------------
http://www.heise.de/security/meldung/Router-Backdoor-Cisco-Netgear-und-Link…
*** Spamming and scanning botnets - is there something I can do to block them from my site?, (Tue, Jan 14th) ***
---------------------------------------------
Spamming and scanning botnets - is there something I can do to block them from my site? This question keeps popping up on forums and all places popular with those beleaguer souls despondent of the random spamming and over filled logs from scanning. Although this isnt a Magic ball question answer does come out a: Maybe, Maybe not. The reason behind the ambiguity is logical, to a degree; it's easy trying to hinder, frustrate and reduce the effectiveness of automated botnet processes,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17426&rss
*** ISC BIND NSEC3-Signed Zones Queries Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when handling queries for NSEC3-signed zones and can be exploited to cause a crash with an "INSIST" failure by sending a specially crafted query.
Successful exploitation requires an authoritative nameservers serving at least one NSEC3-signed zone.
---------------------------------------------
https://secunia.com/advisories/56427
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 10-01-2014 18:00 − Montag 13-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Factsheet published: Certificates with 1024 bit RSA are being phased-out ***
---------------------------------------------
Does your organisation still use certificates with an RSA key-length of at most 1024 bits? The NCSC recommends to replace them. The factsheet Certificates with 1024 bit RSA are being phased-out provides you with more information and perspectives for action.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/factsheet-published-certifi…
*** Symantec Endpoint Protection multiple vulnerabilities ***
---------------------------------------------
Symantec Endpoint Protection authentication privilege escalation
http://xforce.iss.net/xforce/xfdb/90224
Symantec Endpoint Protection search paths privilege escalation
http://xforce.iss.net/xforce/xfdb/90226
Symantec Endpoint Protection custom polocies security bypass
http://xforce.iss.net/xforce/xfdb/90225
*** Juniper Junos multiple vulnerabilities ***
---------------------------------------------
Juniper Junos CLI Commands Let Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1029585
Juniper Junos Branch SRX Series HTTP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029584
Juniper Junos Branch SRX Series IP Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029583
Juniper Junos BGP Update Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1029582
Juniper Junos XNM Command Processor Lets Remote Users Consume Excessive Memory on the Target System
http://www.securitytracker.com/id/1029586
*** Die tausend gestopften Löcher des FFmpeg ***
---------------------------------------------
Zwei Google-Ingenieure haben vor zwei Jahren damit begonnen, automatisiert nach Fehlern in dem freien Multimedia-Framework FFmpeg zu fahnden, von denen inzwischen über 1120 behoben wurden.
---------------------------------------------
http://www.heise.de/security/meldung/Die-tausend-gestopften-Loecher-des-FFm…
*** Microsoft Twitter accounts, blog hijacked by SEA ***
---------------------------------------------
Another week, ANOTHER security own goal for Redmond Microsoft had two Twitter accounts and an official blog compromised over the weekend in another embarrassing security incident for the Redmond giant.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/01/13/microsoft_t…
*** Trends in Targeted Attacks: 2013 ***
---------------------------------------------
FireEye has been busy over the last year. We have tracked malware-based espionage campaigns and published research papers on numerous advanced threat actors. We chopped through Poison Ivy, documented a cyber arms dealer, and revealed that Operation Ke3chang had targeted
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2014/01/trends-in-ta…
*** Cisco bestätigt Hintertür in mehreren Routern ***
---------------------------------------------
Test-Interface erlaubt Zugriff auf sensible Daten - Update soll noch im Jänner folgen
---------------------------------------------
http://derstandard.at/1388650811096
*** Bericht: Britischer Geheimdienst GCHQ schwächte GSM-Verschlüsselung ***
---------------------------------------------
Bislang wurde kolportiert, die NATO habe in den 1980er-Jahren auf einem schwachen A5/1-Algorithmus bestanden. Nun weist ein norwegischer Wissenschaftler den Briten die Verantwortung dafür zu.
---------------------------------------------
http://www.heise.de/security/meldung/Bericht-Britischer-Geheimdienst-GCHQ-s…
*** Versorgung mit Virensignaturen für Windows-XP-Rechner vorerst gesichert ***
---------------------------------------------
Am 8. April lässt Microsoft den Support für Windows XP fallen, doch die Antiviren-Hersteller beeindruckt das nicht. Die Folge: Um Signatur-Updates muss sich der XP-Anwender vorerst keine Sorgen machen, solange der Virenwächter nicht von Microsoft kommt.
---------------------------------------------
http://www.heise.de/security/meldung/Versorgung-mit-Virensignaturen-fuer-Wi…
*** LKA NRW warnt vor Betrugsversuchen angeblicher Microsoft-Mitarbeiter ***
---------------------------------------------
In den vergangenen Wochen haben sich Fälle gehäuft, in denen angebliche Mitarbeiter des Microsoft-Supports versuchen, PC-Nutzer per Telefon zu schädigen.
---------------------------------------------
http://www.heise.de/security/meldung/LKA-NRW-warnt-vor-Betrugsversuchen-ang…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 09-01-2014 18:00 − Freitag 10-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Understanding and mitigating NTP-based DDoS attacks ***
---------------------------------------------
Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks. These have become popular recently and caused trouble for some gaming web sites and service providers. Wed long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true.
---------------------------------------------
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-atta…
*** Advance Notification for January 2014 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on January 14, 2014.
This bulletin advance notification will be replaced with the January bulletin summary on January 14, 2014. For more information about the bulletin advance notification service, see...
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
*** Oracle Critical Patch Update Pre-Release Announcement - January 2014 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2014, which will be released on Tuesday, January 14, 2014. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
*** Prenotification Security Advisory for Adobe Reader and Acrobat ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.
---------------------------------------------
http://helpx.adobe.com/security/products/reader/apsb14-01.html
*** Adobe, Microsoft und Oracle zelebrieren ersten Patchday des Jahres ***
---------------------------------------------
Kommenden Dienstag ist es wieder soweit. Adobe will kritische Lücken in Acrobat und Adobe Reader schließen, Microsoft unter anderem eine Windows-Lücke, die bereits seit November vergangenen Jahres ausgenutzt wird.
---------------------------------------------
http://www.heise.de/security/meldung/Adobe-Microsoft-und-Oracle-zelebrieren…
*** Tackling the Sefnit botnet Tor hazard ***
---------------------------------------------
Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botn…
*** Schon wieder hunderttausende Kundendaten durch xt:Commerce-Lücke geklaut ***
---------------------------------------------
Eine weitere Sicherheitslücke in xt:Commerce 3 und einigen der Nachfolger wird derzeit ausgenutzt, um die Namen, Mail-Adressen und Passwort-Hashes in Online-Shops zu entwenden. Betroffen sind über 230.000 Kunden vor allem aus Deutschland und Österreich.
---------------------------------------------
http://www.heise.de/security/meldung/Schon-wieder-hunderttausende-Kundendat…
*** Cisco Context Directory Agent Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in Cisco Context Directory Agent, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and manipulate certain data.
---------------------------------------------
https://secunia.com/advisories/56365
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 08-01-2014 18:00 − Donnerstag 09-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Intercepted Email Attempts to Steal Payments, (Wed, Jan 8th) ***
---------------------------------------------
A reader sent in details of a incident that is currently being investigated in their environment. (Thank you Peter for sharing! ) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for service or goods into his own coffers. Here is a simple breakdown of the flow: Supplier sends business email to customer, email mentions a...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17366&rss
*** ZeroAccess Takedown and the TDSS Aftermath ***
---------------------------------------------
Early December last year, Microsoft - in cooperation with certain law enforcement agencies - announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. TDSS and ZeroAccess ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v07x5pzmpj4/
*** Malvertising attacks via Yahoo ads may precede broader iframe attacks ***
---------------------------------------------
A New Years malvertisement attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors could signal an uptick in the use of highly effective iframe Web attacks on larger online communities.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240212218/Malvertising-attacks-v…
*** Personal banking apps leak info through phone ***
---------------------------------------------
For several years I have been reading about flaws in home banking apps, but I was skeptical. To be honest, when I started this research I was not expecting to find any significant results.
---------------------------------------------
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.ht…
*** Falscher Alarm: Avast für Android hält alle Apps für Viren ***
---------------------------------------------
Ein fehlerhaftes Signaturupdate hat dazu geführt, dass Avast Android-Virenscanner am heutigen Donnerstag zahlreich fündig wurde.
---------------------------------------------
http://www.heise.de/security/meldung/Falscher-Alarm-Avast-fuer-Android-hael…
*** WordPress-Angreifer lieben TimThumb ***
---------------------------------------------
Akamai hat Attacken auf WordPress-Erweiterungen untersucht und festgestellt, dass sich die Angreifer vor allem auf ein Plug-in eingeschossen haben.
---------------------------------------------
http://www.heise.de/security/meldung/WordPress-Angreifer-lieben-TimThumb-20…
*** Critics Cut Deep on Yahoo Mail Encryption Rollout ***
---------------------------------------------
Yahoo has turned on HTTPS by default for its web-based email service, but the deployment is inconsistent across the board and experts are critical of its use of weak standards and the lack of Perfect Forward Secrecy and HSTS.
---------------------------------------------
http://threatpost.com/critics-cut-deep-on-yahoo-mail-encryption-rollout/103…
*** Drupal Media 7.x Access Bypass ***
---------------------------------------------
Topic: Drupal Media 7.x Access Bypass Risk: High Text:View online: https://drupal.org/node/2169767 * Advisory ID: PSA-2014-001 * Project: Media [1] (third-party module) ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014010051
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-01-2014 18:00 − Mittwoch 08-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** 64-bit ZBOT Leverages Tor, Improves Evasion Techniques ***
---------------------------------------------
Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RjjdkzMleq4/
*** Malicious Ads on DailyMotion Redirect to Fake AV Attack ***
---------------------------------------------
Popular video-sharing site DailyMotion is serving malicious ads that redirect site visitors to domains hosting Fake AV malware, security firm Invincea reports.
---------------------------------------------
http://threatpost.com/malicious-ads-on-dailymotion-redirect-to-fake-av-atta…
*** Einbruch in die Opensuse-Foren ***
---------------------------------------------
Die öffentlichen Opensuse-Foren sind Opfer eines Angriffs geworden und derzeit abgeschaltet.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-in-die-Opensuse-Foren-2078128…
*** Yahoo Mail: Verschlüsselung wird endlich Default ***
---------------------------------------------
Alle Kommunikation mit Webmail-Service nun per HTTPS abgesichert - Aber kein Perfect Forward Secrecy
---------------------------------------------
http://derstandard.at/1388650341295
*** Satellite Links for Remote Networks May Pose Soft Target for Attackers ***
---------------------------------------------
Land-based terminals that send data to satellites may pose a soft target for hackers, an analysis from a computer security firm shows. VSATs, an abbreviation for "very small aperture terminals," supply Internet access to remote locations, enabling companies to transmit data from an isolated network to an organizations main one. The devices are used in a variety of industries, including energy, financial services and defense.
---------------------------------------------
http://www.cio.com/article/745580/Satellite_Links_for_Remote_Networks_May_P…
*** Linux Kernel, Font Bugs Fixed in Ubuntu ***
---------------------------------------------
A huge number of security vulnerabilities have been fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws also were patched in some versions of the operating system. The font vulnerability affects five different versions of Ubuntu, including...
---------------------------------------------
http://threatpost.com/linux-kernel-font-bugs-fixed-in-ubuntu/103500
*** VU#487078: QNAP QTS path traversal vulnerability ***
---------------------------------------------
Vulnerability Note VU#487078 QNAP QTS path traversal vulnerability Original Release date: 08 Jan 2014 | Last revised: 08 Jan 2014 Overview QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability. Description CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) - CVE-2013-7174QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal...
---------------------------------------------
http://www.kb.cert.org/vuls/id/487078
*** Vuln: Cisco Unified Communications Manager Unauthorized Access Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64690
*** HP 2620 Switch Series Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56290
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-01-2014 18:00 − Dienstag 07-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: Matthias Fraidl
*** Router auf Backdoor testen ***
---------------------------------------------
Die Netzwerkausrüster hüllen sich nach wie vor über den Zweck des kürzlich entdeckten, undokumentierten Router-Dienstes in Schweigen. So finden Sie heraus, ob Ihr Router ebenfalls auf Befehle wartet.
---------------------------------------------
http://www.heise.de/security/meldung/Router-auf-Backdoor-testen-2074844.html
*** Backdoor in Routern: Hersteller rätseln und analysieren ***
---------------------------------------------
Noch immer können die Router-Hersteller keine plausible Erklärung dafür liefern, dass auf auf ihren Geräten ein undokumentierter Konfigurationsdienst läuft. Sie sind nach eigenen Angaben selbst noch mit der Analyse beschäftigt.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Routern-Hersteller-raets…
*** Distributionen patchen Drupal -- außer Ubuntu ***
---------------------------------------------
Debian und Fedora liefern Sicherheitsupdates für kürzlich gemeldete Sicherheitsprobleme in Drupal. Wer Ubuntu nutzt, muss sich jedoch selber kümmern.
---------------------------------------------
http://www.heise.de/security/meldung/Distributionen-patchen-Drupal-ausser-U…
*** Recent Windows Zero-Day Targeted Embassies, Used Syria-related Email ***
---------------------------------------------
In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques. Further research of this earlier attack - discussed in the blog posts above - has revealed that the exploit was deployed via...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/xqgSESnrQns/
*** A Year of Spam: The Notable Trends of 2013 ***
---------------------------------------------
2013 was a year of change inthe spam landscape. The volume of spam increased from 2012. We witnessed the decline of a previously-successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several "improvements" which allowed spammers to avoid...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/uZ0knuU7r3A/
*** Malware Deployed by Fake Digital Certificates Bypassing Endpoint Security ***
---------------------------------------------
Enterprises that place unwavering faith in the sanctity of digital certificates may want to re-think that belief, now that the latest chapter in the Win32/Winwebsec malware saga has revealed a troubling new development: the use of stolen authentication credentials. Win32/Winwebsec is the catch-all term used by Microsoft to reference a group of fake anti-virus programs [...]
---------------------------------------------
http://www.seculert.com/blog/2014/01/malware-deployed-by-fake-digital-certi…
*** Ransomware: Powerlocker wird für 100 US-Dollar angeboten ***
---------------------------------------------
Die Gruppe Malware Crusaders warnt vor einer neuen Ransomware, die nicht nur besser verschlüsselt, sondern mit zusätzlichen Funktionen ausgestattet ist. In einschlägigen Foren wird Powerlocker bereits für 100 US-Dollar angeboten. (Virus, Malware)
---------------------------------------------
http://www.golem.de/news/ransomware-powerlocker-wird-fuer-100-us-dollar-ang…
*** Malicious Advertisements served via Yahoo ***
---------------------------------------------
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.
---------------------------------------------
http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
*** WordPress Connect plugin for WordPress unspecified cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90106
*** Debian devscripts uscan.pl code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90107
*** [2013-12-27] XPath Injection in IBM Web Content Manager ***
---------------------------------------------
By exploiting the identified XPath Injection vulnerability, an unauthenticated user is able to extract sensitive application configuration data from vulnerable installations of IBM Web Content Manager.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** HP Data Protector code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/90001http://xforce.iss.net/xforce/xfdb/90002http://xforce.iss.net/xforce/xfdb/90003
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-01-2014 18:00 − Freitag 03-01-2014 18:00
Handler: Alexander Riepl
Co-Handler: L. Aaron Kaplan
*** Greyhats expose 4.5 million Snapchat phone numbers using 'theoretical' hack ***
---------------------------------------------
Snapchat largely discounted weakness that partially exposed user numbers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/8aPSkYeU_SA/
*** Target's Use of 3DES Encryption Invites Scrutiny, Worry ***
---------------------------------------------
Targets admission that encrypted PIN data was stolen and secured with 3DES encryption has experts concerned because of the age of the algorithm and the availability of stronger options.
---------------------------------------------
http://threatpost.com/targets-use-of-3des-encryption-invites-scrutiny-worry…
*** Mysterioese Backdoor in diversen Router-Modellen ***
---------------------------------------------
Auf Routern von Linksys und Netgear lauscht ein undokumentierter Dienst, der auf Befehle wartet. Bislang gibt es lediglich ein Indiz dafuer, was es damit auf sich haben koennte.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mysterioese-Backdoor-in-diversen-Rou…
*** Scans Increase for New Linksys Backdoor (32764/TCP), (Thu, Jan 2nd) ***
---------------------------------------------
We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1] At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17336&rss
*** NSA Exploit of the Day: DEITYBOUNCE ***
---------------------------------------------
Todays item from the NSAs Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
*** Advanced Dewplayer plugin for WordPress download-file.php directory traversal ***
---------------------------------------------
Advanced Dewplayer plugin for WordPress download-file.php directory traversal
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89978
*** "Penetrating Hard Targets": NSA arbeitet an Quantencomputern zur Kryptoanlayse ***
---------------------------------------------
Dokumente des NSA-Whistleblowers Edward Snowden legen nahe, dass die NSA bei der Entwicklung von Quantencomputern keinen Vorsprung hat. Mit derartiger Technik koennte bestehende Public-Key-Kryptographie geknackt werden.
---------------------------------------------
http://www.heise.de/security/meldung/Penetrating-Hard-Targets-NSA-arbeitet-…
*** HPSBMU02895 SSRT101253 rev.1 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Data Protector. These vulnerabilities could be remotely exploited to allow an increase of privilege, create a Denial of Service (DoS), or execute arbitrary code.
---------------------------------------------
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl…
*** Bundesnetzagentur praesentiert Entwurf des IT-Sicherheitskatalogs ***
---------------------------------------------
Eine Liste von Sicherheitsanforderungen soll die IT-Infrastruktur unserer Stromnetze absichern. Bis Februar kann man diesen Entwurf noch kommentieren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Bundesnetzagentur-praesentiert-Entwu…
*** Cost/Benefit Analysis of NSAs 215 Metadata Collection Program ***
---------------------------------------------
It has amazed me that the NSA doesnt seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/01/costbenefit_ana_1.html
*** UPDATED X1 : OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Bankautomaten per USB-Stick uebernommen ***
---------------------------------------------
Sicherheitsforscher haben Schadcode entdeckt, der per USB-Stick auf Geldautomaten geladen wird und Ganoven dann beliebig Geld auszahlt. Die Malware enthaelt ausserdem raffinierte Funktionen, die den Hintermaennern Kontrolle ueber die Auszahlungen gibt
---------------------------------------------
http://www.heise.de/security/meldung/Bankautomaten-per-USB-Stick-uebernomme…
*** Ubuntu bessert TLSv1.2-Unterstuetzung nach ***
---------------------------------------------
In aktuellen Ubuntu-Versionen kann die zentrale Crypto-Bibliothek OpenSSL kein TLSv1.2; das soll sich erst mit Ubuntu 14.04 LTS aendern.
---------------------------------------------
http://www.heise.de/security/meldung/Ubuntu-bessert-TLSv1-2-Unterstuetzung-…
*** Ueberwachung: BND fischt deutlich weniger Kommunikation ab ***
---------------------------------------------
Der Bundesnachrichtendienst hat seine Filtermethoden offenbar verbessert. Im Jahr 2012 sind viel weniger verdaechtige Kommunikationsinhalte als in den Vorjahren in den Netzen haengengeblieben. (Datenschutz, DE-CIX)
---------------------------------------------
http://www.golem.de/news/ueberwachung-bnd-fischt-deutlich-weniger-kommunika…
*** Slovenian jailed for creating code behind 12 MILLION strong Mariposa botnet army ***
---------------------------------------------
A Slovenian virus writer who created an infamous strain of malware used to infect an estimated 12 million computers worldwide has been jailed for almost five years.
---------------------------------------------
http://www.theregister.co.uk/2014/01/03/mariposa_botnet_mastermind_jailed/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-12-2013 18:00 − Donnerstag 02-01-2014 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Joseph Stiglitz on Trust ***
---------------------------------------------
Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in todays society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/joseph_stiglitz.html
*** Sqlmap Tricks for Advanced SQL Injection ***
---------------------------------------------
Sqlmap is an awesome tool that automates SQL Injection discovery and exploitation processes. I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices. Below I provide a basic overview of sqlmap and some configuration tweaks for finding trickier injection points. Basics Using sqlmap for classic SQLi is very straightforward: ./sqlmap.py -u http://mywebsite.com/page.php?vulnparam=hello The target URL...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/sqlmap-tricks-for-advanced-sql-injection…
*** NSA Surveillance Has No Boundaries, Expert Says ***
---------------------------------------------
Expert Jacob Appelbaums keynote at CCC describes the deep catalog of hacks and backdoors at the NSAs disposal.
---------------------------------------------
http://threatpost.com/nsa-surveillance-has-no-boundaries-expert-says/103355
*** Protecting the data about data ***
---------------------------------------------
It has been said that encryption simply trades one secret (the data) for another (the key). In the same way, encrypting data naturally shifts attention to that which is not protected: the metadata.
---------------------------------------------
http://www.scmagazine.com//protecting-the-data-about-data/article/327122/
*** Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server ***
---------------------------------------------
Convenient file-store a convenient target for crook touting access A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/30/bbc_ftp_ser…
*** Why NSA spied on inexplicably unencrypted Windows crash reports ***
---------------------------------------------
Windows reports what hardware you have and what software doesnt work.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/CCjtHJ8WSwY/
*** 30C3: Sicherheitsalbträume des Jahres 2014 ***
---------------------------------------------
Unmodulierte Basisbandsysteme stellen nach Ansicht von Sicherheitsexperten des CCC lohnende Angriffsziele dar. Im Biometrie-Segment habe Apple mit Touch ID "die Büchse der Pandora" geöffnet.
---------------------------------------------
http://www.heise.de/newsticker/meldung/30C3-Sicherheitsalbtraeume-des-Jahre…
*** Juniper SSL VPN and UAC Host Checker Issue, (Tue, Dec 31st) ***
---------------------------------------------
A few readers have written asking about odd denials when trying to use Juniper VPNs. Turns out they released a Product Support Notification (subscription required) about their host check feature which fails on endpoints that have a local date set 12/31/2013 or later. There are working on a fix but as a workaround, you can change the local date on the PC, disable host checker verification all together or create a manual host checker process that disables checking firewall, anti-virus and/or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17321&rss
*** X11/X.Org Security In Bad Shape ***
---------------------------------------------
An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security with being worse than it looks. The presenter found more than 120 bugs in a few months of security research and is not close to being done in his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprunde is available for streaming." Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/W_cx3sKOALE/story01.htm
*** Administratoren! Machet Krypto, aber besser... ***
---------------------------------------------
Bettercrypto hilft Systemadmins, Verschlüsselung einzurichten und zu verbessern. Copy&Paste ist gewünscht, Verbesserungsvorschläge ebenso.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Administratoren-Machet-Krypto-aber-b…
*** Dual_EC_DRBG Backdoor: a Proof of Concept ***
---------------------------------------------
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is an pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_PXJ0M1qmQI/story01.htm
*** Hacker finden Hintertüren in Netgear- und Linksys-Routern ***
---------------------------------------------
Ein findiger Hacker hat in den vergagnenen Tagen einen seltsamen Hintergrunddienst auf seinem Router entdeckt. Darüber kann sich jeder Zugang zu seinem Netzwerk verschaffen.
---------------------------------------------
http://futurezone.at/netzpolitik/hacker-finden-hintertueren-in-netgear-und-…
*** Österreichische Begeh: Kopierbarkeit von RFID-Schlüssel bekannt ***
---------------------------------------------
Unternehmen hat nach 30C3-Vortrag von Adrian Dabrowski Stellung bezogen
---------------------------------------------
http://derstandard.at/1388649760468
*** Manipulierte Speicherkarten als Malware-Versteck ***
---------------------------------------------
Hacker zeigen Angriff gegen eingebetteten Mikrokontroller - Daten können vor dem Betriebssystem versteckt werden
---------------------------------------------
http://derstandard.at/1388649791611
*** Snapchat schweigt nach Datenleck ***
---------------------------------------------
Der Anbieter der Foto-App Snapchat äußert sich bisher nicht zu dem Vorfall, bei dem Unbekannte die Daten von 4,6 Millionen Kunden erbeutet haben. Zuvor hatte das Unternehmen Warnungen von Sicherheitsexperten in den Wind geschlagen.
---------------------------------------------
http://www.heise.de/security/meldung/Snapchat-schweigt-nach-Datenleck-20742…
*** memcached mit löchriger Authentifizierung ***
---------------------------------------------
Die SASL-Authentifizierung des Cache-Servers ist zu gutmütig. Auch mit ungültigen Zugangsdaten kommt man beim zweiten Versuch rein.
---------------------------------------------
http://www.heise.de/security/meldung/memcached-mit-loechriger-Authentifizie…
*** OpenSSL.org Defaced by Attackers Gaining Access to Hypervisor, (Thu, Jan 2nd) ***
---------------------------------------------
By now, most of you have heard that the openssl.org website was defaced. While the source code and repositories were not tampered with, this obviously concerned people. What is more interesting is that the attack was made possible by gaining access to the hypervisor that hosts the VM responsible for the website. Attacks of this sort are likely to be more common as time goes on as it provides easy ability to take over a host without having to go through the effort of actually rooting a box.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17333&rss
*** Der Spiegel Article on Networking Equipment Infiltration ***
---------------------------------------------
On December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-…
*** Security Notice-Statement About the Networking Equipment Infiltration Article in Der Spiegel ***
---------------------------------------------
On December 29, 2013, German news agency Der Spiegel published a report titled "Shopping for Spy Gear: Catalog Advertises NSA Toolbox" and described Huawei as one of the vendors that might be impacted.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Security Advisory-A DoS Vulnerability in the SSH Module on Huawei AR Router ***
---------------------------------------------
On Some Huawei AR routers that receive a large number of SSH authentication attack packets with malformed data, legitimate users fail to log in through SSH. Attackers can construct massive attack packets to cause the AR routers to deny SSH login from legitimate users. (HWPSIRT-2013-1255).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Vuln: mod_nss Module NSSVerifyClient CVE-2013-4566 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64114
*** Vuln: libgadu SSL Certificate Validation CVE-2013-4488 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63473
*** Debian update for ruby-i18n ***
---------------------------------------------
https://secunia.com/advisories/56212
*** DSA-2833 openssl ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2833
*** DSA-2832 memcached ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2014/dsa-2832
*** DSA-2831 puppet ***
---------------------------------------------
insecure temporary files
---------------------------------------------
http://www.debian.org/security/2013/dsa-2831
*** Debian update for typo3-src ***
---------------------------------------------
https://secunia.com/advisories/56266
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-12-2013 18:00 − Montag 30-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** eBay Vulnerable to Account Hijacking Via XSRF ***
---------------------------------------------
A researcher reported a cross-site request forgery vulnerability to eBay in August, and despite repeated communication from the online auction that the code has been repaired, the site remains vulnerable to exploit.
---------------------------------------------
http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
*** 12 Days of HaXmas: Meterpreter, Reloaded ***
---------------------------------------------
Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/27/meterpret…
*** 12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks ***
---------------------------------------------
Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/29/remote-js…
*** Major flaw discovered in mobile software used by govt agencies ***
---------------------------------------------
The vulnerability discovered by an Israeli security researcher affects Samsungs Galaxy S4 device, which is currently used by government agencies.
---------------------------------------------
http://www.scmagazine.com/major-flaw-discovered-in-mobile-software-used-by-…
*** Who's Still Robbing ATMs with USB Sticks? ***
---------------------------------------------
Here's one quick way to rob a bank, over and over again. Find an ATM running Windows XP. Skeptical? Don't be, they're still installed all around the world. Next, cut a piece from its chassis to expose its USB port. ...
---------------------------------------------
http://www.wired.com/threatlevel/2013/12/whos-robbing-atms-usb-stick/
*** NTP reflection attack, (Fri, Dec 27th) ***
---------------------------------------------
Symantec has notice in the last few weeks that there is a significant NTP reflection attacks. NTP is Network time protocol and it's used to synch the time between client and server, it is a UDP protocol and it's run on port 123. In the NTP reflection attack the attacker send a crafted packet which request a large amount of date send to the host. "In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17300
*** DRG online challenge(s), (Sat, Dec 28th) ***
---------------------------------------------
For the last couple of months DRG (the Dragon Research Group) has posted some interesting security challenges. The last one, for December, is currently online so if you want to test your security skills - and post the solutions for the public benefit, do not miss the current challenge available at http://dragonresearchgroup.org/challenges/201312/ Those of you who like playing CTFs will enjoy this. Other (older) challenges are still online too, so if you have some time off here's...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17306
*** 30C3: Keine Hintertüren in Tor ***
---------------------------------------------
Roger Dingledine, Vater des Tor-Netzwerks, hat auf dem Hamburger Hackerkongress erklärt, dass eine Vertreterin des US-Justizministeriums auf eine bessere Überwachbarkeit des Anonymisierungsdienstes gedrängt habe.
---------------------------------------------
http://www.heise.de/security/meldung/30C3-Keine-Hintertueren-in-Tor-2072708…
*** The story of a Trojan Dropper I ***
---------------------------------------------
Introduction: Recently, Zscaler ThreatlabZ received a suspicious file from one of our customers, which was named "OrderDetails.zip". After extracting the executable file from the archive I have performed a virustotal scan to get some information about the file. At that time, very few antivirus vendors had definitions in place, which flagged the file as malicious. As such, I decided...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-i.html
*** The story of a Trojan dropper II ***
---------------------------------------------
Analysis: Lets analyze the PE file in detail and see what it's up to. Like most malware, this sample was packed and in order to properly analyze it, we must begin by unpacking the binary. Keeping this in mind, I began by debugging the file, hoping to find the reference to the data section in order to determine precisely where the encrypted portion of data was to be found. Fortunately,...
---------------------------------------------
http://research.zscaler.com/2013/12/the-story-of-trojan-dropper-ii.html
*** RFID-Begehcard: Mit dem Skipass in Wiens Wohnhäuser ***
---------------------------------------------
"Österreich ist sicher", heißt es vollmundig auf der Webseite des Begehsystems. Doch Häuser, die ihren Eingang mit der Begehcard sichern, sind leicht zu öffnen. Alles, was man dazu braucht, ist ein neu programmierbarer RFID-Skipass. (RFID, Sicherheitslücke)
---------------------------------------------
http://www.golem.de/news/rfid-begehcard-ohne-sicherheit-mit-dem-skipass-in-…
*** Open-Source Release of MANTIS Cyber-Threat Intelligence Management Framework ***
---------------------------------------------
Today, Siemens CERT is releasing the "MANTIS Cyber-Threat Intelligence Management Framework" as Open Source under GPL2+.
---------------------------------------------
http://making-security-measurable.1364806.n2.nabble.com/Open-Source-Release…
*** The Year in NSA ***
---------------------------------------------
It's that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one...
---------------------------------------------
http://threatpost.com/the-year-in-nsa/103329
*** PIN Skimmer offers a new side channel attack against mobile devices ***
---------------------------------------------
Researchers with the University of Cambridge revealed just how effective PIN Skimmers can be against mobile devices in a recently released study on the new type of side-channel attack.
---------------------------------------------
http://www.scmagazine.com/pin-skimmer-offers-a-new-side-channel-attack-agai…
*** HP Application Information Optimizer Flaw in Archive Query Server Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029542
*** HP Service Manager Input Validation Hole Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029541
*** HPSBMU02959 rev.1 - HP Service Manager WebTier and Windows Client, Cross-Site Scripting (XSS), Execution of Arbitrary Code and other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Service Manager WebTier and Windows Client. The vulnerabilities could be remotely exploited including cross-site scripting (XSS) and execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** DSA-2828 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2828
Next End-of-Shift Report on 2014-01-02
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-12-2013 18:00 − Freitag 27-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Hintergrund: Erfolgreicher Angriff auf Linux-Verschlüsselung ***
---------------------------------------------
Linux Unified Key Setup (LUKS) ist das Standardverfahren für die Komplettverschlüsselung der Festplatte unter Linux; viele Systeme, darunter Ubuntu 12.04 LTS, setzen dabei LUKS im CBC-Modus ein. Jakob Lell demonstriert, dass diese Kombination anfällig für das Einschleusen einer Hinterür ist.
---------------------------------------------
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Versch…
*** Protection metrics - November results ***
---------------------------------------------
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-novem…
*** Turkey: Understanding high malware encounter rates in SIRv15 ***
---------------------------------------------
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-hig…
*** Popular Registrar Namecheap Fixes DNS Hijack Bug ***
---------------------------------------------
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
---------------------------------------------
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/1032…
*** What a successful exploit of a Linux server looks like ***
---------------------------------------------
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
---------------------------------------------
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful…
*** Turkey Tops World in Per Capita Malware Encounters ***
---------------------------------------------
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
---------------------------------------------
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/10…
*** New Trojan.Mods mines bitcoins ***
---------------------------------------------
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojans authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers DNS queries and redirect users to malignant sites.
---------------------------------------------
http://news.drweb.com/show/?i=4176&lng=en&c=9
*** New CryptoLocker Spreads Via Removable Drives ***
---------------------------------------------
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker…
*** OpenSSL mit kaputter Hintertür ***
---------------------------------------------
Die von der NSA als Hintertür entworfene Zufallszahlenfunktion Dual EC findet sich auch in der offenen Krypto-Bibliothek OpenSSL. Allerdings war sie dort funktionsunfähig, ohne dass es jemand bemerkt hätte.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-207237…
*** Big Data and security analytics collide ***
---------------------------------------------
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
---------------------------------------------
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/3…
*** Infection found on "feedburner.com" ***
---------------------------------------------
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks as they are less likely to be blocked by URL filters. This time we found that Google acquired "FeedBurner", which provides custom RSS feeds and management tools to users is hosting an infected page.
---------------------------------------------
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html
*** Hackers who breached php.net exposed visitors to highly unusual malware ***
---------------------------------------------
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
---------------------------------------------
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-expose…
*** Python Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56234
*** Puppet Enterprise Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56251
*** Novell Client Bug Lets Local Users Crash the System ***
---------------------------------------------
http://www.securitytracker.com/id/1029533
*** Cisco IOS XE VTY Authentication security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89901
*** cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56207
*** VMware Patches Privilege Vulnerability in ESX, ESXi ***
---------------------------------------------
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/10…
*** Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120155
*** Synology DiskStation Manager SLICEUPLOAD Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120156
*** RT: Request Tracker 4.0.10 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013040083
*** Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530489
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-12-2013 18:00 − Montag 23-12-2013 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** What to Expect in Surveillance Politics in 2014 (Hint: It's Not Reform) ***
---------------------------------------------
You would think that a federal district judge calling the NSA program almost Orwellian would be a good sign for surveillance and privacy in 2014. If you're holding out hope for an act of political courage to end bulk surveillance ...
---------------------------------------------
http://www.wired.com/opinion/2013/12/dont-get-too-excited-about-recent-ruli…
*** DHS Turns To Unpaid Interns For Nations Cyber Security ***
---------------------------------------------
theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations best-and-brightest college students to work for nothing on the nations cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Councils Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/leJ5tNqGbgU/story01.htm
*** Microsoft Security Essentials Misses 39% of Malware ***
---------------------------------------------
Barence writes "The latest tests from Dennis Publishings security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher - with five scoring 98% or 99%..
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8Vg-UHP2dqo/story01.htm
*** Kritische Sicherheitslücken in Write-Blocker entdeckt ***
---------------------------------------------
Gleich mehrere Sicherheitslücken entdeckte ein IT-Forensik-Experte in dem neuen Write-Blocker Ditto. Die Folge: Statt seine eigentliche Arbeit zu verrichten, kann das Gerät selbst als Angriffswerkzeug missbraucht werden und Untersuchungen torpedieren.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Sicherheitsluecken-in-Write-…
*** Strange DNS Queries - Request for Packets, (Sat, Dec 21st) ***
---------------------------------------------
We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains ghmn.ru and fkfkfkfa.com. When doing a nslookup, both domains have 100 IPs listed under their domain names with each of them resolving exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server. If anyone else is...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17264&rss
*** evasiOn7: Jailbreak für iOS 7 - mit umstrittenen Funktionen ***
---------------------------------------------
Ein erster Jailbreak für iOS 7, mit dem sich Apps jenseits von Apples App Store installieren lassen, ist verfügbar. Er geriet allerdings wegen Integration eines chinesischen App Stores mit Raubkopien und wegen Verschleierung des Codes gleich in Verruf.
---------------------------------------------
http://www.heise.de/security/meldung/evasiOn7-Jailbreak-fuer-iOS-7-mit-umst…
*** Backdoor in Krypto-Software: RSA Security dementiert NSA-Zahlungen ***
---------------------------------------------
Man habe "niemals einen geheimen Vertrag mit der NSA geschlossen, um einen bekannt anfälligen Zufallszahlengenerator in die Verschlüsselungsbibliotheken von BSAFE zu integrieren", betont RSA Security - leugnet aber keineswegs Zusammenarbeit mit der NSA.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Backdoor-in-Krypto-Software-RSA-Secu…
*** Anti-Bruteforce-Tool DenyHosts sperrt Admins aus ***
---------------------------------------------
Admins, die ihre Server mit DenyHosts vor Brute-Force-Angriffen schützen, müssen handeln - andernfalls stehen sie möglicherweise bald vor verschlossenen Türen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Anti-Bruteforce-Tool-DenyHosts-sperr…
*** How I hacked a journalist ***
---------------------------------------------
It started off as a follow-up to a story a journalist had written several years ago. The story was about data protection, and had showed that a simple subject access request could provide you with enough information to steal someone's identity. Now, Claudia Joseph wanted to see if anything had changed and to update the world on the new dangers. What would happen if somebody was able to infiltrate your online life? Claudia contacted us and started the conversation with "Can you hack...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/12/how-i-hacked-a-journalist/
*** Practical malleability attack against CBC-Encrypted LUKS partitions ***
---------------------------------------------
Topic: Practical malleability attack against CBC-Encrypted LUKS partitions Risk: Medium Text:Article location: http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-agai…...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120153
*** Alert: Adobe License Key Email Scam ***
---------------------------------------------
Adobe is aware of reports that a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should delete it immediately without downloading attachments or...
---------------------------------------------
http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/
*** [webapps] - Jenkins 1.523 - Inject Persistent HTML Code ***
---------------------------------------------
http://www.exploit-db.com/exploits/30408
*** Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server Community 3.0.0.4 October 2013 CPU (CVE-2013-5802,CVE-2013-5825) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server Community 3.0.0.4. CVE(s): CVE-2013-5802, and CVE-2013-5825 Affected product(s) and affected version(s): WebSphere Application Server Community Edition 3.0.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21660594 X-Force Database:...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Fix available for Unauthorized Information Retrieval Security Vulnerability in IBM WebSphere Portal (CVE-2013-6735) ***
---------------------------------------------
A fix that blocks unauthorized information retrieval is available for a security vulnerability in IBM WebSphere Portal.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660289
*** Wordpress information leakage and backdoor in writing settings ***
---------------------------------------------
Topic: Wordpress information leakage and backdoor in writing settings Risk: High Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120152
*** Synology DiskStation Manager (DSM) multiple scripts directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89892
*** Avant Browser Rendering Engines Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56242
*** Nagios "process_cgivars()" Off-By-One Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55976
Next End-of-Shift Report on 2013-12-27
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-12-2013 18:00 − Freitag 20-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Do You Hear What I Hear? ***
---------------------------------------------
This article, recently published in the Journal of Communications, adds another log to the BadBIOS fire. It has been stated that devices in the BadBIOS case are communicating across an air-gap with commodity PC audio hardware. This paper clearly spells out one workable way to communicate in this way. Even if this doesn't end up...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XrnMZDjVZpk/
*** NSA's broken Dual_EC random number generator has a "fatal bug" in OpenSSL ***
---------------------------------------------
No plans to fix a bug in "toxic" algorithm that no one seems to use.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/DAvvFpw-R04/story01…
*** Microsoft warnt vor signierter Malware ***
---------------------------------------------
Immer mehr Schädlinge tragen eine gültige digitale Signatur. Die Unterschriften werden typischerweise mit gestohlenen Entwicklerzertifikaten erstellt.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-warnt-vor-signierter-Malware…
*** Exploiting Password Recovery Functionalities ***
---------------------------------------------
Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages when the user exists or not in the database), sensitive information disclosure (sending the password in clear-text by e-mail to user) and recover password message hijack (involving an attacker receiving a copy of the recover password message) are some common vulnerabilities that may be found in a...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/exploiting-password-recovery-functionali…
*** Quick Joomla Refresher ***
---------------------------------------------
I havent come into contact with Joomla for a while, but I had the opportunity recently in a penetration test of a web site that was running the popular Content Management System (CMS). In this blog post I mention some of the tools I used to check the security of a particular Joomla installation and comment upon their effectiveness. Depending on your source, Joomla is within the top five contenders for the most popular CMS. Alternatives include WordPress, Drupal and others. CMS frameworks have...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/quick-joomla-refresher.html
*** Not quite the average exploit kit: Zuponcic ***
---------------------------------------------
This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit kit and the Ponmocup botnet. It seems that the defacto standard of exploit kits is getting competition. Understanding how this exploit kit works will give you a better chance of defending against it and for identifying the .htaccess compromise on your server.
---------------------------------------------
http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponci…
*** Nach BKA-Einsatz: ZeroAccess-Botnetz streicht die Segel ***
---------------------------------------------
Die Drahtzieher hinter dem ZeroAccess-Botnetz schwenken die virtuelle weiße Fahne. Nach weiteren Aktionen der Strafverfolgungsbehörden haben sie das Bot hüten anscheinend vorerst aufgegeben.
---------------------------------------------
http://www.heise.de/security/meldung/Nach-BKA-Einsatz-ZeroAccess-Botnetz-st…
*** Digitale Forensik: Ungelöste Probleme bei Beweissicherung digitaler Artefakte ***
---------------------------------------------
Etliche Probleme der Beweissicherung digitaler Artefakte sind noch längst nicht gelöst, zeigte sich auf dem Workshop Forensik und Internetkriminalität. Dazu lieferte das BSI ein Lagebild, das von einem ungebrochenen Anstieg der Netzkriminalität ausgeht.
---------------------------------------------
http://www.heise.de/security/meldung/Digitale-Forensik-Ungeloeste-Probleme-…
*** BitTorrent stellt Peer-to-Peer-Chat-System vor ***
---------------------------------------------
Als Antwort auf die flächendeckende NSA-Schnüffelei hat BitTorrent ein Chat-System entwickelt, das ohne zentralen Server auskommt und anonyme, verschlüsselte Kommunikation ermöglicht.
---------------------------------------------
http://www.heise.de/security/meldung/BitTorrent-stellt-Peer-to-Peer-Chat-Sy…
*** Erneute Lücke in OpenX wird aktiv ausgenutzt ***
---------------------------------------------
Kritische Sicherheitslücken in der aktuellen Version der Anzeigen-Server-Software OpenX und in dessen Fork Revive werden genutzt, um Schad-Software zu verteilen. Das CERT-Bund benachrichtigt täglich mehrere betroffene Server-Betreiber.
---------------------------------------------
http://www.heise.de/security/meldung/Erneute-Luecke-in-OpenX-wird-aktiv-aus…
*** Viren-Statistiken: Rückblick finster, Ausblick noch finsterer ***
---------------------------------------------
Das Jahr 2014 hält für Smartphone-Benutzer besonders viele digitale Angriffe bereit, sagen Antivirenhersteller nach Auswertung ihrer Statistiken.
---------------------------------------------
http://www.heise.de/security/meldung/Viren-Statistiken-Rueckblick-finster-A…
*** RSA Archer eGRC Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029523
*** WordPress URL Redirector Abuse and XSS vulnerabilities ***
---------------------------------------------
Topic: WordPress URL Redirector Abuse and XSS vulnerabilities Risk: Low Text:Hello list! As Ive announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordP...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120142
*** Google Picasa RAW Image Parsing Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55555
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56146
*** Hitachi Cosminexus Products XML External Entities Information Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56142
*** IBM Security Access Manager for Enterprise Single Sign-On Security Issue and Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56176
*** Revive Adserver "what" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55963
*** Apache Santuario DTD Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029524
*** Apple Motion Memory Access Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029521
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-12-2013 18:00 − Donnerstag 19-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** IBM HTTP Server GSKit SSLv2 Session Resuming Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/56058
*** Tor use best practices ***
---------------------------------------------
To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
---------------------------------------------
http://digital-era.net/tor-use-best-practices/
*** New DDoS Bot Has a Fancy For Ferrets ***
---------------------------------------------
Researchers at Arbor Networks have discovered a new denial of service botnet called Trojan.Ferret.
---------------------------------------------
http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226
*** WordPress S3 Video Plugin "base" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input passed to the "base" GET parameter in wp-content/plugins/s3-video/views/video-management/preview_video.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 0.96 and reported in versions prior to 0.983.
---------------------------------------------
https://secunia.com/advisories/56167
*** IrfanView GIF buffer overflow ***
---------------------------------------------
IrfanView is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing the LZW code stream within GIF files. By persuading a victim to open a specially-crafted GIF file containing an overly long LZW code stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89820
*** NovaTech Orion DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the NovaTech Orion Substation Automation Platform. NovaTech has produced a firmware update that mitigates this vulnerability. The researchers have tested the firmware update to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-352-01
*** IBM iNotes email message active content cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting, caused by improper validation of active content within an email message. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86594
*** IBM iNotes ultra-light mode persistent cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting in the ultra-light mode, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject and execute malicious script in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86595
*** SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware ***
---------------------------------------------
SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-098Project: Ubercart (third-party module)Version: 6.x, 7.xDate: 2013-12-18Security risk: Less criticalExploitable from: RemoteVulnerability: Session FixationDescriptionThe Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.The module doesnt sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout.This vulnerability is mitigated by the fact that
---------------------------------------------
https://drupal.org/node/2158651
*** Researchers propose international vulnerability purchase plan ***
---------------------------------------------
In a bid to cut down on costs and eliminate potential misuse, NSS Labs has put forth an initiative imploring vendors to purchase vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/I9nD_zWQzsI/
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
A vulnerability was reported in cURL. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
The software does not properly verify the certificate CN or SAN name field in certain cases. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
Systems that use GnuTLS as the TLS backend are affected.
Systems with digital signature verification (CURLOPT_SSL_VERIFYPEER) disabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029517
*** OpenJPEG Heap Overflows Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in OpenJPEG. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted image file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2013-6045, CVE-2013-6054]. The code will run with the privileges of the target user.
A remote user can create a specially crafted image file that, when loaded by the target user, will cause the application that uses openJPEG to crash [CVE-2013-1447, CVE-2013-6052].
---------------------------------------------
http://www.securitytracker.com/id/1029514
*** Splunk Enterprise Data Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Splunk Enterprise. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target server to become unavailable.
Systems configured as data 'receivers' on the listening or receiving port(s) are affected, including instances configured as indexers and forwarders configured as intermediate forwarders.
---------------------------------------------
http://www.securitytracker.com/id/1029519
*** Blog: Malware in metadata ***
---------------------------------------------
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how
---------------------------------------------
http://www.securelist.com/en/blog/208214192/Malware_in_metadata
*** Factsheet Stop using Windows XP ***
---------------------------------------------
Microsoft will stop issuing Windows XP updates as of 8 April 2014. The operating system will receive the end-of-life status. The NCSC advises, together with DefCERT, Microsoft and Team High Tech Crime, to no longer use Windows XP, but to switch to another operating system.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** Cisco Unified Communications Manager Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the disaster recovery system (DRS) of Cisco Unified Communications Manager (UCM) could allow an authenticated, remote attacker to acquire sensitive information about DRS-related devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** [Announce] [security fix] GnuPG 1.4.16 released ***
---------------------------------------------
Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. [...] Whats New =========== * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See . [CVE-2013-4576]
---------------------------------------------
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
*** Acoustic Cryptanalysis ***
---------------------------------------------
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPGs current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html
*** Apache XML Security Transforms Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache XML Security, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
The vulnerability is caused due to an error when applying Transforms and can be exploited to exhaust memory resources and cause a crash.
The vulnerability is reported in versions prior to 1.5.6.
---------------------------------------------
https://secunia.com/advisories/55639
*** TRENDnet Multiple Products Telnet Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple TRENDnet products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a certain undocumented functionality, which can be exploited to enable telnet management and subsequently manipulate device configuration.
---------------------------------------------
https://secunia.com/advisories/55890
*** Icinga Off-By-One and Buffer Overflow Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Icinga, which can be exploited by malicious users to potentially cause a DoS (Denial of Service) and compromise a vulnerable system.
1) Some boundary errors within the web interface when processing CGI parameters can be exploited to cause stack-based buffer overflows.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
2) An off-by-one error within the "process_cgivars()" function can be exploited to cause an out of bounds read memory access.
The vulnerabilities are reported in versions prior to 1.10.2, 1.9.4, and 1.8.5.
---------------------------------------------
https://secunia.com/advisories/55987
*** Icinga Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Icinga, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
The vulnerability is reported in version 1.10.2. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55990
*** A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools ***
---------------------------------------------
The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally who promptly adapted to its sky rocketing valuation by releasing commercially available stealth Bitcoin miners, Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/nKXPdGwlKk4/
*** IBM Domino / iNotes Script Insertion and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Domino and IBM iNotes, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56164
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-12-2013 18:00 − Mittwoch 18-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) ***
---------------------------------------------
In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing demanded cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for...
---------------------------------------------
http://www.webroot.com/blog/2013/12/17/cybercriminals-offer-fellow-cybercri…
*** Apple stopft Lücken in WebKit und Safari ***
---------------------------------------------
Mit den Safari-Versionen 6.1.1 und 7.0.1 behebt Apple einige Speicherverwaltungsfehler in WebKit, die zur Ausführung von Schadcode über das Internet missbraucht werden können.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-stopft-Luecken-in-WebKit-und-Saf…
*** DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly ***
---------------------------------------------
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA...
---------------------------------------------
http://threatpost.com/dga-changer-malware-able-to-modify-domain-generation-…
*** The Biggest Skimmers of All: Fake ATMs ***
---------------------------------------------
This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-biggest-skimmers-of-all-fake-atms/
*** A quick look at a (new?) cross-platform DDoS botnet ***
---------------------------------------------
At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware...
---------------------------------------------
https://www.cert.pl/news/7849/langswitch_lang/en
*** [SECURITY] [DSA 2821-1] gnupg security update ***
---------------------------------------------
http://lists.debian.org/debian-security-announce/2013/msg00235.html
*** Cisco ONS 15454 Transport Node Controller Denial of Service Vulnerability ***
---------------------------------------------
An issue in the tNetTaskLimit process of the Cisco ONS 15454 Transport Node Controller (TNC) could allow an unauthenticated, remote attacker to cause the TNC to reload due to a watchdog timeout.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: Multiple vulnerabilities in IBM SPSS Collaboration and Deployment Services ***
---------------------------------------------
Multiple vulnerabilities exist in IBM SPSS Collaboration and Deployment Services. See the individual descriptions for details.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21660191
*** IBM Scale Out Network Attached Storage (SONAS) Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Scale Out Network Attached Storage, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/56095
*** Security Bulletin: GSKit SSL negotiation vulnerability in Tivoli Access Manager for e-business (CVE-2013-6329) ***
---------------------------------------------
A vulnerability has been identified in the GSKit component utilized by Tivoli Access Manager for e-business (TAM). A specially crafted SSL message can cause the TAM server component using GSKit to crash CVE(s): CVE-2013-6329 Affected product(s) and affected version(s): All supported Tivoli Access Manager for e-business versions are affected.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_gsk…
*** RealOne RMP File Heap Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029511
*** Vuln: Juvia Ruby on Rails secret_token.rb Default Secret Key Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64368
*** Vuln: ownCloud Admin Page Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63926
*** Zimbra Collaboration Server Unspecified Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56138
*** Python Hash Collision Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55955
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-12-2013 18:00 − Dienstag 17-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/16/rapid7-we…
*** Three Books You Too Should Read This Year (Or Early 2014) ***
---------------------------------------------
For the holiday season, The Grumpy Reader fishes out a selecton of recent books you should read even if you think youre too busy.Im sure youve had that feeling too: There are times when theres too much coming your way when youre already busy, so some things just fall by the wayside for too long. In my case the victims of my unpredictable schedule were books that publishers sent me for review in one form or the other, and those reviews just never got written as I wanted to in between other...
---------------------------------------------
http://bsdly.blogspot.com/2013/12/three-books-you-too-should-read-this.html
*** How hackers made minced meat of Department of Engergy networks ***
---------------------------------------------
Hint: Some critical security patches not installed for years.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/HKg_RoYby0g/story01…
*** Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we're publishing the December 2013 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (MS13-096), Security Advisory 2915720 and Security Advisory 2905247. We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predications for 2014. Topics from ransomware to regulation are covered by seven of Trustworthy Computing's top...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/16/predictions-for-2014-and…
*** Dissection of Zertsecurity - Banking Trojan. ***
---------------------------------------------
Zertsecurity is a well known banking Trojan based on phishing schemes targeting German Android users. Lets see how it works. After installing the application, it prompts the user for account and PIN numbers. The application takes the values of the account and PIN numbers via input boxes and saves them to the cfg.txt file. It then sends this file to a remote command and control (C&C)...
---------------------------------------------
http://research.zscaler.com/2013/12/dissection-of-zertsecurity-banking.html
*** The Case for a Compulsory Bug Bounty ***
---------------------------------------------
Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their...
---------------------------------------------
http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/
*** Big Data in Security ***
---------------------------------------------
Cisco's TRAC team about Big Data security challenges, tools and methodologies.
---------------------------------------------
http://blogs.cisco.com/security/big-data-in-security-part-i-trac-tools/http://blogs.cisco.com/security/big-data-in-security-part-ii-the-amplab-sta…http://blogs.cisco.com/security/big-data-in-security-part-iii-graph-analyti…http://blogs.cisco.com/security/big-data-in-security-part-iv-email-auto-rul…http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-i…
*** Hintergrund: iOS-Verschlüsselung durchleuchtet ***
---------------------------------------------
Neben der Hardware-Verschlüsselung bietet iOS noch eine optionale Datei-Verschlüsselung. Bei iOS 7 hat Apple deren Einsatz für Apps automatisiert. Allerdings genehmigt sich Apple selbst großzügige Ausnahmen für eigene Anwendungen.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Verschluesselung-durchleuchtet-206…
*** Android anti-virus apps CANT kill nasties on sight like normal AV - and thats Googles fault ***
---------------------------------------------
Bad news if youre not a tech-savvy fandroid Android users expecting Windows levels of performance from Android-specific anti-virus packages are likely to be disappointed because only Google can automatically delete dodgy apps on Android devices, say malware experts.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/17/android_ant…
*** Apple security updates Mac OS X and Safari, (Tue, Dec 17th) ***
---------------------------------------------
Apple have released the following security advisories and updates for Mac OS X and Safari. OS X Mavericks v10.9.1 and APPLE-SA-2013-12-16-1 Safari 6.1.1 and Safari 7.0.1. More information will be available from their web site: http://support.apple.com/kb/HT1222
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17234
*** Blog: ChewBacca - a new episode of Tor-based Malware ***
---------------------------------------------
We have discovered a new Tor-based malware, named "ChewBacca" and detected as "Trojan.Win32.Fsysna.fej". Adding Tor to malware is not unique to this sample, but it's still a rare feature. Lately Tor has become more attractive as a service to ensure users' anonymity. Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.
---------------------------------------------
http://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_…
*** Trojan.Skimer.18 infects ATMs ***
---------------------------------------------
December 16, 2013 Russian anti-virus company Doctor Web is warning users about the Trojan program Trojan.Skimer.18. The criminals behind this malware are targeting ATMs of one of the worlds largest manufacturers. The Trojan can intercept and transmit bank card information processed by ATMs as well as data stored on the card and its PIN code. Trojan.Skimer.18 is by no means the first backdoor to infect ATM software, but it is the first to target devices so common throughout the world. The
---------------------------------------------
http://news.drweb.com/show/?i=4167&lng=en&c=9
*** Cisco EPC3925 cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89713
*** Bugtraq: [security bulletin] HPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530357
*** Asterisk Dialplan Functions Let Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029500
*** Asterisk SMS Message Buffer Overflow Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029499
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-12-2013 18:00 − Montag 16-12-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Bitcoin Mining Operation Seen Across Numerous Malware Families ***
---------------------------------------------
The talent over at Malwarebytes broke a story this week regarding Fake Flash Player phishing attempts dropping malicious content onto victim machines for the purpose of mining Bitcoins. The threat tricks users into thinking that they are downloading a new version of Flash Player. In actuality, the threat drops a few malicious executables (stored in "[username]/AppData/Roaming/Data"), called...
---------------------------------------------
http://research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.ht…
*** IETF To Change TLS Implementation In Applications ***
---------------------------------------------
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5p7fpD5WwtY/story01.htm
*** Predictions for 2014 ***
---------------------------------------------
2014 is less than one month away, what better time to ask ourselves about the top security trends to watch for in the coming year. Malware Creation: OK, this won't sound too original but it is a safe bet to say that malware creation will hit a new record high in 2014. Actually, such was...
---------------------------------------------
http://pandalabs.pandasecurity.com/predictions-for-2014/
*** Botnet Enlists Firefox Users to Hack Web Sites ***
---------------------------------------------
An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware, an investigation by KrebsOnSecurity has discovered.
---------------------------------------------
http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web…
*** Cybercriminals Using Targeted Attack Methodologies (Part 1) ***
---------------------------------------------
One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks. Let's see why cybercriminals are taking a closer look at these techniques, and how this can...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CY7n7WI2qUY/
*** Attacking Online Poker Players ***
---------------------------------------------
This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, whats the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/attacking_onlin.html
*** P2P-Botnetz ZeroAccess kaum tot zu kriegen ***
---------------------------------------------
Die gemeinsame Aktion von Microsoft, dem FBI und Europol, die zum Ziel hatte, das Klickbetrug-Botnetz ZeroAccess lahmzulegen schoss wohl größtenteils am Ziel vorbei. Das Botnetz scheint nach wie vor quicklebendig.
---------------------------------------------
http://www.heise.de/security/meldung/P2P-Botnetz-ZeroAccess-kaum-tot-zu-kri…
*** Bogus Antivirus Program Uses a Dozen Stolen Signing Certificates ***
---------------------------------------------
A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday. The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."
---------------------------------------------
http://www.cio.com/article/744689/Bogus_Antivirus_Program_Uses_a_Dozen_Stol…
*** Old Apple Safaris leave IDs and passwords for scavengers to peck ***
---------------------------------------------
... the problem derives from Safaris retention of browser history as applied in the "Reopen All Windows from Last Session" feature that enables users to quickly revisit the sites they opened during a previous Safari session. Sadly, however, Kaspersky has found that the document Safari creates to allow such restoration is in plaintext and contains user IDs and passwords. The file is hidden, but isnt hard to find once you know what you are looking for.
---------------------------------------------
http://www.theregister.co.uk/2013/12/16/kaspersky_says_old_apple_safaris_ex…
*** Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part three ***
---------------------------------------------
In a series of blog posts throughout 2013, we emphasized on the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal's botnet generating platform. The proliferation of these easy to use, once only found in the arsenal of tools of the
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/16/newly-launched-http-based-botne…
*** Siemens COMOS Privilege Escalation ***
---------------------------------------------
Siemens notified NCCIC/ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. An update has been produced by Siemens and is available to resolve the vulnerability.The client application used for accessing the database system might allow authenticated Windows users to elevate their rights in regard to the database access over the COMOS graphical user interface
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-347-01
*** Cisco WebEx Training Center open redirect ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89686
*** WordPress Broken Link Checker Plugin Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56053
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 1 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87293
*** IBM Rational Focal Point Webservice Axis Gateway information disclosure 2 ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87294
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-12-2013 18:00 − Freitag 13-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Android 4.4.2 Update Fixes Flash SMS DoS Vulnerability ***
---------------------------------------------
Google has patched a previously disclosed issue in its Nexus line of phones that could have opened a user up to a nasty series of SMS-based denial of service attacks.
---------------------------------------------
http://threatpost.com/android-4-4-2-update-fixes-flash-sms-dos-vulnerabilit…
*** Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools ***
---------------------------------------------
Next to the ubiquitous for the cybercrime ecosystem, traffic acquisition tactics such as, blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns.
---------------------------------------------
http://www.webroot.com/blog/blog/2013/12/12/tumblr-fire-diy-captcha-solving…
*** Bitcoin-Related Malware Continues to Flourish ***
---------------------------------------------
One good way to measure the popularity of an emerging technology or trend is to see how much attention attackers and malware authors are paying it. Using that as a yardstick, Bitcoin is moving its way up the charts in a hurry. The latest indication is some malware that researchers at Arbor Networks identified that ...
---------------------------------------------
http://threatpost.com/bitcoin-related-malware-continues-to-flourish/103177
*** WordPress OptimizePress Theme - File Upload Vulnerability ***
---------------------------------------------
We´re a few days short on this, but it´s still worth releasing as the number of attacks against this vulnerability are increasing ten-fold.
The folks at OSIRT were the first to report this in late November, 2013. In our cases we´re seeing mostly defacement attacks, and although not devastating, they can be a big nuisance for an unsuspecting website owner.
---------------------------------------------
http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vu…
*** Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP ***
---------------------------------------------
Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/12/weekly-me…
*** VU#586958: SketchUp Viewer buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#586958 SketchUp Viewer buffer overflow vulnerability Original Release date: 12 Dec 2013 | Last revised: 12 Dec 2013 Overview SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file. Description CWE-121: Stack-based Buffer Overflow - CVE-2013-6038SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker
---------------------------------------------
http://www.kb.cert.org/vuls/id/586958
*** Cooper Power Systems Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Cooper Power Systems SMP Gateway DNP3 protocol components. Cooper Power Systems has produced a new firmware version that mitigates this vulnerability. The researchers have tested the new firmware version to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-346-01
*** Dear Gmailer: I know what you read last summer (and last night and today) ***
---------------------------------------------
How Gmails image tweak is a boon to marketers, stalkers, and debt collectors.
---------------------------------------------
http://arstechnica.com/security/2013/12/dear-gmailer-i-know-what-you-read-l…
*** Report: Bot traffic is up to 61.5% of all website traffic ***
---------------------------------------------
Last March we published a study that showed the majority of website traffic (51%) was generated by non-human entities, 60% of which were clearly malicious. As we soon learned, these facts came as a surprise to many Internet users, for whom they served as a rare glimpse of 'in between the lines' of Google Analytics.
---------------------------------------------
http://www.incapsula.com/the-incapsula-blog/item/820-bot-traffic-report-2013
*** Five Deadly Security Venoms - Youre Still Doing it Wrong ***
---------------------------------------------
With all the hype and hooplah surrounding the US governments tapping of everything under the sun, I have seen an influx of articles related to security. "This is how you encrypt!", "this is how you secure!", "this is how... Youre doing it wrong."
---------------------------------------------
http://infiltrated.net/index.php?option=com_content&view=article&id=61
*** Tech Pick of the Week: Log anomaly detection tools ***
---------------------------------------------
An important part of creating successful digital services is the ability to monitor system´s health and to respond to exceptional situations in a timely fashion. Log files contain information that a maintainer needs in figuring out causes for application failures or unexpected behavior.
---------------------------------------------
http://blog.futurice.com/tech-pick-of-the-week-log-anomaly-detection-tools
*** New Gmail image server proxies raise security risks ***
---------------------------------------------
A new Gmail policy that allows e-mailed image attachments to load automatically comes at a price, say two security researchers. Google announced on Thursday that Gmail would once again load attached images by default. The feature had been disabled years ago, as a way of clamping down on malware and phishing attacks.
---------------------------------------------
http://news.cnet.com/8301-1009_3-57615502-83/new-gmail-image-server-proxies…
*** Top 8 breaches in 2013 ***
---------------------------------------------
>From the headline-grabbing Adobe breach to LivingSocials password debacle, here are the top 8 breaches that have occurred this year and created even more security awareness.
---------------------------------------------
http://www.scmagazine.com/top-8-breaches-in-2013/slideshow/1673/
*** Hacked Via RDP: Really Dumb Passwords ***
---------------------------------------------
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Todays post examines an underground service which rents access to hacked PCs at organizations that make this all-too-common mistake.
---------------------------------------------
http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/
*** Safari Stores Previous Secure Browsing Session Data Unencrypted ***
---------------------------------------------
The Safari browser stores data from previous sessions in an unencrypted format on a hidden folder that leaves users vulnerable to information loss.
---------------------------------------------
http://threatpost.com/safari-stores-previous-secure-browsing-session-data-u…
*** Debian update for php5 ***
---------------------------------------------
https://secunia.com/advisories/55918
*** Cisco Unified Communications Manager - TFTP Service ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120093
*** libvirt Bugs Let Remote and Local Users Deny Service and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029444
*** Ruby Gem Webbynode 1.0.5.3 Command injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120095
*** Vuln: Monitorix HTTP Server handle_request() Remote Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/64178
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-12-2013 18:00 − Donnerstag 12-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS ***
---------------------------------------------
With social media, now an inseparable part of the marketing expenditures for every modern organization, cybercriminals quickly adapted to the ongoing buzz, and over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays.
---------------------------------------------
http://www.webroot.com/blog/2013/12/11/cybercriminals-efficiently-violate-m…
*** Inside the TextSecure, CyanogenMod Integration ***
---------------------------------------------
Moxie Marlinspike explains how Open WhisperSystems plans to bring end-to-end encrypted secure communications to major platforms such as Android, iOS and popular Web browsers.
---------------------------------------------
http://threatpost.com/inside-the-textsecure-cyanogenmod-integration/103164
*** The Kernel is calling a zero(day) pointer - CVE-2013-5065 - Ring Ring ***
---------------------------------------------
SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file which had two different vulnerabilities, a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in Windows Kernel.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-…
*** Software defense: mitigating common exploitation techniques ***
---------------------------------------------
In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigati…
*** Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs ***
---------------------------------------------
This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke…
*** Blog: Forecasts for 2014 - expert opinion ***
---------------------------------------------
In 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage, with cyber-mercenaries/cyber-detectives playing an active role in such attacks.
---------------------------------------------
http://www.securelist.com/en/blog/8167/Forecasts_for_2014_expert_opinion
Tausende Online-Shops auf Basis von xt:Commerce akut bedroht
---------------------------------------------
Die Shop-Software xt:Commerce 3 und deren Ableger wie Gambio und Modified enthalten zwei Fehler, die es in Kombination erlauben, Shops komplett zu übernehmen. Ersten groben Schätzungen zufolge wird die Software ungefähr 50.000 Shops eingesetzt. Zum Glück gibt es Workarounds und Patches, um sich zu schützen.
---------------------------------------------
http://www.heise.de/security/meldung/Tausende-Online-Shops-auf-Basis-von-xt…
*** D-Link DSL-6740U Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55999
*** InstantCMS "orderby" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56041
*** PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56055
*** Adobe ColdFusion 9/10 Administrative Login Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120084
*** Vtiger 5.4.0 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120088
*** Plone Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56015
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-12-2013 18:00 − Mittwoch 11-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Summary for December 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2013.
With the release of the security bulletins for December 2013, this bulletin summary replaces the bulletin advance notification originally issued December 5, 2013.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
*** Rotbrow: the Sefnit distributor ***
---------------------------------------------
This months addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/10/rotbrow-the-sefnit-distr…
*** Firefox 26 Makes Java Plugins Click-to-Play, Fixes 14 Security Flaws ***
---------------------------------------------
Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play be default. This feature prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks. The modification to […]
---------------------------------------------
http://threatpost.com/firefox-26-makes-java-plugins-click-to-play-fixes-14-…
*** DSA-2815 munin ***
---------------------------------------------
Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework.
---------------------------------------------
http://www.debian.org/security/2013/dsa-2815
*** Zero-Day Fixes From Adobe, Microsoft ***
---------------------------------------------
Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing addressing at least two dozen flaws in Windows and other software.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/gWnv_MqLeM4/
*** WordPress 3.7.1 Maintenance Release ***
---------------------------------------------
WordPress 3.7.1 is now available! This maintenance release addresses 11 bugs in WordPress 3.7
---------------------------------------------
http://wordpress.org/news/2013/10/wordpress-3-7-1/
*** Adobe Shockwave Player Two Memory Corruption Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user's system.
1) An unspecified error can be exploited to cause memory corruption.
2) Another unspecified error can be exploited to cause memory corruption.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/55952
*** Thought your Android phone was locked? THINK AGAIN ***
---------------------------------------------
Another day, another vulnerability Android has taken another step to cement its place behind Java in the world of repeatedly-vulnerable software, with German group Curesec discovering that an attacker can get past users PINs to unlock the phone.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/12/10/android_has…
*** ENISA lists top cyber-threats in this year’s Threat Landscape Report. ***
---------------------------------------------
The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. Questions addressed are: What are the top cyber-threats of 2013? Who are the adversaries? What are the important cyber-threat trends in the digital ecosystem?
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-lists-top-cyber-threa…
*** HP Officejet Pro 8500 Printer Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in the HP Officejet Pro 8500 Printer. A remote user can conduct cross-site scripting attacks.
The printer interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the HP Printer interface and will run in the security context of that site...
---------------------------------------------
http://www.securitytracker.com/id/1029466
*** A New Vulnerability in the Android Framework: Fragment Injection ***
---------------------------------------------
We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, DropBox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable.
---------------------------------------------
http://securityintelligence.com/new-vulnerability-android-framework-fragmen…
*** TYPO3-FLOW-SA-2013-001: Cross-Site Scripting in TYPO3 Flow ***
---------------------------------------------
Problem Description: The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them. Because these error messages can contain user input, this could lead to a Cross-Site Scripting vulnerability in Flow driven applications.
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-flow/typo3-flow-sa…
*** Creepware - Who’s Watching You? ***
---------------------------------------------
Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer or people being blackmailed using embarrassing or incriminating video footage unknowingly recorded from compromised webcams...
---------------------------------------------
http://www.symantec.com/connect/blogs/creepware-who-s-watching-you
*** Blog: The inevitable move - 64-bit ZeuS has come enhanced with Tor ***
---------------------------------------------
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious
---------------------------------------------
http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS…
*** TYPO3 Multiple Vulnerabilities ***
---------------------------------------------
A weakness and multiple vulnerabilities have been reported in TYPO3, which can be exploited by malicious users to disclose sensitive information, conduct script insertion attacks, manipulate certain data, and bypass certain security restrictions and by malicious people to conduct cross-site scripting and spoofing attacks.
---------------------------------------------
https://secunia.com/advisories/55958
*** SAProuter Authentication Bypass Security Bypass Vulnerability ***
---------------------------------------------
ERPScan has reported a vulnerability in SAProuter, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to the application not properly restricting access to certain functionalities, which can be exploited to e.g. manipulate the configuration.
---------------------------------------------
https://secunia.com/advisories/56060
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-12-2013 18:00 − Dienstag 10-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** French Government Spoofs Google Certificate ***
---------------------------------------------
Google revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to ANSSI, Frances cyber-defense agency.
---------------------------------------------
http://threatpost.com/french-government-spoofs-google-certificate/103128
*** How We Decoded Some Nasty Multi-Level Encoded Malware ***
---------------------------------------------
>From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases. Recently, I crossed pathes with this little gem: That snippet is encoded malicious content.
---------------------------------------------
http://blog.sucuri.net/2013/12/how-we-decoded-some-nasty-multi-level-encode…
*** Microsoft Security Advisory (2916652): Improperly Issued Digital Certificates Could Allow Spoofing - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2916652
*** Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running ***
---------------------------------------------
Microsofts takedown of the ZeroAccess botnet wasnt a complete success. Experts point out that Microsoft targeted only the money-making aspects of the botnet, and that its communication protocol was untouched.
---------------------------------------------
http://threatpost.com/untouched-p2p-communication-infrastructure-keeps-zero…
*** The Curious Case of the Malicious IIS Module ***
---------------------------------------------
Recently, we´ve seen a few instances of a malicious DLL that is installed as an IIS module making its rounds in forensic cases. This module is of particular concern as it is currently undetectable by almost all anti-virus products. The malware is used by attackers to target sensitive information in POST requests, and has mechanisms in place for data exfiltration.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-mo…
*** CyanogenMod to have built in text message encryption system ***
---------------------------------------------
People are now more concerned regarding their privacy after discovering about efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, just like the name of the method, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with built in encryption system for text messages.
---------------------------------------------
http://www.muktware.com/2013/12/cyanogenmod-built-text-message-encryption-s…
*** Phantom menace? A guide to APTs - and why most of us have little to fear from these 'cyberweapons' ***
---------------------------------------------
APTs - or Advanced Persistent Threats - are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.
---------------------------------------------
http://www.welivesecurity.com/2013/12/09/phantom-menace-a-guide-to-apts-and…
*** New security features added to Microsoft accounts ***
---------------------------------------------
We´re excited to announce that over the next couple of days we´re rolling out a few new capabilities - based on your ongoing feedback - that give you more visibility and control of your Microsoft account.
---------------------------------------------
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-f…
*** Analysis: Kaspersky Security Bulletin 2013. Overall statistics for 2013 ***
---------------------------------------------
This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network. KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab´s most important innovations.
---------------------------------------------
http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin…
*** November 2013 virus activity review from Doctor Web ***
---------------------------------------------
December 2, 2013 Virus analysts at the Russian anti-virus company Doctor Web discovered and examined quite a variety of information security threats in November 2013. In particular, a Trojan targeting SAP business software and malware that generates fake search results on Windows machines were added to the Dr.Web virus database at the beginning of the month.
---------------------------------------------
http://news.drweb.com/show/?i=4122&lng=en&c=9
*** DSA-2812 samba ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2812
*** RSA Security Analytics Core Can Be Accessed By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029446
*** pam_userdb password hashes arent compared case-sensitive ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120069
*** TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS ***
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa…
*** McAfee Email Gateway 7.6 multiple vulnerabilities ***
---------------------------------------------
http://seclists.org/fulldisclosure/2013/Dec/18
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 06-12-2013 18:00 − Montag 09-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** RuggedCom ROS Multiple Vulnerabilities ***
---------------------------------------------
Siemens has reported to NCCIC/ICS-CERT multiple vulnerabilities in the RuggedCom Rugged OS (ROS). Siemens has produced a firmware update that mitigates these vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to hijack an active Web session and access administrative functions on the devices without proper authorization. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-340-01
*** The Biggest Security Stories of 2013 ***
---------------------------------------------
As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
---------------------------------------------
http://threatpost.com/the-biggest-security-stories-of-2013/103125
*** Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt ***
---------------------------------------------
Just dont bork our crim-busting honeypots again Microsoft has teamed up with the FBI to launch a renewed attempt to disrupt the operations of the infamous ZeroAccess botnet.
---------------------------------------------
http://www.theregister.co.uk/2013/12/06/zeroaccess_zombienet_takedown/
*** FAQ: Pony Malware Payload Discovery ***
---------------------------------------------
Our team´s discovery of the spoils of yet another instance of Pony 1.9 has kept us busy the past couple of days. We´ve enjoyed explaining our discovery to journalists and trying our best to answer the questions that arise over social networks and email with each publication of a story. A lot of those questions tend to be similar.
---------------------------------------------
http://blog.spiderlabs.com/2013/12/faq-pony-malware-payload-discovery.html
*** 2014 Predictions: Blurring Boundaries ***
---------------------------------------------
The past year has been an interesting one in the world of cyber security. Mobile malware has become a large-scale threat, government surveillance has users asking "does privacy still exist?", cybercrime continues to steal money from individuals and businesses, and new targets for hackers like AIS and SCADA have been identified. 2013 was many things, but boring was not one of them.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/2014-predictions…
*** The state of targeted attacks ***
---------------------------------------------
Trusteer announced the results of a recent study on the State of Targeted Attacks, which took into consideration the feedback from over 750 IT and IT security practitioners who have involvement in defensive efforts against APTs launched at their organisations.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16059
*** Android-Apps: Sicherheitslücke durch fehlerhafte SSL-Prüfung ***
---------------------------------------------
Das Fraunhofer-Institut für Sichere Informationstechnologie hat mehrere Android-Apps ausfindig gemacht, bei denen die fehlerhafte Prüfung des SSL-Zertifikats den Zugriff auf Zugangsdaten möglich macht. Nur etwa die Hälfte aller kontaktierten Hersteller hat die Sicherheitslücke bisher geschlossen.
---------------------------------------------
http://www.golem.de/news/android-apps-sicherheitsluecke-durch-fehlerhafte-s…
*** The world´s most dangerous mobile phone spying app just moved into the tablet and iPad market ***
---------------------------------------------
The evolution of GPS and the smart-phone market has spawned a macabre industry of surveillance apps designed to be covertly installed onto the cellphones of vulnerable employees, business associates, partners and children.
---------------------------------------------
http://www.privacysurgeon.org/blog/incision/the-worlds-most-dangerous-mobil…
*** Bypassing Windows AppLocker using a Time of Check Time of Use vulnerability ***
---------------------------------------------
Windows AppLocker is Microsoft´s replacement to Software Restriction Policies in Windows 7, Windows 8, Server 2008 and Server 2012. Windows AppLocker has been promoted by several government agencies such as the National Security Agency and the New Zealand National Cyber Security Center as an effective mechanism to combat the execution of unauthorized code on modern Microsoft Windows based systems.
---------------------------------------------
http://www.nccgroup.com/media/495634/2013-12-04_-_ncc_-_technical_paper_-_b…
*** Automater - IP URL and MD5 OSINT Analysis ***
---------------------------------------------
Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.
---------------------------------------------
http://www.tekdefense.com/automater/
*** Drei GIMP-Lücken auf einen Streich ***
---------------------------------------------
Das Sicherheits-Team von Red Hat hat drei Speicherverwaltungsprobleme in der Bildverarbeitungssoftware GIMP gefunden und beseitigt, die dazu ausgenutzt werden könnten, dem Benutzer Schadcode unterzuschieben.
---------------------------------------------
http://www.heise.de/security/meldung/Drei-GIMP-Luecken-auf-einen-Streich-20…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits - part two ***
---------------------------------------------
Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally.
---------------------------------------------
http://www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-…
*** Putting malware in the picture ***
---------------------------------------------
Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.
---------------------------------------------
https://www.securelist.com/en/blog/8159/Putting_malware_in_the_picture
*** [webapps] - Zimbra 0day exploit / Privilegie escalation via LFI ***
---------------------------------------------
http://www.exploit-db.com/exploits/30085
*** D-Link DSR Router Remote Root Shell Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120055
*** WordPress DZS Video Gallery 3.1.3 Remote File Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120050
*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
http://www.securitytracker.com/id/1029434
*** Security Bulletin: Multiple Security vulnerability fix for IBM Tivoli Storage Manager Administration Center (CVE-2012-5081, CVE-2013-0169, CVE-2013-0443). ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Steinberg MyMp3PRO SEH buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89468
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 05-12-2013 18:00 − Freitag 06-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Advance Notification Service for December 2013 Security Bulletin Release ***
---------------------------------------------
Today we're providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. This release won't include an update for the issue described in Security Advisory 2914486. We're still working to develop a security...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-ser…
*** Google Docs Scam Stealing Passwords ***
---------------------------------------------
Scammers are up to mischief again by tricking users into clicking false webmail widgets. The core goal of any phishing attempt is to compromise the victims access to a particular service. Usually this is done by posing as the service the attacker wants to hijack from the victim, and sending the username and password information back to the attacker. Ive seen plenty phishing schemes in the
---------------------------------------------
http://research.zscaler.com/2013/12/google-docs-scam-stealing-passwords-in.…
*** Study finds zero-day vulnerabilities abound in popular software ***
---------------------------------------------
Organizations selling exploits for vulnerabilities in software from major companies including Microsoft, Apple, Oracle, and Adobe
---------------------------------------------
http://www.csoonline.com/article/744307/study-finds-zero-day-vulnerabilitie…
*** EU cyber security Agency ENISA argues that better protection of SCADA Systems is needed ***
---------------------------------------------
How long can we afford having critical infrastructures that use unpatched SCADA systems, the EU's cyber security Agency ENISA asks? ENISA argues that the EU Member States could proactively deploy patch management to enhance the security of SCADA systems.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/eu-cyber-security-agency-en…
*** Hacking a Reporter: Sleepless Nights Outside a Brooklyn Brownstone (Part 3 of 3) ***
---------------------------------------------
This post is the conclusion of a three-part series that goes into more depth about our experience hacking journalist Adam Penenberg, which resulted in an article on PandoDaily in October. Parts one and two detail the malware aspects of our hack with contributions from Josh Grunzweig, Matt Jakubowski and Daniel Chechik. I, Garret Picchioni (voted to be the bald hacker with a heart tattoo in the original article artwork), will discuss the details of the...
---------------------------------------------
http://blog.spiderlabs.com/2013/12/hacking-a-reporter-sleepless-nights-outs…
*** Weekly Metasploit Update: SAP and Silverlight ***
---------------------------------------------
We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/05/weekly-me…
*** CVE-2013-3346/5065 Technical Analysis ***
---------------------------------------------
In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465…
*** Security Bulletin: Multiple Security Vulnerabilities in IBM Sterling Control Center ***
---------------------------------------------
A number of security vulnerabilities have been discovered in the Java Runtime Environment and the Cognos Business Intelligence components included in IBM SCC.CVE(s): CVE-2013-1557, CVE-2013-1478, CVE-2013-1571, CVE-2013-1500, CVE-2013-2988, CVE-2013-2978 and CVE-2013-0586 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms Refer to the following reference URLs for remediation and additional vulnerability...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with the Rational Reporting for Development Intelligence (RRDI). The same security vulnerabilities also exist in the IBM Java SDK that is shipped with the IBM WebSphere Application Server (WAS). CVE(s): CVE-2013-4066 and CVE-2013-4067 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms Refer to the following reference URLs for...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Sonicwall GMS 7.x Filter Bypass ***
---------------------------------------------
Topic: Sonicwall GMS 7.x Filter Bypass Risk: Low Text:Document Title: Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability References (Source): == http...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120048
*** VMware ESX Server Service Console Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55917
*** SSA-568732 (Last Update 2013-12-06): Privilege Escalation in COMOS ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** WordPress JS Hotel Plugin "roomid" Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55919
*** NVIDIA Graphics Drivers GPU Access Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55904
*** HP-UX update for Java ***
---------------------------------------------
https://secunia.com/advisories/55978
*** IBM Forms Viewer XFDL buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87911
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 04-12-2013 18:00 − Donnerstag 05-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Phishing-Mail ködert WordPress-Admins ***
---------------------------------------------
Mit einer kostenlosen Version eines beliebten SEO-Plugins für WordPress versuchen Spammer, Administratoren zu ködern. Das Plugin entpuppt sich als Malware, dass eine Hintertür im Server öffnet und Besucher der Seite infiziert.
---------------------------------------------
http://www.heise.de/security/meldung/Phishing-Mail-koedert-WordPress-Admins…
*** In new campaign, Dexter point-of-sale malware strikes U.S. and abroad ***
---------------------------------------------
After recently impacting banks in South Africa, the malware is now infecting point-of-sale systems throughout the globe, including those in the U.S., a security firm found.
---------------------------------------------
http://www.scmagazine.com/in-new-campaign-dexter-point-of-sale-malware-stri…
*** Bugtraq: [PT-2013-63] Hash Length Extension in HTMLPurifier ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530142
*** SA-CONTRIB-2013-097 - OG Features - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-097
Project: OG Features (third-party module)Version: 6.x
Date: 2013-December-04Security risk: Not Critical
Exploitable from: Remote
Vulnerability: Access bypass
---------------------------------------------
https://drupal.org/node/2149791
*** Siemens SINAMICS S/G Authentication Bypass Vulnerability ***
---------------------------------------------
Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-338-01
*** Security Bulletins: Rational Insight and Rational Reporting for Development Intelligence - Oracle CPU June 2013 (CVE-2013-2407, CVE-2013-2450) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with Rational Insight and Rational Reporting for Development Intelligence.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…
*** IBM QRadar SIEM Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55895https://secunia.com/advisories/55891
*** Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection ***
---------------------------------------------
Topic: Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection Risk: High Text:Document Title: Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities References (Source): == http://ww...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120038
*** bugs in IJG jpeg6b & libjpeg-turbo ***
---------------------------------------------
jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
---------------------------------------------
http://www.securityfocus.com/archive/1/530137
*** IQ3 Series Trend LAN Controllers "ovrideStart" Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55827
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-12-2013 18:00 − Mittwoch 04-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Mitigating attacks on Industrial Control Systems (ICS); the new Guide from EU Agency ENISA ***
---------------------------------------------
The EU's cyber security agency ENISA has provided a new manual for better mitigating attacks on Industrial Control Systems (ICS), supporting vital industrial processes primarily in the area of critical information infrastructure (such as the energy and chemical transportation industries) where sufficient knowledge is often lacking. As ICS are now often connected to Internet platforms, extra security preparations have to be taken. This new guide provides the necessary key considerations...
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/mitigating-attacks-on-indus…
*** Elecsys Director Gateway Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation in the Elecsys Director Gateway application. Elecsys has produced a patch that mitigates this vulnerability. Adam Todorski has tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-337-01
*** Ruby on Rails Multiple Bugs Let Remote Users Deny Service, Conduct Cross-Site Scripting Attacks, and Generate Unsafe Queries ***
---------------------------------------------
Ruby on Rails Multiple Bugs Let Remote Users Deny Service, Conduct Cross-Site Scripting Attacks, and Generate Unsafe Queries
---------------------------------------------
http://www.securitytracker.com/id/1029420
*** Cisco ONS 15454 Controller Cards Can Be Reset By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029421
*** D-Link DIR Series Routers __show_info.php information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89343
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-12-2013 18:00 − Dienstag 03-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A Pentester's Introduction to SAP & ABAP ***
---------------------------------------------
If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/02/a-pentest…
*** Analysis: Kaspersky Security Bulletin 2013. Malware Evolution ***
---------------------------------------------
Once again, it’s time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let’s start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
---------------------------------------------
http://www.securelist.com/en/analysis/204792316/Kaspersky_Security_Bulletin…
*** How does the NSA break SSL? ***
---------------------------------------------
A few weeks ago I wrote a long post about the NSAs BULLRUN project to subvert modern encryption standards. I had intended to come back to this at some point, since I didnt have time to discuss the issues in detail.
---------------------------------------------
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
*** On Covert Acoustical Mesh Networks in Air ***
---------------------------------------------
Fraunhofer FKIE, Wachtberg, Germany
Abstract: Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a...
---------------------------------------------
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
*** Cisco ASA Malformed DNS Reply Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the DNS code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** phpThumb 1.7.12 Server Side Request Forgery ***
---------------------------------------------
Topic: phpThumb 1.7.12 Server Side Request Forgery Risk: Low Text:#phpThumb phpThumbDebug Server Side Request Forgery #Google Dork: inurl:phpThumb.php #Author: Rafay Baloch And Deepanker Ar...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120020
*** Folo theme for WordPress jplayer.swf cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89318
*** Orange Themes for WordPress upload-handler.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89325
*** Zend Framework application.ini information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89328
*** TP-Link TD-8840t change administrator password cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89329
*** JMultimedia component for Joomla! phpThumb.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89333
*** Bugtraq: Multiple issues in OpenSSL - BN (multiprecision integer arithmetics). ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530120
*** Bugtraq: D-Link DIR-XXX remote root access exploit. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530119
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-11-2013 18:00 − Montag 02-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** SMS-Angriff zwingt Nexus-Smartphones in die Knie ***
---------------------------------------------
Der Empfang vieler Flash-SMS-Nachrichten soll Google-Nexus-Geräte rebooten. Davon betroffen sind auch Nexus-Smartphones mit aktuellem Android 4.4 (Kitkat).
---------------------------------------------
http://www.heise.de/security/meldung/SMS-Angriff-zwingt-Nexus-Smartphones-i…
*** Windows TIFF-Lücke bereits seit Juli ausgenutzt - Patch Fehlanzeige ***
---------------------------------------------
Bereits im Sommer wurden E-Mails verschickt, die mit TIFF-Bildern eine kürzlich bekannt gewordene Windows-Lücke ausnutzten. Und während die Zahl dieser Schädlinge weiter wächst, gibt es immer noch keinen Patch vom Microsoft.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-TIFF-Luecke-bereits-seit-Juli-…
*** Nachholbedarf beim Schutz von industriellen Kontrollsystemen ***
---------------------------------------------
Sicherheitsprobleme mit industriellen Kontrollsystemen machen immer wieder Schlagzeilen. Das BSI gibt Betreibern nun mit einem 124-seitigen Leitfaden bewährte Methoden an die Hand, um ihre Systeme abzusichern.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-beim-Schutz-von-industri…
*** Important Security Update for D-Link Routers ***
---------------------------------------------
D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
---------------------------------------------
krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
*** File Sharing Apps Expose iOS To Security Risks - Trustwave ***
---------------------------------------------
File sharing apps for Apple iOS mobile devices can potentially represent a security risk to users, according to a Trustwave security researcher.
---------------------------------------------
http://www.techweekeurope.co.uk/news/researcher-file-sharing-apps-expose-io…
*** Manipulation of hard drive firmware to conceal entire partitions ***
---------------------------------------------
Tools created by the computer hacking community to circumvent security protection on hard drives can have unintentional consequences for digital forensics. Tools originally developed to circumvent Microsoft's Xbox 360 hard drive protection can be used, independently of the Xbox 360 system, to change the reported size/model of a hard drive enabling criminals to hide data from digital forensic software and hardware.
---------------------------------------------
https://www.comp.glam.ac.uk/staff/kxynos/papers/read13-DI-HDD-manipulation.…
*** Description of Cumulative Update 3 for Exchange Server 2013 ***
---------------------------------------------
This article describes Cumulative Update 3 for Microsoft Exchange Server 2013 that provides the latest fixes for Exchange Server 2013 and contains stability and performance improvements.
---------------------------------------------
http://support.microsoft.com/kb/2892464
*** Uptime Agent 5.0.1 Stack Overflow Vulnerability ***
---------------------------------------------
Topic: Uptime Agent 5.0.1 Stack Overflow Vulnerability Risk: Medium Text:# Exploit Title: Up.Time Agent 5.0.1 Stack Overflow # Date: 28/11/2013 # Exploit Author: Denis Andzakovic # Vendor Homepage:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120009
*** Vuln: ABB MicroSCADA wserver.exe Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63901
*** Vuln: Jenkins Exclusion Plugin CVE-2013-6373 Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63876
*** Google Nexus SMS Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029414
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 28-11-2013 18:00 − Freitag 29-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Stealing Credit Cards - A WordPress and vBulletin Hack ***
---------------------------------------------
What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there - vBulletin and WordPress. Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy! The Environment The client runs...
---------------------------------------------
http://blog.sucuri.net/2013/11/stealing-credit-cards-a-wordpress-and-vbulle…
*** JPEG Files Used For Targeted Attack Malware ***
---------------------------------------------
We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l94pQWbJ28g/
*** Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-6718) ***
---------------------------------------------
An interface on the IBM BladeCenter Advanced Management Module (AMM) may expose user account names and passwords that have been configured on that AMM. CVE(s): CVE-2013-6718 Affected product(s) and affected version(s): These IBM BladeCenter Advanced Management Module Firmware versions are affected: v3.64B (BPET64B, BBET64B, and BPEO64B) v3.64C (BPET64C, BBET64C, and BPEO64C) v3.64G (BPET64G, BBET64G, and BPEO64G) This applies to the following hardware products: BladeCenter
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Google Android com.android.settings Lets Local Applications Remove Device Locks ***
---------------------------------------------
http://www.securitytracker.com/id/1029410
*** Cisco IOS XR SNMP Memory Leak Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029408
*** Cisco IOS XE MPLS Processing Flaw Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029407
*** Joomla! All Video Share Component "avssearch" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55888
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55802
*** WordPress Highlight - Powerful Premium Theme Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55671
*** WordPress Store Locator Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55276
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 27-11-2013 18:00 − Donnerstag 28-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Fake 'October´s Billing Address Code' (BAC) form themed spam campaign leads to malware ***
---------------------------------------------
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned 'casual social engineering' campaigns.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-b…
*** Sharik Back for More After Php.Net Compromise ***
---------------------------------------------
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victims PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
---------------------------------------------
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html
*** ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th) ***
---------------------------------------------
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch ports are "mirrored" to another switch port.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17111
*** Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0 ***
---------------------------------------------
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/advisory/2914486
*** THOUSANDS of Ruby on Rails sites leave logins lying around ***
---------------------------------------------
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins…
*** FakeAV + Ransomware = Windows Expert Console ***
---------------------------------------------
During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn´t mean that our good 'old friends' known as FakeAV aren´t around.
---------------------------------------------
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/
*** Linux Worm Targeting Hidden Devices ***
---------------------------------------------
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
---------------------------------------------
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
*** You have a Skype voicemail. PSYCHE! Its just some fiendish Trojan-flinging spam ***
---------------------------------------------
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_z…
*** Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats ***
---------------------------------------------
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecur…
*** Quassel IRC Backlog Access Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55640
*** DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
*** HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029400
*** Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029402
*** Yahoo Open Redirect Vulnerability or "Designing vulnerabilities" ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110200
*** ownCloud Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55792
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 26-11-2013 18:00 − Mittwoch 27-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** The Season For Danger: Holiday Season Spam And Phishing ***
---------------------------------------------
For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light-they see it as a prime opportunity to steal. Take, for example, online shopping. Malicious websites to try and trick online shoppers into giving them their money instead of the legitimate shopping websites.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-season-for-d…
*** InMobi: Another Vulnaggressive Adware Opens Billions of JavaScript 'Sidedoors' on Android Devices ***
---------------------------------------------
FireEye mobile security researchers identified another new mobile threat, which we call 'JavaScript Sidedoors', which we discovered in the popular InMobi ad library. InMobi exposes dangerous behaviors such as making phone calls without user consent through JavaScript interfaces, which creates a 'sidedoor' for attackers to exploit by injecting malicious JavaScript through hijacking InMobi's HTTP traffic. ...
---------------------------------------------
http://www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-anothe…
*** Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites ***
---------------------------------------------
Websites using an older version of Ruby on Rails, including Kickstarter and UrbanSpoon, remain vulnerable to a vulnerability in the frameworks cookie storage mechanism.
---------------------------------------------
http://threatpost.com/ruby-on-rails-cookiestore-vulnerability-plagues-promi…
*** An Anti-Fraud Service for Fraudsters ***
---------------------------------------------
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers.
---------------------------------------------
http://krebsonsecurity.com/2013/11/anti-fraud-service-for-fraudsters/
*** Security and policy surrounding bring your own devices (BYOD) ***
---------------------------------------------
As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/26/security-and-policy-surr…
*** Our protection metrics - October results ***
---------------------------------------------
​Last month we introduced our monthly protection metrics and talked about our September results. Today, we'd like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics - September results. During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-o…
*** White hat Wi-Fi hacking shows vulnerability of business data ***
---------------------------------------------
White hat hackers have shown that usernames, passwords, contact lists, details of e-commerce accounts and banking details can be sniffed easily from public Wi-Fi hotspots.
---------------------------------------------
http://www.computerweekly.com/news/2240209927/White-hat-Wi-Fi-hacking-shows…
*** Volatility 2.3 and FireEyes diskless, memory-only Trojan.APT.9002 ***
---------------------------------------------
FireEyes Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, posted 10 NOV 2013 is specific to an attack that "loaded the payload directly into memory without first writing to disk." As such, this "will further complicate network defenders ability to triage compromised systems, using traditional forensics methods."
---------------------------------------------
http://holisticinfosec.blogspot.co.uk/2013/11/volatility-23-and-fireeyes-di…
*** Malware creation hits record-high numbers In 2013, according to PandaLabs Q3 Report ***
---------------------------------------------
Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q3 2013, drawn up by PandaLabs, the company's anti-malware laboratory. One of the main conclusions that can be drawn from this global study is that malware creation has hit a new record high, with nearly 10 million new strains identified so far this year.
---------------------------------------------
http://press.pandasecurity.com/news/malware-creation-hits-record-high-numbe…
*** Security Headers on the Top 1,000,000 Websites: November 2013 Report ***
---------------------------------------------
It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS.
---------------------------------------------
https://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-w…
*** Finding Cryptolocker Encrypted Files using the NTFS Master File Table ***
---------------------------------------------
For the most part, everyone seems to be familiar with the new variants of Cyptolocker making the rounds these days. To quickly summarize, this form of ransomware that encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys.
---------------------------------------------
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted…
*** Rogue that takes webcam pictures of you ***
---------------------------------------------
Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to it's scam. We gathered a sample and sure enough, given some time it will indeed use the webcam and take a picture of what's in front of the camera at that time. This variant is called "Antivirus Security Pro" and it's as nasty as you can get.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/new-rogue-now-takes-screenshots/
*** Vuln: Drupal Core Image Module HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63848
*** Xen Privileged Ring Access Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029396
*** Debian Security Advisory DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** Debian Security Advisory DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 25-11-2013 18:00 − Dienstag 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Rätselhafte Entführungen im Internet ***
---------------------------------------------
Geheimdienste müssen gar nicht direkt am Kabel lauschen. Der Netzwerkdienstleister Renesys berichtet von einer deutlichen Zunahme von seltsamen Routing-Vorfällen, bei denen Netzwerkverkehr über andere Länder, manchmal sogar Kontinente umgeleitet wird.
---------------------------------------------
http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet…
*** The Need for Incident Response ***
---------------------------------------------
On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database. Website hacks are increasing the volume of targeted attacks today.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-respons…
*** Fake tech support scam is trouble for legitimate remote help company ***
---------------------------------------------
Fraud victims mistake legitimate tech company for fraudsters.
---------------------------------------------
http://arstechnica.com/information-technology/2013/11/fake-tech-support-sca…
*** VBScript Malware SOYSOS Deletes CAD Files ***
---------------------------------------------
Cybercriminals can do just as much damage deleting users´ data as stealing it because file deletion can result in both data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two - demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware…
*** Surge in "BlackShades" infections exposes machines worldwide to RAT ***
---------------------------------------------
Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-…
*** A Look At A Silverlight Exploit ***
---------------------------------------------
Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to their list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, in order to bypass ASLR.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silv…
*** [Honeypot Alert] More PHP-CGI Scanning (apache-magika.c) ***
---------------------------------------------
In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apa…
*** New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction ***
---------------------------------------------
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
---------------------------------------------
http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin…
*** The internet mystery that has the world baffled ***
---------------------------------------------
For the past two years, a mysterious online organisation has been setting the worlds finest code-breakers a series of seemingly unsolveable problems. But to what end? Welcome to the world of Cicada 3301.
---------------------------------------------
http://www.telegraph.co.uk/technology/internet/10468112/The-internet-myster…
*** Das Stuxnet-Duo: Bösartige Geschwister ***
---------------------------------------------
Der deutsche Experte Ralph Langner hat nach drei Jahren Analyse ein abschließendes Papier zu Stuxnet vorgelegt. Demnach besteht die Cyber-Waffe aus zwei Schädlingen, von denen nur die zweite richtig bekannt wurde - zu Unrecht, meint Langner.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister…
*** Analysis: Online banking faces a new threat ***
---------------------------------------------
Neverquest supports just about every possible trick on online bank attacks. In light of Neverquest´s self-replication capabilities, the number of users attacked could increase over a short period of time.
---------------------------------------------
http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_…
*** Nachholbedarf bei IT-Sicherheit: EU-Parlamentarier tappten in Hotspot-Falle ***
---------------------------------------------
Alle EU-Parlamentarier sollen jetzt dringend ihre Passwörter ändern, fordert eine Mail der IT-Abteilung. Sie bestätigt, dass durch Angriffe im ungesicherten Parlaments-WLAN Zugangspasswörter ausspioniert wurden.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Par…
*** How To Combat Online Surveillance ***
---------------------------------------------
Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They´re limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.
---------------------------------------------
http://theoccupiedtimes.org/?p=12362
*** Why Crimekit Atrax will attract attention ***
---------------------------------------------
CSIS researchers have observed an introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax' and is both a cheap kit - costs less than $250 for the main platform - as well as it utilizes the TOR protocol for stealthy communication with C&Cs from where it is intended to get instructions, updates and new modules.
---------------------------------------------
https://www.csis.dk/en/csis/blog/4103
*** Blackhole and Cool Exploit Kits Nearly Extinct ***
---------------------------------------------
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
---------------------------------------------
http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034
*** IBM WebSphere Application Server Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55870
*** WordPress Contact Form 7 3.5.2 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110177
*** WordPress Pinboard Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110175
*** TPLINK WR740N / WR740ND Cross Site Request Forgery ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110181
*** NETGEAR ReadyNAS Perl Code Evaluation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110179
*** Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63475
*** Bugtraq: Open-Xchange Security Advisory 2013-11-25 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530008
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 22-11-2013 18:00 − Montag 25-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Second Look at Stuxnet Reveals Older Dangerous Variant ***
---------------------------------------------
ICS expert Ralph Langner has thrown back the covers on Stuxnet revealing a two-pronged attack intent not only on disrupting Irans nuclear capabilities, but flexing the attackers muscle in building weaponized malware.
---------------------------------------------
http://threatpost.com/second-look-at-stuxnet-reveals-older-dangerous-varian…
*** Google fixes flaw in Gmail password reset process ***
---------------------------------------------
According to the researcher who discovered the bug, Google swiftly addressed the security issue, which could leave users passwords vulnerable to theft.
---------------------------------------------
http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process…
*** Five Years Old And Still On The Run: DOWNAD ***
---------------------------------------------
Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused. Remarkably, after all that time, it´s still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine - a factor that may explain its high rate of infection to this day.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/five-years-old-a…
*** Another Fake WordPress Plugin - And Yet Another SPAM Infection! ***
---------------------------------------------
We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat "routine". If you follow our blog, you often hear us say we´ve seen "this" numerous times, we´ve cleaned "that" numerous times.
---------------------------------------------
http://blog.sucuri.net/2013/11/another-fake-wordpress-plugin-and-yet-anothe…
*** Top Security Predictions for 2014 ***
---------------------------------------------
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-…
*** Port 0 DDOS, (Fri, Nov 22nd) ***
---------------------------------------------
Following on the stories of amplification DDOS attacks using Chargen, and stories of "booters" via Brian Kreb's, I am watching with interest the increase in port 0 amplification DDOS attacks.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17081
*** Spam-Friendly Registrar 'Dynamic Dolphin' Shuttered ***
---------------------------------------------
The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.
---------------------------------------------
http://krebsonsecurity.com/2013/11/spam-friendly-registrar-dynamic-dolphin-…
*** LG smart TV snooping extends to home networks, second blogger says ***
---------------------------------------------
A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company in a post that offers support for the theory that the snooping isnt isolated behavior that affects a small number of sets.
---------------------------------------------
http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-hom…
*** CryptoLocker gang teams with botnet-builders on ransomware ***
---------------------------------------------
The cyber-gang running the CryptoLocker extortion racket is sharing a big cut of any payments they squeeze out of their victims with criminal botnet owners working closely with them, says Symantec, which has been monitoring this underworld activity online.
---------------------------------------------
http://www.pcworld.com/article/2066741/cryptolocker-gang-teams-with-botnet-…
*** DSA-2802 nginx ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2802
*** DSA-2801 libhttp-body-perl ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2801
*** [webapps] - TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/29802
*** ImpressPages CMS 3.8 Stored XSS Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110168
*** Pirelli Discus DRG A125g Remote Change SSID Value Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110167
*** Google Gmail IOS Mobile Application - Persistent / Stored XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110170
*** Ruby Heap Overflow in Floating Point Parsing Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029388
*** Drupal Core Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029386
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 21-11-2013 18:00 − Freitag 22-11-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** DNP3 Implementation Vulnerability (Update A) ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A
*** Facebook Vulnerability Discloses Friends Lists Defined as Private ***
---------------------------------------------
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110157
*** Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability ***
---------------------------------------------
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva use hardened centos 5.4 to run Web Application Firewall and Database Activity Monitoring product. It could be expl...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110158
*** Instagram for iOS Flattr account security bypass ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when the Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by flattring the photos causing the money from the users account to be redirected.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89162
*** Instagram for iOS upload module file upload ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89160
*** prettyPhoto Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55769
*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0 IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability ***
---------------------------------------------
Overview Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description CWE-94: Improper Control of Generation of Code (Code Injection)
---------------------------------------------
http://www.kb.cert.org/vuls/id/893462
*** Dovecot checkpassword-reply Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54808
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 20-11-2013 18:00 − Donnerstag 21-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** EFF Scorecard Shows Crypto Leaders and Laggards ***
---------------------------------------------
The Electronic Frontier Foundation (EFF) released its Encrypt the Web Report demonstrating how much encryption leading Internet companies and service providers are deploying.
---------------------------------------------
http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987
*** Tomcat-Wurm springt von Server zu Server ***
---------------------------------------------
Symantec hat einen Wurm entdeckt, der Apaches Java-Webserver infiziert und als Java-Servlet von Server zu Server springt. Infizierte Rechner werden als DDoS-Schleudern und Proxys missbraucht.
---------------------------------------------
http://www.heise.de/security/meldung/Tomcat-Wurm-springt-von-Server-zu-Serv…
*** Are large scale Man in The Middle attacks underway?, (Thu, Nov 21st) ***
---------------------------------------------
Renesys is reporting two separate incidents where they observed traffic for 1500 IP blocks being diverted for extended periods of time. They observed the traffic redirection for more than 2 months over the last year. Does it seem unusual for internet traffic between Ashburn Virginia (63.218.44.78) and Washington DC (63.234.113.110) to go through Russia to Belarus? That is exactly what they observed. Once traffic flows through your routers there are countless opportunities to capture and modify...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17075&rss
*** A look at security effectiveness by industry ***
---------------------------------------------
BitSight analyzed security ratings for over 70 Fortune 200 companies in four industries - energy, finance, retail and technology. The objective was to uncover quantifiable differences in security effectiveness and performance across industries from October 2012 through September 2013.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15991
*** 5 Considerations For Post-Breach Security Analytics ***
---------------------------------------------
Preparing collection mechanisms ahead of time, preserving chain of custody on forensics data, and performing focused analysis all key in inspecting security data after a compromise
---------------------------------------------
http://www.darkreading.com/5-considerations-for-post-breach-securit/2401641…
*** EMC Document Sciences xPression cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89073
*** SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal coreVersion: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)Drupals form API has built-in cross-site request forgery (CSRF) validation, and also allows any...
---------------------------------------------
https://drupal.org/SA-CORE-2013-003
*** SA-CONTRIB-2013-096 - Entity reference - Access bypass ***
*** SA-CONTRIB-2013-095 - Organic Groups - Access bypass ***
*** SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS) ***
*** SA-CONTRIB-2013-093 - Invitation - Access Bypass ***
---------------------------------------------
https://drupal.org/node/2140237https://drupal.org/node/2140217https://drupal.org/node/2140123https://drupal.org/node/2140097
*** Vuln: SAP NetWeaver SHSTI_UPLOAD_XML() Function XML External Entity Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63779
*** Vuln: SAP NetWeaver Logviewer Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/58615
*** Vuln: SAP NetWeaver SAP Portal URI Redirection Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/63783
*** Vuln: SAProuter NI Route Message Handling Heap Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/60054
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-0478, CVE-2013-0477) ***
---------------------------------------------
IBM InfoSphere Master Data Management - Collaborative Edition versions 10.1, 10.0 and IBM InfoSphere Master Data Management Server for Product Information Management versions 9.1, 9.0, 6.0 are vulnerable to cross-site scripting and content spoofing. CVE(s): CVE-2013-0477, and CVE-2013-0478 Affected product(s) and affected version(s): IBM InfoSphere Master Data Management - Collaborative Edition Versions 10.1 and 10.0 IBM InfoSphere Master Data Management Server for Product Information...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Aribtrary Remote Command Execution ***
---------------------------------------------
Title: SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Aribtrary Remote Command Execution Product: Freemotion.Gate Vendor: SKIDATA, http://www.skidata.com/en/ Vulnerable Versions: 4.1.3.5 and likely all prior versions.
---------------------------------------------
http://www.keepingkidsonshred.com/2013/11/skidata-rfid-freemotiongate.html
*** Splunk Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55774
*** WHMCS "unserialize()" PHP Code Execution and Multiple Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55717
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 19-11-2013 18:00 − Mittwoch 20-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New variant of Android ransomware "Fake Defender" surfaces ***
---------------------------------------------
Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.
---------------------------------------------
http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-s…
*** Google Extends Scope of External Bug Bounty ***
---------------------------------------------
Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.
---------------------------------------------
http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962
*** TrustKeeper Scan Engine Update - November 14, 2013 ***
---------------------------------------------
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka: AnyConnect).
---------------------------------------------
http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-…
*** VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory ***
---------------------------------------------
Adobe ColdFusion 10 update 11 and possibly earlier versions contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
The vulnerability requires using a relative path, although there is no directory traversal vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/295276
*** Understanding Google´s Blacklist Cleaning Your Hacked Website and Removing From Blacklist ***
---------------------------------------------
Today we found an interesting case where Google was blacklisting a client´s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight toRead More
---------------------------------------------
http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-you…
*** Searching live memory on a running machine with winpmem, (Wed, Nov 20th) ***
---------------------------------------------
Winpmem may appear to be a simple a memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it has the ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two seperate steps you can search for memory on a running system.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17063
*** Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability ***
---------------------------------------------
Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft´s Silverlight framework.
---------------------------------------------
http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverli…
*** Mobile threats in October 2013 ***
---------------------------------------------
In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android. An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.
---------------------------------------------
http://news.drweb.com/show/?i=4061&lng=en&c=9
*** Repeated attacks hijack huge chunks of Internet traffic, researchers warn ***
---------------------------------------------
Man-in-the-middle attacks divert data on scale never before seen in the wild.
---------------------------------------------
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks…
*** US police department pays $750 Cryptolocker Trojan ransom demand ***
---------------------------------------------
A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.
---------------------------------------------
http://news.techworld.com/security/3489937/us-police-department-pays-750-cr…
*** Backup the best defense against (Cri)locked files ***
---------------------------------------------
Crilock also known as CryptoLocker - is one notorious ransomware that´s been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-…
*** JBoss Attacks Up Since Exploit Code Disclosure ***
---------------------------------------------
Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.
---------------------------------------------
http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971
*** [webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/29709
*** nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029363
*** PayPal Billsafe Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110142
*** EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110139
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 18-11-2013 18:00 − Dienstag 19-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Am I Sending Traffic to a "Sinkhole"?, (Mon, Nov 18th) ***
---------------------------------------------
It has become common practice to setup "Sinkholes" to capture traffic sent my infected hosts to command and control servers. These Sinkholes are usually established after a malicious domain name has been discovered and registrars agreed to redirect respective NS records to a specific name server configured by the entity operating the Sinkhole. More recently for example Microsoft gained court orders to take over...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17048
*** Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA ***
---------------------------------------------
Google announced today it has completed upgrading all of its SSL certificates to 2048-bit RSA or better, up from 1024.
---------------------------------------------
http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2…
*** Facebook URL redirection vulnerability patched ***
---------------------------------------------
A Facebook URL redirection vulnerability discovered last week was patched just a day after a blog post detailing the bug went live.
---------------------------------------------
http://www.scmagazine.com//facebook-url-redirection-vulnerability-patched/a…
*** Winpmem - Mild mannered memory aquisition tool??, (Tue, Nov 19th) ***
---------------------------------------------
There should be little argument that with todays threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crutial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17054&rss
*** Old JBoss vuln in the wild, needs patching ***
---------------------------------------------
Remote code execution, the usual thing JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_v…
*** Cybercriminals spamvertise tens of thousands of fake "Sent from my iPhone" themed emails, expose users to malware ***
---------------------------------------------
Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that's been "Sent from an iPhone". The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we've been monitor for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised...
---------------------------------------------
http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thou…
*** A .BIT Odd ***
---------------------------------------------
Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rFeNuxSPHUg/
*** Vuln: Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63715
*** Vuln: Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63712
*** Opera Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55720
*** Network Security Services (NSS) Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55557
*** Vuln: MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63770
*** Elastix Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55739
*** Splunk Test Scripts Let Remote Authenticated Users Execute Arbitrary Shell Scripts on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1029316
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 15-11-2013 18:00 − Montag 18-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks ***
---------------------------------------------
Hacks on sites using the widely used forum software spread to its maker.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/FIA9t0-8N04/story01…
*** BKDR_SHIZ Responsible For SAP Attacks, And More ***
---------------------------------------------
There have been recent reports of malware that targeted SAP users for information theft. We detect this threat as BKDR_SHIZ.TO, and it belongs to a malware family that has been detected since 2010. So far, this particular family has received little attention, but its targeting of SAP applications has raised its profile considerably. So what...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/O578f6Dl3Js/
*** Exploiting the Supermicro Onboard IPMI Controller ***
---------------------------------------------
Last week @hdmoore published the details about several vulnerabilities into the Supermicro IPMI firmware. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploitin…
*** Explaining and Speculating About QUANTUM ***
---------------------------------------------
Nicholas Weaver has a great essay explaining how the NSAs QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/explaining_and.html
*** Various Schneier Audio and Video Talks and Interviews ***
---------------------------------------------
News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. Im the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/various_schneie.html
*** Sagan as a Log Normalizer, (Sat, Nov 16th) ***
---------------------------------------------
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc)."[1] Sagan is a log analysis engine that uses structure rules with the same basic structure as Snort rules. The alerts can be written to a Snort IDS/IPS database in the Unified2 file format using Barnyard2. This mean the alerts can be read using Sguil, BASE or SQueRT to name a few. It is easy to setup, just need to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17039&rss
*** SpiderLabs Radio November 15, 2013 w/ Space Rogue ***
---------------------------------------------
This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about Stuxnet on ISS, Facebook scans for Adobe, MacRumours, SEA hits Vice, bitcash.cz, Cracked gets cracked, Loyaltybuild, No Nukes in JP, OWASP AppSec USA, SRs Last SLR and more! Listen to SpiderLabs radio in iTunes. Or you can download the MP3 file directly here. Or listen right from your browser with this embedded player.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/spiderlabs-radio-november-15-2013-w-spac…
*** Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool ***
---------------------------------------------
Telephony Denial of Service Attacks (TDoS) continue representing a growing market segment within the Russian/Eastern European underground market, with more vendors populating it with propositions for products and services aiming to disrupt the phone communications of prospective victims. From purely malicious in-house infrastructure - dozens of USB hubs with 3G USB modems using fraudulently obtained, non-attributable SIM cards - abuse of legitimate infrastructure, like Skype, ICQ, a...
---------------------------------------------
http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-release…
*** Bugtraq: Cross-Site Scripting (XSS) in Tweet Blender Wordpress Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529853
*** Vuln: GnuTLS libdane/dane.c CVE-2013-4487 Incomplete Fix Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63469
*** MS13-095 - Important : Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) - Version: 1.0 ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-095
*** SAP Netweaver Web Application Server J2EE SAP Portal Redirection Weakness ***
*** SAP Netweaver DataCollector and JavaDumpService Servlets Multiple Cross-Site Scripting Vulnerabilities ***
*** SAP NetWeaver Input Validation Flaw in SRTT_GET_COUNT_BEFORE_KEY_RFC Function Lets Remote Authenticated Users Inject SQL Commands ***
---------------------------------------------
https://secunia.com/advisories/55778https://secunia.com/advisories/55777http://www.securitytracker.com/id/1029352
*** gitlab-shell Multiple Vulnerabilities ***
*** GitLab API Access Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55683https://secunia.com/advisories/55691
*** IBM Tivoli System Automation Application Manager Java Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55794
*** Foreman Host and Host Group SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55722
*** [webapps] - ManageEngine DesktopCentral 8.0.0 build 80293 - Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29674
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 14-11-2013 18:00 − Freitag 15-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Blog: The rush for CVE-2013-3906 - a hot commodity ***
---------------------------------------------
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
---------------------------------------------
http://www.securelist.com/en/blog/208214158/The_rush_for_CVE_2013_3906_a_ho…
*** CVE-2012-1889 is still alive! ***
---------------------------------------------
In Zscaler´s daily scanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Lets take a look.
---------------------------------------------
http://research.zscaler.com/2013/11/cve-2012-1889-is-still-alive.html
*** Febipos for Internet Explorer ***
---------------------------------------------
In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/14/febipos-for-internet-exp…
*** Linux backdoor squirts code into SSH to keep its badness buried ***
---------------------------------------------
Fokirtor! It LOOKED like legitimate traffic...
Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.
---------------------------------------------
http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/
*** Mobile Pwn2Own: Internet Explorer 11 geknackt, Chrome schon geflickt ***
---------------------------------------------
Die von Pinkie Pie benutzte Chrome-Lücke wurde von Google mittlerweile geschlossen. Forscher der Zero Day Initiative gelang es unterdessen, Internet Explorer 11 auf einem Surface Pro zu übernehmen.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Internet-Explorer-11-ge…
*** Blog: AutoCAD - new platform for start page Trojans ***
---------------------------------------------
In China, start page Trojans have become a popular type of malware because by changing users´ browser start pages to point to some navigation site, the owner of the site can get a large amount of web traffic which can then be converted into large sums of money. In order to spread such Trojans as broadly as possible, Trojan authors have even turned their sights to AutoCAD.
---------------------------------------------
http://www.securelist.com/en/blog/8141/AutoCAD_new_platform_for_start_page_…
*** Research Into BIOS Attacks Underscores Their Danger ***
---------------------------------------------
For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior. The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts.
---------------------------------------------
http://www.darkreading.com/advanced-threats/research-into-bios-attacks-unde…
*** Eight Security Predictions for 2014 ***
---------------------------------------------
2013 was not an easy year in cybersecurity and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014.
---------------------------------------------
http://community.websense.com/blogs/securitylabs/archive/2013/11/14/eight-s…
*** The Security Impact of HTTP Caching Headers, (Fri, Nov 15th) ***
---------------------------------------------
Earlier this week, an update for Media-Wiki fixed a bug in how it used caching headers. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to talk a bit about caching in web applications and why it is important for security.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17033&rss
*** Google Chrome for Android Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55744
*** Nagios XI "tfPassword" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55695
*** VMSA-2013-0013 ***
---------------------------------------------
VMware Workstation host privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0013.html
*** Cisco IOS CSG Parse Error Drop Function Flaw Lets Remote Users Bypass Access Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029342
*** Cisco ASA IPv6 NAT Bug Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029341
*** mod_nss FakeBasicAuth authentication bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110110
*** APPLE-SA-2013-11-14-1 iOS 7.0.4 ***
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2013/Nov/msg00000.ht…
*** Security Bulletin: IBM Platform Cluster Manager Standard Edition (CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965 CVE-2013-4310) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 13-11-2013 18:00 − Donnerstag 14-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Stanford Metaphone Project Aims to Show Dangers of Metadata Collection ***
---------------------------------------------
When the first NSA surveillance story broke in June, about the agency´s collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren´t sure what the term encompassed, and now a group of security researchers at Stanford have started a new project to collect data from Android users to see exactly how much information can be drawn from the logs of phone calls and texts.
---------------------------------------------
http://threatpost.com/stanford-metaphone-project-aims-to-show-dangers-of-me…
*** Thunderbird gibt falschem Absender das Echtheits-Siegel ***
---------------------------------------------
Eigentlich sollen digitale Signaturen sicherstellen, dass man sich auf den Absender einer E-Mail verlassen kann. Allerdings stellt sich Thunderbird im Umgang mit signierten E-Mails so ungeschickt an, dass man falsche Absender vortuschen kann.
---------------------------------------------
http://www.heise.de/security/meldung/Thunderbird-gibt-falschem-Absender-das…
*** Unusual BHEK-Like Spam With Attachment Found ***
---------------------------------------------
Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.
Recently, however, we came across rather unusual spam samples that combines characteristics of both attacks.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/unusual-bhek-lik…
*** Mobile Pwn2Own: Galaxy S4 und iOS gehackt ***
---------------------------------------------
Am ersten Tag des Wettbewerbs Mobile Pwn2Own in Tokio wurde auf Samsungs Galaxy S4 eine Sicherheitslücke gezeigt, die es ermöglicht, beliebige Apps zu installieren. Chinesische Hacker zeigten Schwachstellen in Safari unter iOS 6.1.4 und 7.0.3.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Galaxy-S4-und-iOS-gehac…
*** Analysis: IT Threat Evolution: Q3 2013 ***
---------------------------------------------
IT Threat Evolution: Q3 2013
Targeted Attacks / APT
Malware Stories
Web security and data breaches
Mobile malware
---------------------------------------------
http://www.securelist.com/en/analysis/204792312/IT_Threat_Evolution_Q3_2013
*** A-DOH!-BE hack: Facebook warns users whose logins were spilled ***
---------------------------------------------
Facebook is using a list of hacked Adobe accounts posted by the miscreants themselves to warn its own customers about password reuse.
---------------------------------------------
http://www.theregister.co.uk/2013/11/14/facebook_adobe_password_leak_warnin…
*** New OSX/Crisis or Business Cards Gone Wild ***
---------------------------------------------
In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team´s spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners. RCS, also known as OSX/Crisis, is an expensive rootkit used by governments during targeted attacks.
---------------------------------------------
http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-…
*** Cracked.com Serving Malware in Drive-By Downloads ***
---------------------------------------------
The popular humor website, Cracked[dot]com reportedly hosted malware that infected the machines of of its visitors over the weekend and may still be doing so, according to Barracuda Labs research.
---------------------------------------------
http://threatpost.com/cracked-com-serving-malware-in-drive-by-downloads/102…
*** eGroupware HTML File Uploads Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54368
*** LastPass Android Container PIN / Auto-Wipe Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110101
*** IBM Multiple Storage Products Apache Struts Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55706
*** SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypassDescriptionThis module enables you to manage groups and assign content and users to groups.The module doesnt sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module.CVE
---------------------------------------------
https://drupal.org/node/2135267
*** SA-CONTRIB-2013-090 - Revisioning - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypassDescriptionThis module enables you to create content publication workflows whereby one version of the content is "live" (publicly visible), while another is being edited and moderated privately until found fit for publication.The module doesnt sufficiently apply node access permissions
---------------------------------------------
https://drupal.org/node/2135257
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 12-11-2013 18:00 − Mittwoch 13-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Summary for November 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for November 2013. With the release of the security bulletins for November 2013, this bulletin summary replaces the bulletin advance notification originally issued November 7, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Blog: Sinkholing the Hlux/Kelihos botnet - what happened? ***
---------------------------------------------
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. Now we thought it would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.
---------------------------------------------
http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_bot…
*** Microsoft Warns Customers Away From SHA-1 and RC4 ***
---------------------------------------------
The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.
---------------------------------------------
http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102…
*** Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1 ***
---------------------------------------------
In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computers systems. Today, we´re releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-miti…
*** Adobe Patches Flash, ColdFusion Flaws Unrelated to Breach ***
---------------------------------------------
Adobe patched critical vulnerabilities in its Flash Player and ColdFusion Web application server; the company said the bugs are unrelated to the recent breach and source code theft.
---------------------------------------------
http://threatpost.com/adobe-patches-flash-coldfusion-flaws-unrelated-to-bre…
*** Simulated attacks give London banks a trial run in readiness ***
---------------------------------------------
The planned event, called "Waking Shark II," marks the second year the city of London had participated in the security preparedness exercises.
---------------------------------------------
http://www.scmagazine.com//simulated-attacks-give-london-banks-a-trial-run-…
*** November Patch Tuesday Addresses New IE Zero-Day Exploit, But TIFF Vulnerability Still Unpatched ***
---------------------------------------------
It´s worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month´s update, so the recommendations and work-arounds that were suggested at that time remain in effect.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/november-patch-t…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits ***
---------------------------------------------
Sharing is caring. In this post, I´ll put the spotlight on a currently circulating, massive - thousands of sites affected - malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites.
---------------------------------------------
http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-…
*** Cross-site scripting vulnerabilities in EMC Documentum eRoom ***
---------------------------------------------
Due to improper input validation, Documentum eRoom suffers from multiple cross-site scripting vulnerabilities, which allow an attacker to steal other users sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** BlackBerry Patches Remote Access Feature Vulnerable to Exploit ***
---------------------------------------------
BlackBerry patched two serious vulnerabilities in its BlackBerry Link product.
---------------------------------------------
http://threatpost.com/blackberry-patches-remote-access-feature-vulnerable-t…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55478
*** Red Hat Network Satellite Server Grants Administrative Access to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029331
*** JunOS 11.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110085
*** FortiAnalyzer 5.0.4 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29550
*** Security Bulletin: Potential Security Vulnerability fixed in WebSphere Virtual Enterprise (CVE-2013-5425) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 11-11-2013 18:00 − Dienstag 12-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ActiveX Control issue being addressed in Update Tuesday ***
---------------------------------------------
Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3', which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS).
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-be…
*** Samsung, Nokia say they don´t know how to track a powered-down phone ***
---------------------------------------------
Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to find cellphones even when they were turned off.
---------------------------------------------
http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-ho…
*** Chinese Bitcoin exchange shutters, taking £2.5 MEEELION ***
---------------------------------------------
Another one Bits the dust... Chinese Bitcoin exchange GBL has shut down, taking with it over 25 million yuan ($US4.1m) of investors´ money, in another warning to those who don't look before they leap with the digital currency.
---------------------------------------------
http://www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/
MSRT November 2013 - Napolar
---------------------------------------------
We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers´ machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/12/msrt-november-2013-napol…
*** GCHQ Used Fake LinkedIn Pages to Target Engineers ***
---------------------------------------------
The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didnt take any longer than usual to load.
---------------------------------------------
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-…
*** Smartphone PIN revealed by camera and microphone ***
---------------------------------------------
The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned. Using a programme called PIN Skimmer a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.
---------------------------------------------
http://www.bbc.co.uk/news/technology-24897581
*** A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware ***
---------------------------------------------
The exponential growth of mobile malware over the last couple of years, can be attributed to a variety of growth factors, the majority of which continue playing an inseparable role in the overall success and growth of the cybercrime ecosystem in general.
---------------------------------------------
http://ddanchev.blogspot.co.uk/2013/11/a-peek-inside-customer-ized-api-enab…
*** Cyber Attack on Finland is a Warning for the EU ***
---------------------------------------------
A highly sophisticated multi-year cyber attack targeting Finland´s diplomatic communications is likely to have been replicated against other EU and Western countries.
---------------------------------------------
http://www.chathamhouse.org/media/comment/view/195392?
*** Selfish Miners Could Exploit P2P Nature of Bitcoin Network ***
---------------------------------------------
While researchers and academics are just at the beginning of the process of trying to judge the value of a recent paper on a vulnerability in the Bitcoin protocol, some are arguing that there is a smaller point that´s being missed in all of the back and forth: There is a problem with the peer-to-peer set-up of the Bitcoin network that could be exploited for profit.
---------------------------------------------
http://threatpost.com/selfish-miners-could-exploit-p2p-nature-of-bitcoin-ne…
*** Vuln: strongSwan CVE-2013-6075 Authorization Security Bypass and Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63489
*** FOSCAM IP-Cameras SSID cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88629
*** Belkin NetCam Wifi Camera Hardcoded Credentials ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110079
*** WordPress Curvo Themes - Arbitrary code execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110081
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 08-11-2013 18:00 − Montag 11-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New IE Zero-Day found in Watering Hole Attack ***
---------------------------------------------
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It´s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-wate…
FOLLOW-UP:
*** Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method ***
---------------------------------------------
Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephe…
*** No Patch Tuesday update for Microsoft zero-day vulnerability ***
---------------------------------------------
Microsoft is preparing eight fixes for next weeks upcoming Nov. 12 Patch Tuesday, but an update to a recently discovered zero-day vulnerability is not one of them.
---------------------------------------------
http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vu…
*** Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I ***
---------------------------------------------
November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.
---------------------------------------------
http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-diss…
*** CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest ***
---------------------------------------------
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks there is more to the emergence of this thread than initially discovered.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-eme…
*** October 2013 virus activity overview ***
---------------------------------------------
November 5, 2013 Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Webs support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Viruses Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats.
---------------------------------------------
http://news.drweb.com/show/?i=4052&lng=en&c=9
*** Supertrojaner BadBIOS: Unwahrscheinlich, aber möglich ***
---------------------------------------------
Der Sicherheitsforscher Dragos Ruiu behauptet, auf seinen Rechnern wüte ein im BIOS verankerter Supertrojaner, der auch ohne Netzanschluss kommuniziert. Es mehren sich skeptische Stimmen - technisch unmöglich ist Malware wie BadBIOS jedoch nicht.
---------------------------------------------
http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich…
*** Hintergrund: ENISA-Empfehlungen zu Krypto-Verfahren ***
---------------------------------------------
Die oberste, europäische Sicherheitsbehörde, die ENISA gibt Empfehlungen zu Algorithmen und Schlüssellängen.
---------------------------------------------
http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren…
*** Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream ***
---------------------------------------------
This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-…
*** Erweiterungen für Googles Webbrowser Chrome nur noch aus offiziellem Store ***
---------------------------------------------
Google will Windows-Anwender besser vor Malware schützen. Chrome-Versionen für andere Plattformen sind von der Maßnahme nicht betroffen.
---------------------------------------------
http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-…
*** Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29519
*** Debian Security Advisory DSA-2793 libav ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2793
*** Redaxo 4.5 CMS Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110070
*** Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529722
*** D-Link Router 2760N Multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110075
*** Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205 ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 07-11-2013 18:00 − Freitag 08-11-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Advance Notification for November 2013 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release ***
---------------------------------------------
Today, we're providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office. While this release won't include an update for the issue first described in Security Advisory 2896666, we'd like to tell you a bit more about it. We're working to develop a security update...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/07/clarification-on-securit…
*** Exploits of critical Microsoft zero day more widespread than thought ***
---------------------------------------------
At least two hacker gangs exploit TIFF vulnerability to hijack users computers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/6hCE3JS8yQI/story01…
*** Despite patches, Supermicros IPMI firmware is far from secure, researchers say ***
---------------------------------------------
The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unuathorized access to servers, Rapid7 researchers said
---------------------------------------------
http://www.csoonline.com/article/742836/despite-patches-supermicro-39-s-ipm…
*** PCI council publishes updated payment security standards ***
---------------------------------------------
Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ktdq0wWA1L8/
*** VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable ***
---------------------------------------------
Vulnerability Note VU#274923 Dual_EC_DRBG output using untrusted curve constants may be predictable Original Release date: 07 Nov 2013 | Last revised: 07 Nov 2013 Overview Output of the Dual Elliptic Curve Deterministic Random Bit Generator (DUAL_EC_DRBG) algorithm may be predictable by an attacker who has chosen elliptic curve parameters in advance. Description NIST SP 800-90A defines three elliptic curves for use in Dual_EC_DBRG but does not describe the provenance of the parameters used
---------------------------------------------
http://www.kb.cert.org/vuls/id/274923
*** Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity ***
---------------------------------------------
In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share. Thus, help them secure multiple revenue streams. Despite the increased transparency on the Russian/Easter European underground market - largely thanks to improved social networking courtesy of the...
---------------------------------------------
http://www.webroot.com/blog/2013/11/07/source-code-proprietary-spam-bot-off…
*** Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server (CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) ***
---------------------------------------------
The security bulletin addresses various vulnerabilities found in the Sametime Enterprise Meeting Server regarding spoofing and domain cookies. CVE(s): and CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985 Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654355 X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986) ***
---------------------------------------------
An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension (Firefox extension) session of other users. CVE(s): and CVE-2013-3986 Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654041 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: For safer administration of IBM Domino server, use Domino Administrator client instead of Domino Web Administrator ***
---------------------------------------------
IBM Domino Web Administrator (webadmin.nsf) has two cross-site scripting vulnerabilities and one cross-site request forgery of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, use the Domino Administrator client or mitigations listed below. Domino Web Administrator is deprecated. CVE(s): CVE-2013-4051, CVE-2013-4055, CVE-2013-4050..
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_for…
*** IBM WebSphere Real Time Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55618
*** CTF365: A New Capture The Flag Platform for Ongoing Competitions ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/08/ctf365--i…
*** OpenSSH Security Advisory: gcmrekey.adv ***
---------------------------------------------
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm(a)openssh.com or aes256-gcm(a)openssh.com) is selected during kex exchange.
---------------------------------------------
http://www.openssh.org/txt/gcmrekey.adv
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 06-11-2013 18:00 − Donnerstag 07-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns ***
---------------------------------------------
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in "attacks observed are very limited and carefully carried out...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-e…
*** Analysis: Spam in Q3 2013 ***
---------------------------------------------
The percentage of spam in total email traffic decreased by 2.4% from the second quarter of 2013 and came to 68.3%.
---------------------------------------------
http://www.securelist.com/en/analysis/204792311/Spam_in_Q3_2013
*** Blackhat SEO and ASP Sites ***
---------------------------------------------
It's all too easy to scream and holler at PHP based websites and the various malware variants associate with the technology, but perhaps we're a bit too biased. Here is a quick post on ASP variant. Thought we'd give you Microsoft types some love too. Today we found this nice BlackHat SEO attack: Finding it...
---------------------------------------------
http://blog.sucuri.net/2013/11/blackhat-seo-and-asp-sites.html
*** Bugtraq: CVE-2013-4425: Private key disclosure, Osirix (lite, 64bit and FDA cleader version) (Medical Application) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529659
*** Vuln: Imperva SecureSphere Web Application Firewall Search Field SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62948
*** Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
---------------------------------------------
Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21655201
*** [20131103] Joomla! Core XSS Vulnerability ***
---------------------------------------------
Inadequate filtering leads to XSS vulnerability in com_contact.
---------------------------------------------
http://developer.joomla.org/security/572-core-xss-20131103.html
*** Vuln: Google Android Signature Verification Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63547
*** SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-089Project: Node Access Keys (third-party module)Version: 7.xDate: 2013-November-06Security risk: Moderately criticalExploitable from: RemoteVulnerability: Access bypassDescriptionNode Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access.CVE identifier(s)...
---------------------------------------------
https://drupal.org/node/2129379
*** SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-088Project: Secure Pages (third-party module)Version: 6.xDate: 2013-November-06Security risk: Less criticalExploitable from: RemoteVulnerability: Missing Encryption of Sensitive DataDescriptionThe Secure Pages module manages redirects between HTTP and HTTPS pages.A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a...
---------------------------------------------
https://drupal.org/node/2129381
*** SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-087Project: Payment for Webform (third-party module)Version: 7.xDate: 2013-November-06Security risk: Not criticalExploitable from: RemoteVulnerability: Access bypassDescriptionThis module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that...
---------------------------------------------
https://drupal.org/node/2129373
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-11-2013 18:00 − Mittwoch 06-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Attacks on New Microsoft Zero Day Using Multi-Stage Malware ***
---------------------------------------------
Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan. The...
---------------------------------------------
http://threatpost.com/attacks-on-new-microsoft-zero-day-using-multi-stage-m…
*** Malicious PDF Analysis Evasion Techniques ***
---------------------------------------------
In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly - and their creators invest in efforts to evade those vendors. Using feedback provided by the Smart Protection Network, we...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XOJob_q_Zag/
*** Asus fixt schwerwiegende Sicherheitslücke in WebStorage ***
---------------------------------------------
Die Client-Software WebStorage gehört zu einer Reihe von Apps, die Asus auf seinen Android-Geräten ab Werk installiert. heise netze hatte bei Routine-Kontrollen einen Implementierungsfehler aufgedeckt.
---------------------------------------------
http://www.heise.de/security/meldung/Asus-fixt-schwerwiegende-Sicherheitslu…
*** Google Bots Doing SQL Injection Attacks ***
---------------------------------------------
One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (ie., Google, Bing, Yahoo, etc..). To date, we've been pretty good about this, but every now and then you come across unique scenarios like the one in this post, that make you scratch your head and think, what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?
---------------------------------------------
http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html
*** Security Bulletin: IBM Sterling Certificate Wizard Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Certificate Wizard is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Certificate Wizard: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Potential security vulnerability exist in the IBM Java SDKs TLS implementation that is shipped with Tivoli Netcool/OMNIbus Web GUI (CVE-2012-5081) ***
---------------------------------------------
The JDKs TLS implementation does not strictly check the TLS vector length as set out in the latest RFC 5246. CVE(s): CVE-2012-5081 Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus Web GUI: 7.3.0, 7.3.1, 7.4.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** Security Bulletin: IBM Sterling Connect:Enterprise Secure Client Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Connect:Enterprise Secure Client is susceptible to a shared memory permission vulnerability. CVE(s): CVE-2013-1500 Affected product(s) and affected version(s): IBM Sterling Secure Client: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Vivotek IP Cameras RTSP Authentication Bypass ***
---------------------------------------------
Topic: Vivotek IP Cameras RTSP Authentication Bypass Risk: High Text:Core Security - Corelabs Advisory http://corelabs.coresecurity.com Vivotek IP Cameras RTSP Authentication Bypass 1. *A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110038
*** Bugtraq: Open-Xchange Security Advisory 2013-11-06 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529635
*** Kerberos Multi-realm KDC NULL Pointer Dereference Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55588
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WAAS Mobile Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Tweetbot for Mac / for iOS Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55462
*** Arbor Peakflow X Security Bypass and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55536
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-11-2013 18:00 − Dienstag 05-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Switzerland to set up Swiss cloud free of NSA, GCHQ snooping (it hopes) ***
---------------------------------------------
Gnomes of Zurich want spook-immune system Swisscom, the Swiss telco thats majority owned by its government, will set up a "Swiss cloud" hosted entirely in the land of cuckoo clocks and fine chocolate - and try to make the service impervious to malware and uninvited spooks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/04/switzerland…
*** Is your vacuum cleaner sending spam?, (Tue, Nov 5th) ***
---------------------------------------------
Past week, a story in a Saint Petersburg (the icy one, not the beach) newspaper caught quite some attention, and was picked up by The Register [1]. The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets. As soon as power was applied, the vacuum cleaner began trolling for open WiFi access points, and if it found one, it would hook up to a spam relay and start ...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16958
*** When attackers use your DNS to check for the sites you are visiting, (Mon, Nov 4th) ***
---------------------------------------------
Nowadays, attackers are definitely interested in checking what sites you are visiting. Depending on that information, they can setup attacks like the following: Phising websites and e-mail scams targeted to specific people so they leave their private information. Network spoofing with tools like dsniff, where attackers can tell computers that the sites they want to visit are located somewhere else, therefore enabling them to interact with victims posing like the original site.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16955
*** Manifest: Bei XMPP/Jabber soll Verschlüsselung zur Pflicht werden ***
---------------------------------------------
Entwickler und Betreiber von XMPP-/Jabber-Software und -Diensten, darunter auch der Jabber-Erfinder Jeremie Miller, wollen es zur Pflicht machen, die Kommunikation über XMPP in Zukunft zu verschlüsseln.
---------------------------------------------
http://www.golem.de/news/manifest-bei-xmpp-jabber-soll-verschluesselung-zur…
*** Biggest Risks in IPv6 Security Today ***
---------------------------------------------
Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.
---------------------------------------------
http://www.cio.com/article/742652/Biggest_Risks_in_IPv6_Security_Today
*** WhatsApp-Backup speichert Klartext bei Apple ***
---------------------------------------------
Die eingebaute Backup-Funktion des beliebten Messaging-Programms speichert auf dem iPhone alle Texte und Bilder bei Apples iCloud - und zwar völlig unverschlüsselt.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-Backup-speichert-Klartext-bei…
*** Cisco Security Notices ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/63490
*** Bugtraq: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529620
*** Bugtraq: ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529621
*** VU#436214: Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads ***
---------------------------------------------
Vulnerability Note VU#436214 Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads Original Release date: 04 Nov 2013 | Last revised: 04 Nov 2013 Overview The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads.
---------------------------------------------
http://www.kb.cert.org/vuls/id/436214
*** GitLab Remote code execution vulnerability in the code search feature ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the code search feature Risk: High Text:Remote code execution vulnerability in the code search feature of GitLab There is a remote code execution vulnerability in t...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110026
*** GitLab Remote code execution vulnerability in the SSH key upload ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the SSH key upload Risk: High Text:# Remote code execution vulnerability in the SSH key upload feature of GitLab There is a remote code execution vulnerability...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110025
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 31-10-2013 18:00 − Montag 04-11-2013 18:00
Handler: Otmar Lendl
Co-Handler: Stephan Richter
*** Top three recommendations for securing your personal data using cryptography, by EU cyber security Agency ENISA in new report ***
---------------------------------------------
ENISA, the European Union's "cyber security" Agency today launched a report that all authorities should better promote cryptographic measure to safeguard personal data.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/top-three-recommendations-f…
*** Know Your Enemy: Tracking A Rapidly Evolving APT Actor ***
---------------------------------------------
Between Oct. 24-25 FireEye detected two spear-phishing attacks attributed a threat actor we have previously dubbed admin(a)338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance and economic...
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-ra…
*** How To Avoid CryptoLocker Ransomware ***
---------------------------------------------
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from "CryptoLocker," the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
---------------------------------------------
http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
*** Why Motivated Attackers Often Get What They Want ***
---------------------------------------------
Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents youre storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced).According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays,
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002632.html
*** Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity ***
---------------------------------------------
Among the most common misconceptions regarding the exploitation (hacking) of Web sites, is that no one would exclusively target *your* Web site, given that the there are so many high profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web
---------------------------------------------
http://www.webroot.com/blog/2013/11/01/peek-inside-google-dorks-based-mass-…
*** Secunias PSI Country Report - Q3 2013, (Fri, Nov 1st) ***
---------------------------------------------
On the heels of discussing Microsofts Security Intelligence Report v15 wherein the obvious takeaway is "Windows XP be gone!", Secunias just-released PSI Country Report - Q3 2013 is an interesting supplemental read. Here are the summary details: Programs Installed: 75, from 25 different vendors 40% (30 of 75) of these programs are Microsoft programs 60% (45 of 75) of these programs are from third-party vendors Users with unpatched Operating Systems: 14.6% (WinXP, Win7, Win8,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16943&rss
*** July-September 2013 ***
---------------------------------------------
NOTE 1: The "ICS-CERT Monitor" newsletter offers a means of promoting preparedness, information sharing, and collaboration with the 16 critical infrastructure sectors. ICS-CERT accomplishes this on a day-to-day basis through sector briefings, meetings, conferences, and information product releases.
---------------------------------------------
http://ics-cert.us-cert.gov/monitors/ICS-MM201310
*** SOHO Router Horror Stories: German Webcast with Mike Messner ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/04/soho-rout…
*** Nordex NC2 - Cross-Site Scripting Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by allowing a specially crafted request that could execute arbitrary script code. This report was released without coordination with either the vendor or NCCIC/ICS-CERT. NCCIC/ICS-CERT is attempting to...
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-304-01
*** VU#450646: Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#450646 Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability Original Release date: 31 Oct 2013 | Last revised: 31 Oct 2013 Overview Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a cross-site scripting (XSS) vulnerability (CWE-79). Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a
---------------------------------------------
http://www.kb.cert.org/vuls/id/450646
*** VMSA-2013-0009.2 ***
---------------------------------------------
VMware vSphere, ESX and ESXi updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0009.html
*** TP-Link Cross Site Request Forgery Vulnerability ***
---------------------------------------------
Topic: TP-Link Cross Site Request Forgery Vulnerability Risk: Medium Text:I. Introduction Today the majority of wired Internet connections is used with an embedded NAT router, which allows using ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100223
*** Zend Framework Proxied Request Processing IP Spoofing Weakness ***
---------------------------------------------
https://secunia.com/advisories/55529
*** Novell ZENworks Configuration Management Directory Traversal Flaw Lets Remote Users Obtain Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029289
*** Security Bulletins for multiple HP Products ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Bulletins for multiple IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…http://www.securityfocus.com/bid/62018
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 30-10-2013 18:00 − Donnerstag 31-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** VU#326830: NAS4Free version 9.1.0.1 contains a remote command execution vulnerability ***
---------------------------------------------
NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remotely authenticated attacker can send an HTTP POST request that contains a malicious PHP file which can cause the script to run directly on the machine.
---------------------------------------------
http://www.kb.cert.org/vuls/id/326830
*** Mozilla Fixes 10 Vulnerabilities with Firefox 25 ***
---------------------------------------------
Mozilla released Firefox 25 yesterday, fixing 10 vulnerabilities, five of them critical.
---------------------------------------------
http://threatpost.com/mozilla-fixes-10-vulnerabilities-with-firefox-25/1027…
*** A New Wave of WIN32/CAPHAW Attacks - A ThreatLabZ Analysis ***
---------------------------------------------
Introduction and setting the context Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users bank accounts since 2011.
---------------------------------------------
http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html
*** Silent Circle and Lavabit launch 'DarkMail Alliance' to thwart e-mail spying ***
---------------------------------------------
Silent Circle CTO: "What we're getting rid of is SMTP."
---------------------------------------------
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-da…
*** MS Security Intelligence Report Volume 15: January 2013 to June 2013 ***
---------------------------------------------
The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.
---------------------------------------------
http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA…
*** Meet 'badBIOS', the mysterious Mac and PC malware that jumps airgaps ***
---------------------------------------------
Like a super strain of bacteria, the rookkit plaguing Dragos Ruiu is omnipotent.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/jeFXBU0x_Vc/story01…
*** Compliance Checklist: Cloud Encryption Best Practices for Banks and Insurance Companies ***
---------------------------------------------
For industries whose handling of sensitive consumer data renders them subject to strict regulations, the cloud is anything but a simple choice. Before you can commit to the cloud, you'll have to understand exactly what cloud information protection measures you must take to remain in regulatory compliance.
---------------------------------------------
http://blog.ciphercloud.com/compliance-checklist-cloud-encryption-practices…
*** Weekly Update: Exploiting (Kind of) Popular FOSS Apps ***
---------------------------------------------
- Moodle Remote Command Execution
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
- Zabbix Authenticated Remote Command Execution
- Mac OS X Persistent Payload Installer
- Persistent Payload in Windows Volume Shadow Copy
- and many more
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/30/weekly-up…
*** Cisco IOS XE Multiple Bugs Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029277
*** Moodle Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100211
*** D-Link Backdoor Czechr Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100219
*** ISPConfig Authenticated Arbitrary PHP Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100215
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 29-10-2013 18:00 − Mittwoch 30-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Nuclear Exploit Pack Getting More Aggresive ***
---------------------------------------------
Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week, we stumbled upon thousands of transactions involving the Nuclear Exploit Pack infestation.
---------------------------------------------
http://research.zscaler.com/2013/10/nuclear-exploit-pack-getting-more.html
*** A Tour Through The Chinese Underground ***
---------------------------------------------
The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-tour-through-t…
*** Major Corporations Fail to Defend Against Social Engineering ***
---------------------------------------------
Companies such as Apple and General Motors gave up crucial company information to social engineers during the annual Capture the Flag contest at Def Con.
---------------------------------------------
http://threatpost.com/major-corporations-fail-to-defend-against-social-engi…
*** iOS apps can be hijacked to show fraudulent content and intercept data ***
---------------------------------------------
A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday.
---------------------------------------------
http://arstechnica.com/security/2013/10/ios-apps-can-be-hijacked-to-show-fr…
*** New Injection Campaign Peddling Rogue Software Downloads ***
---------------------------------------------
A mass injection campaign surfaced over the last two weeks that´s already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer.
---------------------------------------------
http://threatpost.com/new-injection-campaign-peddling-rogue-software-downlo…
*** Defending Against CryptoLocker ***
---------------------------------------------
CryptoLocker infections were found across different regions, including North America, Europe Middle East and the Asia Pacific. Almost two-thirds of the affected victims - 64% - were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/defending-agains…
*** Analysis: Kaspersky Lab Report: Java under attack - the evolution of exploits in 2012-2013 ***
---------------------------------------------
One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user and, in some cases, without triggering an alert from security software.
---------------------------------------------
http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_u…
*** Microsoft sieht Rückgang der Virengefahr, aber steigende Infektionen ***
---------------------------------------------
In fast allen großen Ländern habe die Zahl der 'Begegnungen mit Schad-Software' deutlich abgenommen, konstatiert der aktuelle Microsoft Security Intelligence Report. Für Entwarnung ist es jedoch zu früh - denn die Zahl der Infektionen nimmt trotzdem zu.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-sieht-Rueckgang-der-Virengef…
*** Joomla! Media Manager allows arbitrary file upload and execution ***
---------------------------------------------
A vulnerability has been discovered in older versions of the Joomla! content management software that allow an authenticated attacker to upload active content through the media manager form ('administrator/components/com_media/helpers/media.php'). Joomla! allows files with a trailing '.' to pass the upload checks.
---------------------------------------------
http://www.kb.cert.org/vuls/id/639620
*** Apples Siri is helping users bypass iOS security ***
---------------------------------------------
Siri was designed to be an effective personal assistant, but since the release of iOS 7, the artificial intelligence is bringing the bad with the good.
---------------------------------------------
http://www.scmagazine.com/apples-siri-is-helping-users-bypass-ios-security/…
*** [remote] - Apache / PHP 5.x Remote Code Execution Exploit ***
---------------------------------------------
+++ Betrifft veraltete Versionen +++
Unaffected versions are patched by CVE-2012-1823.
---------------------------------------------
http://www.exploit-db.com/exploits/29290
*** Vuln: Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5599 Remote Memory Corruption Vulnerability ***
---------------------------------------------
+++ Betrifft veraltete Versionen +++
---------------------------------------------
http://www.securityfocus.com/bid/63423
*** ASUS RT-N13U Backdoor Account ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100206
*** Vuln: XAMPP for Windows Multiple Cross Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/53979
*** Citrix XenDesktop Upgrade Feature Bug Lets Remote Authenticated Users Bypass Policy Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029263
*** WordPress MoneyTheme Cross Site Scripting / Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100199
*** WordPress Curvo Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100197
*** Google Play Billing Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100203
*** sup Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100202
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 28-10-2013 18:00 − Dienstag 29-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Hintergrund: iOS-Virenscanner mit zweifelhaftem Nutzen ***
---------------------------------------------
Avira hat eine Virenschutz-App für iOS herausgegeben, die vor schadhaften Prozessen schützen soll. Welche das sind und wie diese erkannt werden, verrät das Unternehmen nicht.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Virenscanner-mit-zweifelhaftem-Nut…
*** Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities ***
---------------------------------------------
When ISC reader Yin reported earlier today that one of their servers had been hacked via the Apache Struts remote command execution vulnerability (CVE-2013-2251), at first this was flagged as "business as usual". Said vulnerability, after all, is known since July, and weve been seeing exploit attempts since early August (diary here).
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16913
*** ATM malware Ploutus updated with English-language version ***
---------------------------------------------
The Spanish-language ATM malware, which allowed attackers in Mexico to force ATMs to spit out cash, now has an updated English-language version.
---------------------------------------------
http://www.scmagazine.com//atm-malware-ploutus-updated-with-english-languag…
*** Adobe Breach Impacted At Least 38 Million Users ***
---------------------------------------------
The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the companys Photoshop family of graphical design products.
---------------------------------------------
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-millio…
*** Analysis: Spam in September 2013 ***
---------------------------------------------
In September, the proportion of world spam in mail traffic continued to decline and reached 66%. As always the spammers focused on advertising seasonal goods and services. For example, the number of offers related to energy saving and insulating buildings increased significantly.
---------------------------------------------
http://www.securelist.com/en/analysis/204792309/Spam_in_September_2013
*** Routerpwn ***
---------------------------------------------
Routerpwn is a web application that helps you in the exploitation of vulnerabilities in residential routers. It is a compilation of ready to run local and remote web exploits.
---------------------------------------------
http://www.routerpwn.com/
*** Windows XP ist und bleibt ein hochriskantes System ***
---------------------------------------------
Im aktuellen Security Intelligence Report (SIR) warnt Microsoft erneut vor Windows XP. Sicherheits-Chef Tim Rains verteidigt die Entscheidung, den Support einzustellen.
---------------------------------------------
http://futurezone.at/digital-life/windows-xp-ist-und-bleibt-ein-hochriskant…
*** Internet Safety - Tips for Parents ***
---------------------------------------------
Internet basics can be as straightforward as pushing buttons or clicking a mouse. Understanding how youth use the Internet, however, can be an overwhelming task, especially for adults who don't spend much time online.
---------------------------------------------
http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=87&languageId=1&content…
*** Cyber Security Assesment Netherlands ***
---------------------------------------------
Cybercrime and digital espionage remain the biggest threats to both governments and the business community. The threat of disruption of online services has increased. Clearly visible in the past year has been the rise of the criminal cyber services sector. Cyber-attack tools are made commercially available through `cybercrime as a service´.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assesment-ne…
*** Social media and digital identity. Prevention and incident response ***
---------------------------------------------
The hack of a social media account is a common incident that could have a serious impact of our digital identity. How to prevent it? What to do in case of hack?
---------------------------------------------
http://securityaffairs.co/wordpress/19143/cyber-crime/social-media-security…
*** Angebliches Fritzbox-Fax entpuppt sich als Trojaner ***
---------------------------------------------
Schadhafte E-Mails, die sich als Fax-Benachrichtigungen einer Fritzbox tarnen, verbreiten sich momentan rapide. In dem beigefügten Zip-Archiv befindet sich nicht etwa ein Fax, sondern ein Trojaner.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliches-Fritzbox-Fax-entpuppt-sich…
*** Facebook Android Flaws Enable Any App to Get User's Access Tokens ***
---------------------------------------------
A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user's Facebook access token and take over her account.
---------------------------------------------
http://threatpost.com/facebook-android-flaws-enable-any-app-to-get-users-ac…
*** [webapps] - Pirelli Discus DRG A125g - Password Disclosure Vulnerability. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29262
*** DSA-2786 icu ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2786
*** vBulletin 4.1.x / 5.x.x Administrative User Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100192
*** MobileIron 4.5.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100190
*** SAP Financial Services Statutory Reporting for Insurance (FS-SR) Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029256
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 25-10-2013 18:00 − Montag 28-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Email contains phishing scam, not iPhone 5S ***
---------------------------------------------
A new phishing email circulating the globe is preying on Apple fans who cant wait to get their hands on the coming iPhone 5S and iPhone 5c devices.
---------------------------------------------
http://www.scmagazine.com/email-contains-phishing-scam-not-iphone-5s/articl…
*** Blog: Cryptolocker Wants Your Money! ***
---------------------------------------------
A new ransomware Trojan is on the loose. The attackers give you roughly three days to pay them, otherwise your data is gone forever.
---------------------------------------------
http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money
*** Blog-Software Wordpress 3.7 aktualisiert sich selbst ***
---------------------------------------------
In der neuen Version 3.7 hält sich die Blog-Software Wordpress selbst aktuell: Sicherheitsupdates werden künftig im Hintergrund automatisch eingespielt, wenn die Konfiguration das zulässt. Weitere Neuerungen dienen ebenfalls vorrangig der Sicherheit.
---------------------------------------------
http://www.heise.de/security/meldung/Blog-Software-Wordpress-3-7-aktualisie…
*** Periodic Connections to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** Improving Hadoop Security with Host Intrusion Detection (Part 2) ***
---------------------------------------------
This is a continuation of our previous post on Hadoop security. As we mentioned in our earlier post, we can use OSSEC to monitor for the file integrity of these existing Hadoop and HBase systems. OSSEC creates logs which a system administrator can use to check for various system events. It´s worth noting that big data systems ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/improving-hadoop…
*** Active Perl/Shellbot Trojan ***
---------------------------------------------
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on Virustotal and the script contains a 'hostauth' of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at 89.248.172.144. What we have so far, it appears it is exploiting older version of Plesk.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16907&rss
*** LinkedIn kann Mails mitlesen ***
---------------------------------------------
Die kürzlich eingeführte Intro-Technik für iOS bringt dem Berufsnetzwerk Kritik ein: Sie sei ein Traum für Angreifer und Sicherheitsdienste. Die Firma verteidigt sich: Alles sei sicher und man respektiere die Privatsphäre der Nutzer.
---------------------------------------------
http://www.heise.de/security/meldung/LinkedIn-kann-Mails-mitlesen-2034490.h…
*** Einbruch bei Buffer ***
---------------------------------------------
Der Social-Media-Dienst wurde gestern gehackt. Laut Unternehmensblog sollen weder Passwörter noch Kreditkarteninformationen abhanden gekommen sein.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-bei-Buffer-2034519.html
*** Storewize: IBM warnt vor Sicherheitslücke in Storage-Systemen ***
---------------------------------------------
In den SAN-Controllern der Serie Storewize von IBM steckt eine Lücke, mit der ein Angreifer die Konfiguration ändern und auch Daten löschen kann. Abhilfe schafft ein Firmware-Update, das schon bereitsteht. (IBM, Netzwerk)
---------------------------------------------
http://www.golem.de/news/storewize-ibm-warnt-vor-sicherheitsluecke-in-stora…
*** End User Devices Security and Configuration Guidance ***
---------------------------------------------
UK Gov Configuration guidance for the following platforms:
End User Devices Security Guidance: Windows Phone 8
End User Devices Security Guidance: Android 4.2
End User Devices Security Guidance: Windows 7 and Windows 8
End User Devices Security Guidance: Ubuntu 12.04
End User Devices Security Guidance: Windows 8 RT
...
---------------------------------------------
https://www.gov.uk/government/collections/end-user-devices-security-guidanc…
*** Bypassing security scanners by changing the system language ***
---------------------------------------------
Luiz Eduardo and Joaquim Espinhara´s found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system. So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesnt use English by default, the scanners wont be able to
---------------------------------------------
http://www.net-security.org/secworld.php?id=15832
*** Cisco Identity Services Engine contains an input validation vulnerability ***
---------------------------------------------
Vulnerability Note VU#952422 Cisco Identity Services Engine contains an input validation vulnerability Original Release date: 28 Oct 2013 | Last revised: 28 Oct 2013 Overview Cisco Identity Services Engine contains an input validation vulnerability (CWE-20). Description CWE-20: Improper Input ValidationCisco Identity Services Engine (ISE) contains an input validation vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/952422
*** I challenged hackers to investigate me and what they found out is chilling ***
---------------------------------------------
It´s my first class of the semester at New York University. I´m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message.
---------------------------------------------
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and…
*** Spam-Versender. Schauen Sie doch mal bitte in Ihren Junk-Ordner ***
---------------------------------------------
Werbefilter funktionieren inzwischen ziemlich zuverlässig. Das wissen auch die Spam-Versender. Deshalb schicken sie noch eine zweite Nachricht hinterher.
---------------------------------------------
http://www.heise.de/security/meldung/Spam-Versender-Schauen-Sie-doch-mal-bi…
*** Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug ***
---------------------------------------------
It´s been known for some time now several months, in fact that there is a critical, remotely exploitable vulnerability in some of Netgear´s ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that ...
---------------------------------------------
http://threatpost.com/scan-shows-65-of-readynas-boxes-on-web-vulnerable-to-…
*** Vuln: Cisco Catalyst 3750 Series Switches Default Credentials Security Bypass Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63342
*** Bugtraq: Multiple CSRF Horde Groupware Web mail Edition 5.1.2 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529466
*** Bugtraq: DD-WRT v24-sp2 Command Injection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529463
*** Apache Struts2 showcase multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100185
*** DSA-2787 roundcube ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2787
*** Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29023
*** GnuPG Side-Channel Attack Lets Local Users Recover RSA Secret Keys ***
---------------------------------------------
http://www.securitytracker.com/id/1029242
*** DSA-2785 chromium-browser ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2785
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 24-10-2013 18:00 − Freitag 25-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Periodic Links to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** DDoS mitigation firm notes dramatic increase in reflection attack style ***
---------------------------------------------
Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found.
---------------------------------------------
http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-r…
*** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say ***
---------------------------------------------
LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.
---------------------------------------------
http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-at…
*** Evasive Tactics: Terminator RAT ***
---------------------------------------------
FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tact…
*** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot ***
---------------------------------------------
Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have...
---------------------------------------------
http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercia…
*** OSX/Leverage.a Analysis ***
---------------------------------------------
A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
*** PHP.net zur Verbreitung von Malware missbraucht ***
---------------------------------------------
Entgegen früherer Aussagen der Administratoren wurde die Projektseite von PHP doch Opfer eines Hackerangriffs. Zwei Server wurden gekapert und zur Verteilung von Schadcode eingesetzt.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-mi…
*** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability ***
---------------------------------------------
RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/62238/http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01
*** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61725
*** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62200
*** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62016
*** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029237
*** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029241
*** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63326
*** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63288
*** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) ***
---------------------------------------------
CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 23-10-2013 18:00 − Donnerstag 24-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Neutrino: Caught in the Act ***
---------------------------------------------
Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code: The deobfuscated code shows the location from where the...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002626.html
*** Neue und alte Router-Lücken bei Netgear, Tenda und DrayTek ***
---------------------------------------------
Sicherheitsexperten haben eine Hintertür in Routern der WNDR-Reihe von Netgear gefunden, die ohne Passwort-Abfrage vollen Zugrif auf das Gerät erlaubt. Bei Modellen der Firmen Tenda und DrayTek kann man Schadcode ausführen, ohne sich einloggen zu müssen.
---------------------------------------------
http://www.heise.de/security/meldung/Neue-und-alte-Router-Luecken-bei-Netge…
*** Industrial software flaw could allow manipulation of energy processes ***
---------------------------------------------
The vulnerability lies in industrial automation software that uses a weak encryption algorithm for user authentication, researchers at IOActive found.
---------------------------------------------
http://www.scmagazine.com/industrial-software-flaw-could-allow-manipulation…
*** Bugtraq: ESA-2013-067: RSA® Authentication Agent for Web for Internet Information Services (IIS) Security Controls Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529394
*** Bugtraq: RPS/APS vulnerability in snom/yealink and others ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529397
*** Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) ***
---------------------------------------------
Security Bulletin: IBM Flex System Manger expired USERID password vulnerability (CVE-2013-5424) Affected product(s) and affected version(s): IBM Flex System Manager Node, Types 7955, 8731, 8734 all models, Version 1.3.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Cisco IOS XR Software Route Processor Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Identity Services Engine ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Secure ACS Distributed Deployment Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Multiple Cisco Appliances CVE-2013-5537 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63280
*** Vuln: Joomla! Maian15 Component name Parameter Arbitrary Shell Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63287
*** Vuln: Drupal Spaces Module Access Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63305
*** WordPress Blue Wrench Video Widget Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55456
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 21-10-2013 18:00 − Dienstag 22-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake Dropbox Password Reset Spam Leads to Malware ***
---------------------------------------------
A new spam campaign has been circulating over the last few weeks in hopes of duping users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page.
---------------------------------------------
http://threatpost.com/fake-dropbox-password-reset-spam-leads-to-malware/102…
*** New DIY compromised hosts/proxies syndicating tool spotted in the wild ***
---------------------------------------------
Compromised, hacked hosts and PCs are a commodity in underground markets today. More cybercriminals are populating the market segment with services tailored to fellow cybercriminals looking for access to freshly compromised PCs to be later abused in a variety of fraudulent/malicious ways, all the while taking advantage of their clean IP reputation. Naturally, once the commoditization took place, cybercriminals quickly realized that the supply of such hosts also shaped several different market...
---------------------------------------------
http://www.webroot.com/blog/2013/10/21/new-diy-compromised-hostsproxies-syn…
*** Cryptolocker Update, Request for Info, (Tue, Oct 22nd) ***
---------------------------------------------
It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong. In essence, post infection is encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC). It is one f the few pieces of ransomware that does encryption right so at present, short of paying the ransom, there is no other means to decrypt. Bleeping Computer has a good write up, but below are the TL;DR highlights.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16871&rss
*** Touch ID: Biometrics Dont Make For Good Passwords ***
---------------------------------------------
Theres an Apple event scheduled for tomorrow which will showcase this years iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apples Touch ID, its fingerprint identity sensor.And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers.That being the case, we strongly recommend the following by @dustinkirkland: • Fingerprints are Usernames, not PasswordsWe welcome intelligent use of
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002624.html
*** Defending Against Crypto Backdoors ***
---------------------------------------------
We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/defending_again_1.html
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.2.
---------------------------------------------
http://support.citrix.com/article/CTX139295
*** Vuln: 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/46936
*** WordPress Portable phpMyAdmin Plugin Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55270
*** WatchGuard Extensible Threat Management and System Manager Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55388
*** Vuln: D-Link DIR-605L CAPTCHA Data Stack Based Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/56330
*** Bugtraq: [CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529364
*** Cisco ASA VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: IBM SONAS fix available for Cross Frame Scripting vulnerability via Graphical User Interface (CVE-2013-5376) ***
---------------------------------------------
An issue in IBM SONAS allows remote attackers to access the system as an authorized administrative user.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM SONAS Fix Available for SONAS Cross Protocol Vulnerability (CVE-2013-0500) ***
---------------------------------------------
IBM SONAS includes a flaw in the handling of special files created by an NFS client resulting in a vulnerability reported against IBM SONAS. ---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: XML4J denial of service attack (CVE-2013-5372) ***
---------------------------------------------
XML4J is vulnerable to a denial of service attack triggered by a specially crafted XML document
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21653087
*** IBM Domino / iNotes Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55405https://secunia.com/advisories/55409
*** IBM WebSphere DataPower XC10 Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55402
*** F5 BIG-IP Traffic Management Microkernel Component Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029220
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 18-10-2013 18:00 − Montag 21-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Card Data Siphon with Google Analytics ***
---------------------------------------------
The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each year, Trustwave SpiderLabs investigates hundreds of incidents of data compromise. I work on some of these investigations and occasionally get to evaluate some rather unusual attack vectors. This blog post details a novel data extraction technique using...
---------------------------------------------
http://blog.spiderlabs.com/2013/10/card-data-siphon-with-google-analytics.h…
*** New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do", (Mon, Oct 21st) ***
---------------------------------------------
Recently, two papers independently outlined new attacks against DNS, undermining some of the security features protecting us from DNS spoofing. As Dan Kaminsky showed [1], 16 bit query IDs are an insufficient protection against DNS spoofing. As a result, DNS servers started to randomize the source port of DNS queries in order to make DNS spoofing harder. This was never meant to "fix" DNS spoofing, but worked well enough for DNSSEC to be pushed back yet again. Overall, to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16859&rss
*** Darkleech in Europe, Middle East and Africa ***
---------------------------------------------
In a previous blog post, we discussed how Darkleech-related malware wound up on a FireEye partner’s website. We followed up with a post detailing a major wave of Darkleech activity linked to a major global malvertising campaign. In this post,...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/10/darkleech-in-europe-middle-ea…
*** Threatpost News Wrap, October 18, 2013 ***
---------------------------------------------
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-october-18-2013/102624
*** Bugtraq: OWASP Vulnerable Web Applications Directory Project ***
---------------------------------------------
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a
comprehensive and well maintained registry of all known vulnerable web
applications currently available. These vulnerable web applications
can be used by web developers, security auditors and penetration
testers to put in practice their knowledge and skills during training...
---------------------------------------------
http://www.securityfocus.com/archive/1/529293
*** DNP3 Implementation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the implementation.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01
*** Yet Another WHMCS SQL Injection Exploit, (Sat, Oct 19th) ***
---------------------------------------------
WHMCS, a popular billing/support/customer management system, is still suffering from critical SQL injection issues. Today, yet another vulnerability, including exploit was released...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16853&rss
*** Vuln: WordPress Quick Paypal Payments Plugin Multiple HTML Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63213
*** Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100127
*** Wordpress spreadsheet Plugin Cross site scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100130
*** Cisco Unified Computing System Bugs Let Remote Users Conduct Man-in-the-Middle Attacks and Obtain Information and Let Local Users View Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029209
*** Vuln: OpenLDAP rwm_conn_destroy Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63190
*** IBM WebSphere Partner Gateway Java Spoofing and Denial of Service Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55406
*** Vulnerability Note VU#303900 - SAP Sybase Adaptive Server Enterprise vulnerable to XML injection ***
---------------------------------------------
SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).
---------------------------------------------
http://www.kb.cert.org/vuls/id/303900
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 17-10-2013 18:00 − Freitag 18-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** You´re infected - if you want to see your data again, pay us $300 in Bitcoins ***
---------------------------------------------
Ransomware comes of age with unbreakable crypto, anonymous payments.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/VLDxuwIP36Q/story01…
*** DNS-Experten diskutieren Risiken neuer Angriffsszenarien ***
---------------------------------------------
Forscher beschreiben Angriffsszenarien auf das Domain Name System, bei dem die Fragmentierung von IP-Paketen ausgenutzt wird.
---------------------------------------------
http://www.heise.de/security/meldung/DNS-Experten-diskutieren-Risiken-neuer…
*** Kankan - eine chinesische Trojaner-Geschichte ***
---------------------------------------------
Die Analysten von Eset haben eine mysteriöse Geschichte über einen Trojaner zusammengetragen, der vor allem in China Verbreitung fand. Die Bestandteile: infizierte PCs und Smartphones, ein reumütiger Software-Hersteller und mehrere offene Rätsel.
---------------------------------------------
http://www.heise.de/security/meldung/Kankan-eine-chinesische-Trojaner-Gesch…
*** Got a mobile phone? Then youve got a Trojan problem too ***
---------------------------------------------
This time it´s personal Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don´t want to let in.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/
*** VMware Release Multiple Security Updates ***
---------------------------------------------
VMware released the following security updates. The first one is VMSA-2013-0012 which address multiple vulnerabilities in vCenter Server, vSphere Update Manager, ESXi and ESX. The second is VMSA-2013-0006.1 which address multiple vulnerabilities in vCenter Server Appliances and vCenter Server running on Windows. The last is VMSA-2013-0009.1 which address multiple vulnerabilities in vCenter Server, ESX and ESXi that updates third party libraries.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16847&rss
*** Fiendish CryptoLocker ransomware: Whatever you do, dont PAY ***
---------------------------------------------
Create remote backups before infection, advise infosec bods Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/
*** Sybase Adaptive Server Enterprise XML injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88105
*** cPanel CloudFlare Plugin Unspecified Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55273
*** osCommerce Flaws Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks to Create New Admin Accounts ***
---------------------------------------------
http://www.securitytracker.com/id/1029189
*** Level One Enterprise Access Points Password Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100123
*** Bugtraq: CSRF vulnerability in LinkedIn ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529270
*** Summary for October 2013 - Version: 1.1 ***
---------------------------------------------
http://technet.microsoft.com/en-za/security/bulletin/ms13-oct
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 16-10-2013 18:00 − Donnerstag 17-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Bug Hunters Find 25 ICS, SCADA Vulnerabilities ***
---------------------------------------------
A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.
---------------------------------------------
http://threatpost.com/bug-hunters-find-25-ics-scada-vulnerabilities/102599
*** Researchers uncover holes that open power stations to hacking ***
---------------------------------------------
Hacks could cause power outages and dont need physical access to substations.
---------------------------------------------
http://arstechnica.com/security/2013/10/researchers-uncover-holes-that-open…
*** Raising awareness quickly: A look at basic password hygiene ***
---------------------------------------------
Rapid7s tips for strengthing your first line of defense
---------------------------------------------
http://www.csoonline.com/article/741540/raising-awareness-quickly-a-look-at…
*** Mass iFrame injection campaign leads to Adobe Flash exploits ***
---------------------------------------------
We´ve intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for a successful client-side exploits to take place. Let´s dissect the campaign, expose the malicious domains portfolio/infrastructure it relies on, as well as directly connect it with historical malicious activity, in this particular case, a social engineering campaign pushing fake browser updates.
---------------------------------------------
http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads…
*** Top 20 Free Digital Forensic Investigation Tools for SysAdmins ***
---------------------------------------------
Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it´s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics.
---------------------------------------------
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-fo…
*** Hintergrund: Standardpasswörter kein Sicherheitsrisiko? ***
---------------------------------------------
Das ICS-CERT, zuständig für kritische Infrastruktur wie Staudämme und Atomkraftwerke, sagt Standardpasswörter stellen kein Sicherheitsrisiko dar solange sie gut dokumentiert und änderbar sind. Ist das wirklich so?
---------------------------------------------
http://www.heise.de/security/artikel/Standardpasswoerter-kein-Sicherheitsri…
*** Apple iMessage Open to Man in the Middle, Spoofing Attacks ***
---------------------------------------------
The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users´ text messages or decrypt them and hand them over at the order of a government agency.
---------------------------------------------
http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-att…
*** IBM Storwize V7000 Unified Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55247
*** Bugtraq: PayPal Inc Bug Bounty #61 - Persistent Mail Encoding Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529250
*** Puppet Enterprise Dashboard Report YAML Handling Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55362
*** Drupal Context Mulitple Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100111
*** Drupal Simplenews Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100112
*** Vuln: Cisco Identity Services Engine CVE-2013-5539 Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63031
*** Bugtraq: Security Advisory for Bugzilla 4.4.1, 4.2.7 and 4.0.11 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529262
*** Panda Security for Business Pagent.exe code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88091
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 15-10-2013 18:00 − Mittwoch 16-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ORACLE Critical Patch Update - October 2013 ***
---------------------------------------------
Critical Patch Update - October 2013
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
** Follow-up **
*** Critical Java Update Plugs 51 Security Holes ***
---------------------------------------------
Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software.
---------------------------------------------
http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
*** Android-Verschlüsselung wurde verschlimbessert ***
---------------------------------------------
Android bevorzugt offenbar seit einigen Jahren für Internet-Verbindungen Verschlüsselungsverfahren, die eigentlich als geknackt gelten. Die Motivation dahinter ist unklar.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Verschluesselung-wurde-verschl…
*** Google Fixes Three High-Risk Flaws in Chrome ***
---------------------------------------------
There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday. The vulnerabilities all are use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them.
---------------------------------------------
http://threatpost.com/google-fixes-three-high-risk-flaws-in-chrome/102586
*** Registrar in Metasploit DNS Hijacking Not Duped by Fax ***
---------------------------------------------
Rapid7 said today that an employee at its registrar, Register.com, was duped out of their credentials leading to a DNS hijacking attack against the Rapid7 and Metasploit websites.
---------------------------------------------
http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by-fa…
*** How Vulnerable Are Your Phishing Targets? ***
---------------------------------------------
How Vulnerable Are Your Phishing Targets?
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/16/how-vulne…
*** ASLR Bypass Apocalypse in Lately Zero-Day Exploits ***
---------------------------------------------
ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in the modern operation system. However, there were many innovative ASLR bypass techniques used in recent APT attacks.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-ap…
*** Vulnerabilities Discovered in Global Vessel Tracking Systems ***
---------------------------------------------
Text by Marco Balduzzi and Kyle Wilhoit Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel. Figure 1.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-…
*** Blog: Under Pressure ***
---------------------------------------------
Any online project - be it a long-lost blog, or a new start-up's web app - has a very important performance feature called a "maximum load". This indicator makes itself known when a web app either partially or fully fails to perform its assigned functions to process user requests.
---------------------------------------------
http://www.securelist.com/en/blog/8136/Under_Pressure
*** Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild ***
---------------------------------------------
The never-ending supply of access to compromised/hacked PCs - the direct result of the general availability of DIY/cracked/leaked malware/botnet generating tools - continues to grow in terms of the number and variety of such type of underground market propositions.
---------------------------------------------
http://www.webroot.com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop…
*** Honeydroid: Android-Handy wird zur Hackerfalle ***
---------------------------------------------
Experten der Deutschen Telekom machen aus Android-Smartphones mobile Honeypots. So haben sie in drei Monaten über 10.000 Angriffe auf ein einzelnes Gerät im Mobilnetz protokollieren können.
---------------------------------------------
http://www.heise.de/security/meldung/Honeydroid-Android-Handy-wird-zur-Hack…
*** Convincing "Urgent Windows Error Fix" phishing email doing rounds ***
---------------------------------------------
A pretty convincing email phishing campaign is targeting one of the largest user bases out there - those who use Microsofts Windows OS - by taking advantage of the recent problems that the company has been having with updates.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15779
*** HP Service Manager Bugs Permit Cross-Site Scripting, Information Disclosure, and Code Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029180
*** UbiDisk File Manager v2.0 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/28977
*** Apple iOS 7.0.2 SIM Lock Screen Display Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100103
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 14-10-2013 18:00 − Dienstag 15-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Fingerprinting Ubuntu OS Versions using OpenSSH ***
---------------------------------------------
Over the past couples weeks, I’ve been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine. Having the capability to detect a target’s operating system can be very useful. Whether you’re performing a simple asset identification scan or doing an in depth review, this information helps you make more informed decisions. In this blog post, I’ll be talking about a technique that that you can use to fingerprint a server operating system
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/e7s2jWmx7bU/fingerprin…
*** October 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page. We invite our customers to join us for the next public webcast on Wednesday,
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/10/14/october-2013-security-bu…
*** Vuln: osCommerce products_id Parameter HTML Injection Vulnerability ***
---------------------------------------------
osCommerce is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Hostile HTML and script code may be injected into vulnerable sections of the application. When an unsuspecting user visits the affected site and views the affected section, the attacker-supplied code is rendered in the user's browser in the context of that site.
osCommerce 2.3.3 is vulnerable. Other versions may also be affected.
---------------------------------------------
http://www.securityfocus.com/bid/62997
*** Insecurities in the Linux /dev/random ***
---------------------------------------------
New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/insecurities_in.html
*** Thousands of Sites Hacked Via vBulletin Hole ***
---------------------------------------------
Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Mc94cSf4_Mc/
*** Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code
---------------------------------------------
http://www.securitytracker.com/id/1029175
*** Sensoren verraten Identität des Smartphones ***
---------------------------------------------
Die Messwerte eines Smartphones können den Benutzer wie ein digitaler Fingerabdruck verraten. Das haben Forscher der US-Universität Stanford nachgewiesen.
---------------------------------------------
http://futurezone.at/digital-life/sensoren-verraten-identitaet-des-smartpho…
*** Steam-Client verhilft Angreifern zu Systemrechten ***
---------------------------------------------
Die Windows-Version der Spieleplattform Steam enthält eine Schwachstelle, die es einem Angreifer ermöglicht, Schadcode mit Systemrechten auszuführen. Valve schweigt zu der Lücke.
---------------------------------------------
http://www.heise.de/security/meldung/Steam-Client-verhilft-Angreifern-zu-Sy…
*** We scanned the Internet for port 22 ***
---------------------------------------------
We scanned the entire Internet for port 22 - the port reserved for SSH, the protocol used by sysadmins to remotely log into machines. Unlike our normal scans of port 80 or 443, this generated a lot more abuse complaints, so I thought Id explain the scan.
---------------------------------------------
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
*** Blog: Pharmaceutical ‘phishing’ ***
---------------------------------------------
Adverts for medication to improve male sex drive are a staple of spam mailings. Like any other unsolicited messages, emails of this nature have evolved with time and today’s versions no longer merely contain promises of enahnced potency and a link to a site selling pills. In August and September we noted a series of mailings that used the names of well-known companies, that looked just like typical phishing messages. However, instead of a phishing site the links they contained led to an advert for “male medication”.
---------------------------------------------
http://www.securelist.com/en/blog/8135/Pharmaceutical_phishing
*** Cisco Video Surveillance 4000 Series IP Camera Analytics Page Hardcoded Credentials Security Issue ***
---------------------------------------------
A security issue has been reported in Cisco Video Surveillance 4000 Series IP Camera, which can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to the device allowing access to the analytics page using hardcoded credentials, which can be exploited to gain access to an otherwise restricted video feed.
The security issue is reported in versions 2.4(0.1) and 3.1(0.52).
---------------------------------------------
https://secunia.com/advisories/55283
*** [2013-10-15] Multiple critical vulnerabilities in SpamTitan ***
---------------------------------------------
SpamTitan suffers from multiple critical vulnerabilities. Unauthenticated attackers are able to completely compromise the system and extract or manipulate database contents.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** WordPress security threats, protection tips and tricks ***
---------------------------------------------
To start off with, there are some things that you can do just once to improve the security of your WordPress blog or website, but you still have to always follow a number of rules while using WordPress. By following such rules you will be safe from most of the automated targeted WordPress attacks which typically spread like wild fires ...
---------------------------------------------
http://www.net-security.org/article.php?id=1895
*** D-link to Padlock Router Backdoor By Halloween ***
---------------------------------------------
D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.
---------------------------------------------
http://www.cio.com/article/741414/D_link_to_Padlock_Router_Backdoor_By_Hall…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 11-10-2013 18:00 − Montag 14-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** 2013-10 Security Bulletin: Junos: GNU libc glob(3) GLOB_LIMIT Remote Denial of Service Vulnerability (CVE-2010-2632) ***
---------------------------------------------
The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack.
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10598
*** Top sites (and maybe the NSA) track users with 'device fingerprinting' ***
---------------------------------------------
May make it easier to follow privacy-minded users on the darknet.
---------------------------------------------
http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-u…
*** Threat Refinement Ensues with Crypto Locker, SHOTODOR Backdoor ***
---------------------------------------------
In our 2013 Security Predictions, we anticipated that cybercriminals would focus on refining existing tools, instead of creating new threats. Two threats that both represent refinements of previously known threats show this effectively.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/threat-refinemen…
*** Critical Patch Update - October 2013 - Pre-Release Announcement ***
---------------------------------------------
Critical Patch Update - October 2013 - Pre-Release Announcement
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
*** Blackhole, Supreme No More ***
---------------------------------------------
Blackhole exploit kit has always been a favorite example when discussing the impact of kits to internet users. Weve previously mentioned in our posts how fast it was in supporting new vulnerabilities, how it was related to Cool, and that it was the leading kit in our telemetry data. Blackhole and Cool almost always had special mentions in our Threat Reports.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002622.html
*** Debian Security Advisory DSA-2776 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2776
*** Debian Security Advisory DSA-2777 systemd ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2777
*** Stabiles Debian 7.2 behebt Fehler und löst Sicherheitsprobleme ***
---------------------------------------------
Das Debian-Projekt aktualisiert die Linux-Distribution Debian 7 (Wheezy) auf Version 7.2 und behebt dabei eine lange Liste von Fehlern und schließt Sicherheitslöcher.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Stabiles-Debian-7-2-behebt-Fehler-un…
*** Google Chrome speichert Kreditkarten-Daten als Klartext ***
---------------------------------------------
Der Google-Browser Chrome ist einmal mehr unter Beschuss von Sicherheitsexperten. Diese kritisieren, dass Chrome sensible Daten als Klartext auf der Festplatte speichert.
---------------------------------------------
http://futurezone.at/produkte/google-chrome-speichert-kreditkarten-daten-al…
*** Security Bulletin: WebSphere eXtreme Scale Monitoring Console Web Vulnerabilities (CVE-2013-5390, CVE-2013-5393, CVE-2013-5394) ***
---------------------------------------------
Three web security vulnerabilities were identified in the WebSphere eXtreme Scale monitoring console, those being a cross site scripting vulnerability, a log-off processing weakness, and vulnerability to a phishing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_web…
*** Back door found in D-Link routers ***
---------------------------------------------
D-secret is D-logon string allowing access to everything A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units admin interfaces.
---------------------------------------------
http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/
*** Spamvertised T-Mobile 'Picture ID Type:MMS' themed emails lead to malware ***
---------------------------------------------
The cybercriminals behind last week's profiled fake T-Mobile themed email campaign have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message.
---------------------------------------------
http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typ…
*** Captain, Where Is Your Ship Compromising Vessel Tracking Systems ***
---------------------------------------------
In recent years, automated identification systems (AIS) have been introduced to enhance ship tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS is currently mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tons. It works by acquiring GPS coordinates and exchanging vessel's position, course and ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/captain-where-is…
*** WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability
---------------------------------------------
https://secunia.com/advisories/55265
*** End User Devices Security Guidance: Windows 7 and Windows 8 ***
---------------------------------------------
This guidance is applicable to devices running Enterprise versions of Windows 7 and Windows 8, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features.
---------------------------------------------
https://www.gov.uk/government/publications/end-user-devices-security-guidan…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 10-10-2013 18:00 − Freitag 11-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** WhatsApp Crypto Error Exposes Messages ***
---------------------------------------------
WhatsApp, a popular mobile message application, suffers from crypto implementation vulnerability that leaves messages exposed. Thijs Alkemade, a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, disclosed a serious issue this week with the encryption used to secure WhatsApp messages, namely that the same...
---------------------------------------------
http://threatpost.com/whatsapp-crypto-error-exposes-messages/102565
*** Some Bing Ads Redirecting To Malware ***
---------------------------------------------
An anonymous reader writes "Security firm ThreatTrack Security Labs today spotted that certain Bing ads are linking to sites that infect users with malware. Those who click are redirected to a dynamic DNS service subdomain which in turns serves the Sirefef malware from 109(dot)236(dot)81(dot)176. ThreatTrack notes that the scammers could of course be targeting other keywords aside from YouTube. The more popular the keywords, the bigger the potential for infection." Read more of
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/7RRrvRPB5JM/story01.htm
*** Top 15 Indicators Of Compromise ***
---------------------------------------------
In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise…
*** Vuln: libtar th_read() Function Multiple Heap Buffer Overflow Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/62922
*** libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities ***
---------------------------------------------
libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/55138
*** Bugtraq: [security bulletin] HPSBMU02901 rev.1 - HP Business Process Monitor running on Windows, Remote Execution of Arbitrary Code and Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529117
*** Juniper Junos TCP Packet Handling Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55218
*** Juniper Junos Telnet Messages Handling Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55109
*** Hitachi JP1/VERITAS Backup Exec Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55261
*** Cisco Unified IP Phones 9900 Series webapp Interface Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55275
*** Dropbear SSH Server User Enumeration Weakness and Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55173
*** Network Security Services (NSS) Uninitialized Memory Read Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55050
*** InduSoft Thin Client ActiveX control buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87788
*** Security Bulletin: IBM InfoSphere Information Server Data Quality Console and Information Analyzer are vulnerable to cross-site request forgery attacks (CVE-2013-4056) ***
---------------------------------------------
A cross-site request forgery vulnerability exists in IBM InfoSphere Information Server Data Quality Console and Information Analyzer which can allow an attacker to trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require the user being tricked to either be previously authenticated or to authenticate as part of the attack.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21652413
*** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: Multiple security vulnerabilities in IBM JREs 5 & 7 ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Message Broker for IBM JRE 5.0 SR16-FP3 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR5 (and earlier).
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_websphere_message…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 09-10-2013 18:00 − Donnerstag 10-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BlackBerry Fixes Remote Code Vulnerability in BES10 ***
---------------------------------------------
Blackberry added to Patch Tuesdays patches with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability.
---------------------------------------------
http://threatpost.com/blackberry-fixes-remote-code-vulnerability-in-bes10/1…
*** Unexpected IE Zero Day Used in Banking, Gaming Attacks ***
---------------------------------------------
Microsoft released a patch for a second zero-day vulnerability in Internet Explorer yesterday, one that caught administrators off-guard.
---------------------------------------------
http://threatpost.com/unexpected-ie-zero-day-used-in-banking-gaming-attacks…
*** vBulletin vuln opens backdoor to rogue accounts ***
---------------------------------------------
The workaround is easy, though The widespread vBulletin CMS has a vulnerability that allows remote attackers to create new administrative accounts.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/vbulletin_v…
*** Invensys Wonderware InTouch Improper Input Validation Vulnerability ***
---------------------------------------------
OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on October 03, 2013, and is now being released to the NCCIC/ICS-CERT-Web page. This advisory provides mitigation details for a vulnerability that impacts the Invensys Wonderware InTouch application.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01
*** Quassel IRC SQL injection ***
---------------------------------------------
Topic: Quassel IRC SQL injection Risk: Medium Text: Please assign a CVE to the following issue: Quassel IRC is vulnerable to SQL injection on all current versions (0.9.0 being...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100064
*** McAfee Web Reporter Servlet Access Control Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029154
*** MyBB Session Hijacking and Security Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54994
*** OXID eShop "searchrecomm" Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55193
*** Security Bulletin: Multiple IBM Eclipse Help System (IEHS) vulnerabilities used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467) ***
---------------------------------------------
IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed ships with IBM Eclipse Help System (IEHS). The IBM Eclipse Help System (IEHS) is vulnerable to: a XSS attacks, reading source code via a crafted URL and reading the debug information associated with the 500 HTTP status...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21651947
*** Multiple Vulnerabilities in Cisco ASA Software ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Firewall Services Module Software ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** HP Intelligent Management Center Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Information ***
---------------------------------------------
http://www.securitytracker.com/id/1029164
*** HP Intelligent Management Center Multiple Flaws Lets Remote Users Bypass Authentication, Gain Unauthorized Acess, Inject SQL Commands, and Obtain Information ***
---------------------------------------------
http://www.securitytracker.com/id/1029165
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 08-10-2013 18:00 − Mittwoch 09-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** WhatsApp-Verschlüsselung ruft Zweifel hervor ***
---------------------------------------------
Dem Chefentwickler des IM-Clients Adium zufolge müssen WhatsApp-Nutzer alle bisher versandten Nachrichten als entschlüsselbar betrachten.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-Verschluesselung-ruft-Zweifel…
*** The October 2013 security updates ***
---------------------------------------------
This month we release eight bulletins - four Critical and four Important - which address 26 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083. Our Bulletin Deployment Priority graph provides an overview of this month's priority releases...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/10/08/the-october-2013-securit…
*** Other Patch Tuesday Updates (Adobe, Apple), (Wed, Oct 9th) ***
---------------------------------------------
Adobe released two bulletins today: APSB13-24: Security update for RoboHelp http://www.adobe.com/support/security/bulletins/apsb13-24.html I dont remember seeing a pre-anouncement for this one. The update fixes an arbitrary code execution vulnerability (CVE-2013-5327) . Robohelp is only available for Window. APSB13-25: Security update for Adobe Acrobat and Adobe Reader http://www.adobe.com/support/security/bulletins/apsb13-25.html This update fixes a problem that was introduced in a recent
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16763&rss
*** September 2013 Virus Activity Overview ***
---------------------------------------------
October 1, 2013 The first autumn month in 2013 was marked by a number of important events that could have a profound impact on IT security in the future. In particular, in early September a dangerous backdoor that can execute commands from a remote server was discovered, and a bit later Doctor Webs analysts identified the largest known botnet comprised of more than 200,000 infected devices running Android. Overall, numerous malignant programs for this platform were found in September. Viruses
---------------------------------------------
http://news.drweb.com/show/?i=3962&lng=en&c=9
*** ENISA - Can we learn from SCADA security incidents - White Paper ***
---------------------------------------------
Security experts across the world continue to sound the alarm bells about the security of Industrial Control Systems (ICS). Industrial Control Systems look more and more like consumer PCs. They are used everywhere and involve a considerable amount of software, often outdated and unpatched. Recent security incidents in the context of SCADA and Industrial Control Systems emphasise greatly the importance of good governance and control of SCADA infrastructures.
---------------------------------------------
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrast…
*** Staying Stealthy: Passive Network Discovery with Metasploit ***
---------------------------------------------
One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/09/passive-n…
*** Twitter Malware ***
---------------------------------------------
NCC Group has observed a sharp rise in threats using Twitter direct messages (often abbreviated to DMs) as a method of delivery over the last few months. These threats originate from compromised Twitter accounts. These accounts, once compromised, send direct messages to their followers. If received by email,...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/10/twitter-malware/
*** Alstom e-Terracontrol DNP3 Master Improper Input Validation ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in the Alstom e-terracontrol software. Alstom has produced a patch that mitigates this vulnerability. Adam Crain and Chris Sistrunk have tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-282-01
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 07-10-2013 18:00 − Dienstag 08-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Rockwell Automation FactoryTalk and RSLinx Multiple Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-095-02 Rockwell Automation FactoryTalk and RSLinx Multiple Vulnerabilities that was published April 5, 2013, on the ICS-CERT Web page.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-095-02A
*** Quarian Group Targets Victims With Spearphishing Attacks ***
---------------------------------------------
The current generation of targeted attacks are getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users. We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world including the United States. [...]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/quarian-group-targets-victims-with-spea…
*** xinetd security update ***
---------------------------------------------
It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user. (CVE-2013-4342)
---------------------------------------------
https://rhn.redhat.com/errata/RHSA-2013-1409.html
*** Hackerangriff auf WhatsApp ***
---------------------------------------------
Einer politische motivieren Hackergruppe ist es offenbar gelungen, die Kontrolle über die WhatsApp-Domain zu übernehmen.
---------------------------------------------
http://www.heise.de/security/meldung/Hackerangriff-auf-WhatsApp-1974342.html
*** ecoTrialog #9: Blackout ***
---------------------------------------------
NEA und USV sind im Datacenter seit vielen Jahren ein gängiger Begleiter – Welche Entwicklungen, Trends und Visionen zeigen uns die Lösungsanbieter? – Welche möglichen Fehler sind bei einer Planung zu vermeiden? Das ist das zentrale Thema des neunten ecoTrialogs in Ahrensburg bei Hamburg.
---------------------------------------------
http://datacenter.eco.de/2013/07/26/ecotrialog-10-blackout/
*** Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions ***
---------------------------------------------
FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vul…
*** Introducing Kvasir ***
---------------------------------------------
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. ... We think this isn’t good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testin
---------------------------------------------
http://blogs.cisco.com/security/introducing-kvasir/
*** CSAM - RFI with a small twist ***
---------------------------------------------
Logs are under appreciated. We all collect them, but in a majority of organisations you will find that they are only ever looked at once something has gone wrong. Which is unfortunately usually when people discover that either they didnt collect "that" log or timestamps are out of whack, log files rolled over, etc. Which is unfortunate because log files can tell you quite a bit of information as we are hoping to show throughout October as part of the Cyber Security Awareness Month.
---------------------------------------------
https://isc.sans.edu/diary/CSAM+-+RFI+with+a+small+twist/16748
*** Mehrere Verwundbarketen in Cisco Identity Services Engine ***
---------------------------------------------
Blind SQL Injection:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
Sponsor Portal cross-frame scripting:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
Parameter cross-site scripting:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
---------------------------------------------
http://tools.cisco.com/security/center/publicationListing.x#~CiscoSecurityN…
*** Cisco IOS Software DHCP Server remember Functionality Vulnerability ***
---------------------------------------------
An issue in the DHCP server code of Cisco IOS Software could allow an unauthenticated, adjacent attacker to cause the device to reload. The issue is due to the remember functionality of the DHCP server. An attacker could exploit this issue by obtaining a lease and then releasing it. An exploit could allow the attacker to cause the affected device to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** How the Bible and YouTube are fueling the next frontier of password cracking ***
---------------------------------------------
Crackers tap new sources to uncover "givemelibertyorgivemedeath" and other phrases.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/w9PZonWnTIA/story01…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 04-10-2013 18:00 − Montag 07-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletin: Denial of Service Vulnerability in DB2 for Unix, Linux and Windowss Fast Communications Manager. (CVE-2013-4032) ***
---------------------------------------------
Vulnerability in IBM DB2 for Unix, Linux and Windows server products could allow arbitrary data sent to the Fast Communications Manager (FCM) to cause server denial of service. CVE(s): CVE-2013-4032
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_den…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) CVE(s): CVE-2013-4066, and CVE-2013-4067
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Prenotification: Upcoming Security Updates for Adobe Reader and Acrobat (APSB13-25) ***
---------------------------------------------
A prenotification Security Advisory has been posted in regards to upcoming Adobe Reader and Acrobat security updates scheduled for Tuesday, October 8, 2013. There are no known exploits in the wild for these updates. We will continue to provide updates …
---------------------------------------------
http://blogs.adobe.com/psirt/2013/10/prenotification-upcoming-security-upda…
*** Cisco NX-OS RIP denial of service ***
---------------------------------------------
Cisco NX-OS is vulnerable to a denial of service, caused by an error in the Routing Information Protocol (RIP) service engine. By sending a specially-crafted RIPv4 or RIPv6 message to UDP port 520, a remote attacker could exploit this vulnerability to cause the RIP service engine to restart.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87669
*** Cisco NX-OS configuration files information disclosure ***
---------------------------------------------
Cisco NX-OS could allow a remote authenticated attacker to obtain sensitive information, caused by the improper sanitization of configuration files. By accessing the Cisco NX-OS management interface as a network-operator, an attacker could exploit this vulnerability to view restricted information within configuration files.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87670
*** The Hail Mary Cloud and the Lessons Learned ***
---------------------------------------------
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe." Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QrqADehWUPU/story01.htm
*** Why the state of application security is not so healthy ***
---------------------------------------------
Web applications are often a common portal for breaches, so why arent they being better protected?
---------------------------------------------
http://www.csoonline.com/article/740164/why-the-state-of-application-securi…
*** [local] - FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit ***
---------------------------------------------
* FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
* Author by CurcolHekerLink
*
* This exploit based on open source project, I can make it open source too. Right?
---------------------------------------------
http://www.exploit-db.com/exploits/28718
*** Cybercrime in the Deep Web ***
---------------------------------------------
Earlier, we published a blog post talking about the recent shut down of the Silk Road marketplace. There, we promised to release a new white paper looking at cybercrime activity on the Deep Web in more detail. This paper can now be found on our site here. While the Deep Web has often been uniquely associated […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroCybercrime in the Deep Web
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RYkDXfurPWU/
*** Aanval SAS Cross-Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in Aanval SAS, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/55134
*** Abzockversuche: Anbieter werben mit angeblichem iOS-7-Jailbreak ***
---------------------------------------------
Viele iPhone-Nutzer warten sehnsüchtig auf ein Jailbreak-Tool für iOS 7 – und einige von ihnen fallen auf Abzocker herein. Ein Test zeigt, wie die Masche funktioniert.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Abzockversuche-Anbieter-werben-mit-a…
*** Philips Xper Connect HTTP Request Handling Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Philips Xper Connect, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error when handling HTTP requests and can be exploited to cause a heap-based buffer overflow by sending a specially crafted HTTP request to TCP port 6000.
---------------------------------------------
https://secunia.com/advisories/55152
*** Door Control Systems: An Examination of Lines of Attack ***
---------------------------------------------
In this blog post, we shall show that there are serious security vulnerabilities in one of the market-leading door control systems, and that these can be exploited not only to gain physical access to secure premises, but also to obtain confidential information about the organisation to whom the premises belong.
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination…
*** McAfee Web Reporter Premium EJBInvokerServlet / JMXInvokerServlet Marshaled Object Arbitrary Code Execution Vulnerability ***
---------------------------------------------
Andrea Micalizzi has discovered a vulnerability in McAfee Web Reporter Premium, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to the application not properly restricting access to the invoker/EJBInvokerServlet and invoker/JMXInvokerServlet servlets within Apache Tomcat, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshaled object to TCP port 9111.
---------------------------------------------
https://secunia.com/advisories/55112
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 03-10-2013 18:00 − Freitag 04-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Matthias Fraidl
*** Adobe Preparing Critical Patches for Reader, Acrobat Next Week ***
---------------------------------------------
Adobe has announced that it plans next week to patch critical vulnerabilities in two products, Adobe Reader and Acrobat XI (11.0.04) for Windows.
---------------------------------------------
http://threatpost.com/adobe-preparing-critical-patches-for-reader-acrobat-n…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) CVE(s): CVE-2013-4066, CVE-2013-4067 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Hacking Summit Names Nations With Cyberwarfare Capabilities ***
---------------------------------------------
In 2009, I read with great interest a paper published in the Journal of International Security Affairs titled The Art of (Cyber) War. In this paper, Brian M. Mazanec explained the People's Republic of China was interested in cyberwarfare and had improved its capabilities to conduct military operations in the cyberspace.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/hacking-summit-names-nations-with-cyber…
*** AIX printer commands vulnerability (CVE-2013-5419) ***
---------------------------------------------
AIX printer commands vulnerability. CVE(s): CVE-2013-5419 Affected product(s) and affected version(s): AIX 6.1 and 7.1 releases Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://aix.software.ibm.com/aix/efixes/security/cmdque_advisory.asc
X-Force Database: http://xforce.iss.net/xforce/xfdb/87481
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/aix_printer_commands_…
*** CSAM: Web Honeypot Logs, (Thu, Oct 3rd) ***
---------------------------------------------
Todays logs come from a honeypot. The fun part about honeypots is that you dont have to worry about filtering out "normal" logs. Usually I check the honeypot for anything new and interesting first, then look on my real web server to figure out if I see similar attacks. In the real web server, these attack would otherwise drown in the noise. SSL Conection to a web server not supporting SSL Invalid method in request \x80w\x01\x03\x01 The first few bytes of the request are interpreted
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16718&rss
*** Blog: Ekoparty Security Conference 2013 ***
---------------------------------------------
The Ekoparty Security Conference 2013 was held in the beautiful city of Buenos Aires, Argentina, from 25 to 27 September, This event,the most important security conference in Latin America, is now in is ninth year and was attended by 1,500 people
---------------------------------------------
http://www.securelist.com/en/blog/208214073/Ekoparty_Security_Conference_20…
*** Adobe To Announce Source Code, Customer Data Breach ***
---------------------------------------------
Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its Cold Fusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/jWJBDb7eE-o/
*** October Patch Tuesday Preview (CVE-2013-3893 patch coming!) ***
---------------------------------------------
So far, we got pre-announcements from Microsoft and Adobe. Microsoft promises 8 bulletins, split evenly between critical and important. The critical bulletins affect Windows, Internet Explorer and the .Net framework, while the important bulletins affect Office and Silverlight. So this sounds like an average, very client heavy patch Tuesday. On the server end, only Sharepoint server (again) and Office Server are affected. Important: The cumulative IE update included will include a patch for
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16721&rss
*** EMC Atmos Unauthenticated Database Access ***
---------------------------------------------
Topic: EMC Atmos Unauthenticated Database Access Risk: High Text:ESA-2013-062: EMC Atmos Unauthenticated Database Access Vulnerability EMC Identifier: ESA-2013-062 CVE Identifier: C...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100034
*** SQL injection vulnerability in Zabbix ***
---------------------------------------------
The monitoring solution Zabbix is vulnerable to SQL injection. Attackers are able to gain access to database contents or elevate privileges and even take over the monitoring system.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild ***
---------------------------------------------
In this post, I'll discuss a recent example of standardization, in particular, a blackhat SEO friendly VPS (Virtual Private Server) that comes with over a dozen multi-blackhat-seo-friendly product licenses from third-party products integrated. It empowers potential customers new to this unethical and potentially fraudulent/malicious practice with everything they need to hijack legitimate traffic from major search engines internationally.
---------------------------------------------
http://www.webroot.com/blog/2013/10/04/commercially-available-blackhat-seo-…
*** Certain HP FutureSmart MFP, Weak PDF Encryption, Local Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with certain HP FutureSmart LaserJet printers. The vulnerabilities might lead to weak encryption of PDF documents or local disclosure of scanned information. References: CVE-2013-4828 (SSRT101249) CVE-2013-4829 (SSRT101327)
---------------------------------------------
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n…
*** Apple OS X Directory Services Authentication Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
OS X v10.8.5 Supplemental Update Directory Services Available for: OS X Mountain Lion v10.8 to v10.8.5 Impact: A local user may modify Directory Services records with system privileges Description: A logic issue existed in Directory Servicess verification of authentication credentials allowing a local attacker to bypass password validation. The issue was addressed through improved credential validation.
---------------------------------------------
http://support.apple.com/kb/HT5964
*** Hintergrund: Todesurteil für Verschlüsselung in den USA ***
---------------------------------------------
Die Anordnung eines US-Gerichts, Ermittlungsbeamten den geheimen Schlüssel zu übergeben, mit dem sie Zugriff auf die Daten aller Lavabit-Kunden erhielten, ruiniert den letzten Rest Vertrauen in die amerikanischen Cloud-Anbieter.
---------------------------------------------
http://www.heise.de/security/artikel/Todesurteil-fuer-Verschluesselung-in-d…
*** Corel PaintShop Pro X5 / X6 Insecure Library Loading Vulnerability ***
---------------------------------------------
Corel PaintShop Pro X5 / X6 Insecure Library Loading Vulnerability
---------------------------------------------
https://secunia.com/advisories/53618
*** McAfee Agent Framework Service Denial of Service Vulnerability ***
---------------------------------------------
McAfee Agent Framework Service Denial of Service Vulnerability
---------------------------------------------
https://secunia.com/advisories/55158