=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-12-2013 18:00 − Thursday 05-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Phishing email baits WordPress admins ***
---------------------------------------------
Spammers are trying to bait administrators with a free version of a popular SEO plugin for WordPress. The plugin turns out to be malware that opens a backdoor on the server and infects visitors to the site.
---------------------------------------------
http://www.heise.de/security/meldung/Phishing-Mail-koedert-WordPress-Admins…
*** In new campaign, Dexter point-of-sale malware strikes U.S. and abroad ***
---------------------------------------------
After recently impacting banks in South Africa, the malware is now infecting point-of-sale systems throughout the globe, including those in the U.S., a security firm found.
---------------------------------------------
http://www.scmagazine.com/in-new-campaign-dexter-point-of-sale-malware-stri…
*** Bugtraq: [PT-2013-63] Hash Length Extension in HTMLPurifier ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530142
*** SA-CONTRIB-2013-097 - OG Features - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-097
Project: OG Features (third-party module)
Version: 6.x
Date: 2013-December-04
Security risk: Not Critical
Exploitable from: Remote
Vulnerability: Access bypass
---------------------------------------------
https://drupal.org/node/2149791
*** Siemens SINAMICS S/G Authentication Bypass Vulnerability ***
---------------------------------------------
Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-338-01
*** Security Bulletins: Rational Insight and Rational Reporting for Development Intelligence - Oracle CPU June 2013 (CVE-2013-2407, CVE-2013-2450) ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM JRE that is shipped with Rational Insight and Rational Reporting for Development Intelligence.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_rat…
*** IBM QRadar SIEM Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55895
https://secunia.com/advisories/55891
*** Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection ***
---------------------------------------------
Topic: Imagam iFiles 1.16.0 File Inclusion / Shell Upload / Command Injection Risk: High Text: Document Title: Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities References (Source): == http://ww...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120038
*** bugs in IJG jpeg6b & libjpeg-turbo ***
---------------------------------------------
jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
---------------------------------------------
http://www.securityfocus.com/archive/1/530137
*** IQ3 Series Trend LAN Controllers "ovrideStart" Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55827
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-12-2013 18:00 − Wednesday 04-12-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** Mitigating attacks on Industrial Control Systems (ICS); the new Guide from EU Agency ENISA ***
---------------------------------------------
The EU's cyber security agency ENISA has provided a new manual for better mitigating attacks on Industrial Control Systems (ICS), supporting vital industrial processes primarily in the area of critical information infrastructure (such as the energy and chemical transportation industries) where sufficient knowledge is often lacking. As ICS are now often connected to Internet platforms, extra security preparations have to be taken. This new guide provides the necessary key considerations...
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/mitigating-attacks-on-indus…
*** Elecsys Director Gateway Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researchers Chris Sistrunk and Adam Todorski have identified an improper input validation vulnerability in the Elecsys Director Gateway application. Elecsys has produced a patch that mitigates this vulnerability. Adam Todorski has tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-337-01
*** Ruby on Rails Multiple Bugs Let Remote Users Deny Service, Conduct Cross-Site Scripting Attacks, and Generate Unsafe Queries ***
---------------------------------------------
http://www.securitytracker.com/id/1029420
*** Cisco ONS 15454 Controller Cards Can Be Reset By Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029421
*** D-Link DIR Series Routers __show_info.php information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89343
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-12-2013 18:00 − Tuesday 03-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** A Pentester's Introduction to SAP & ABAP ***
---------------------------------------------
If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/12/02/a-pentest…
*** Analysis: Kaspersky Security Bulletin 2013. Malware Evolution ***
---------------------------------------------
Once again, it’s time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let’s start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
---------------------------------------------
http://www.securelist.com/en/analysis/204792316/Kaspersky_Security_Bulletin…
*** How does the NSA break SSL? ***
---------------------------------------------
A few weeks ago I wrote a long post about the NSA's BULLRUN project to subvert modern encryption standards. I had intended to come back to this at some point, since I didn't have time to discuss the issues in detail.
---------------------------------------------
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
*** On Covert Acoustical Mesh Networks in Air ***
---------------------------------------------
Fraunhofer FKIE, Wachtberg, Germany
Abstract: Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a...
---------------------------------------------
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
*** Cisco ASA Malformed DNS Reply Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the DNS code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause the reload of an affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** phpThumb 1.7.12 Server Side Request Forgery ***
---------------------------------------------
Topic: phpThumb 1.7.12 Server Side Request Forgery Risk: Low Text: #phpThumb phpThumbDebug Server Side Request Forgery #Google Dork: inurl:phpThumb.php #Author: Rafay Baloch And Deepanker Ar...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120020
*** Folo theme for WordPress jplayer.swf cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89318
*** Orange Themes for WordPress upload-handler.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89325
*** Zend Framework application.ini information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89328
*** TP-Link TD-8840t change administrator password cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89329
*** JMultimedia component for Joomla! phpThumb.php file upload ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89333
*** Bugtraq: Multiple issues in OpenSSL - BN (multiprecision integer arithmetics). ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530120
*** Bugtraq: D-Link DIR-XXX remote root access exploit. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530119
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 29-11-2013 18:00 − Monday 02-12-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** SMS attack brings Nexus smartphones to their knees ***
---------------------------------------------
Receiving many Flash SMS messages is reported to reboot Google Nexus devices. Nexus smartphones running the current Android 4.4 (KitKat) are also affected.
---------------------------------------------
http://www.heise.de/security/meldung/SMS-Angriff-zwingt-Nexus-Smartphones-i…
*** Windows TIFF hole exploited since July - still no patch ***
---------------------------------------------
As early as this summer, emails were sent that used TIFF images to exploit a recently disclosed Windows vulnerability. And while the number of these malicious samples keeps growing, there is still no patch from Microsoft.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-TIFF-Luecke-bereits-seit-Juli-…
*** Catching up on the protection of industrial control systems ***
---------------------------------------------
Security problems with industrial control systems keep making headlines. The BSI is now giving operators a 124-page guide of proven methods for securing their systems.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-beim-Schutz-von-industri…
*** Important Security Update for D-Link Routers ***
---------------------------------------------
D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
---------------------------------------------
krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
*** File Sharing Apps Expose iOS To Security Risks - Trustwave ***
---------------------------------------------
File sharing apps for Apple iOS mobile devices can potentially represent a security risk to users, according to a Trustwave security researcher.
---------------------------------------------
http://www.techweekeurope.co.uk/news/researcher-file-sharing-apps-expose-io…
*** Manipulation of hard drive firmware to conceal entire partitions ***
---------------------------------------------
Tools created by the computer hacking community to circumvent security protection on hard drives can have unintentional consequences for digital forensics. Tools originally developed to circumvent Microsoft's Xbox 360 hard drive protection can be used, independently of the Xbox 360 system, to change the reported size/model of a hard drive enabling criminals to hide data from digital forensic software and hardware.
---------------------------------------------
https://www.comp.glam.ac.uk/staff/kxynos/papers/read13-DI-HDD-manipulation.…
*** Description of Cumulative Update 3 for Exchange Server 2013 ***
---------------------------------------------
This article describes Cumulative Update 3 for Microsoft Exchange Server 2013 that provides the latest fixes for Exchange Server 2013 and contains stability and performance improvements.
---------------------------------------------
http://support.microsoft.com/kb/2892464
*** Uptime Agent 5.0.1 Stack Overflow Vulnerability ***
---------------------------------------------
Topic: Uptime Agent 5.0.1 Stack Overflow Vulnerability Risk: Medium Text: # Exploit Title: Up.Time Agent 5.0.1 Stack Overflow # Date: 28/11/2013 # Exploit Author: Denis Andzakovic # Vendor Homepage:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120009
*** Vuln: ABB MicroSCADA wserver.exe Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63901
*** Vuln: Jenkins Exclusion Plugin CVE-2013-6373 Unspecified Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63876
*** Google Nexus SMS Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029414
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 28-11-2013 18:00 − Friday 29-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Stealing Credit Cards - A WordPress and vBulletin Hack ***
---------------------------------------------
What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there - vBulletin and WordPress. Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy! The Environment The client runs...
---------------------------------------------
http://blog.sucuri.net/2013/11/stealing-credit-cards-a-wordpress-and-vbulle…
*** JPEG Files Used For Targeted Attack Malware ***
---------------------------------------------
We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l94pQWbJ28g/
*** Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-6718) ***
---------------------------------------------
An interface on the IBM BladeCenter Advanced Management Module (AMM) may expose user account names and passwords that have been configured on that AMM.
CVE(s): CVE-2013-6718
Affected product(s) and affected version(s): These IBM BladeCenter Advanced Management Module Firmware versions are affected: v3.64B (BPET64B, BBET64B, and BPEO64B), v3.64C (BPET64C, BBET64C, and BPEO64C), v3.64G (BPET64G, BBET64G, and BPEO64G)
This applies to the following hardware products: BladeCenter
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Google Android com.android.settings Lets Local Applications Remove Device Locks ***
---------------------------------------------
http://www.securitytracker.com/id/1029410
*** Cisco IOS XR SNMP Memory Leak Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029408
*** Cisco IOS XE MPLS Processing Flaw Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029407
*** Joomla! All Video Share Component "avssearch" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55888
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55802
*** WordPress Highlight - Powerful Premium Theme Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55671
*** WordPress Store Locator Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55276
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 27-11-2013 18:00 − Thursday 28-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware ***
---------------------------------------------
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned 'casual social engineering' campaigns.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-b…
*** Sharik Back for More After Php.Net Compromise ***
---------------------------------------------
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victim's PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
---------------------------------------------
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html
*** ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th) ***
---------------------------------------------
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch port are "mirrored" to another switch port.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17111
*** Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0 ***
---------------------------------------------
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/advisory/2914486
*** THOUSANDS of Ruby on Rails sites leave logins lying around ***
---------------------------------------------
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins…
*** FakeAV + Ransomware = Windows Expert Console ***
---------------------------------------------
During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However, that doesn't mean that our good 'old friends' known as FakeAV aren't around.
---------------------------------------------
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/
*** Linux Worm Targeting Hidden Devices ***
---------------------------------------------
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
---------------------------------------------
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
*** You have a Skype voicemail. PSYCHE! It's just some fiendish Trojan-flinging spam ***
---------------------------------------------
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_z…
*** Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats ***
---------------------------------------------
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecur…
*** Quassel IRC Backlog Access Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55640
*** DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
*** HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029400
*** Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029402
*** Yahoo Open Redirect Vulnerability or "Designing vulnerabilities" ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110200
*** ownCloud Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55792
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 26-11-2013 18:00 − Wednesday 27-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** The Season For Danger: Holiday Season Spam And Phishing ***
---------------------------------------------
For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light: they see it as a prime opportunity to steal. Take, for example, online shopping. Malicious websites try to trick online shoppers into handing their money to them instead of to the legitimate shopping websites.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-season-for-d…
*** InMobi: Another Vulnaggressive Adware Opens Billions of JavaScript 'Sidedoors' on Android Devices ***
---------------------------------------------
FireEye mobile security researchers identified another new mobile threat, which we call 'JavaScript Sidedoors', which we discovered in the popular InMobi ad library. InMobi exposes dangerous behaviors such as making phone calls without user consent through JavaScript interfaces, which creates a 'sidedoor' for attackers to exploit by injecting malicious JavaScript through hijacking InMobi's HTTP traffic. ...
---------------------------------------------
http://www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-anothe…
*** Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites ***
---------------------------------------------
Websites using an older version of Ruby on Rails, including Kickstarter and UrbanSpoon, remain vulnerable to a vulnerability in the framework's cookie storage mechanism.
---------------------------------------------
http://threatpost.com/ruby-on-rails-cookiestore-vulnerability-plagues-promi…
*** An Anti-Fraud Service for Fraudsters ***
---------------------------------------------
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers.
---------------------------------------------
http://krebsonsecurity.com/2013/11/anti-fraud-service-for-fraudsters/
*** Security and policy surrounding bring your own devices (BYOD) ***
---------------------------------------------
As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/26/security-and-policy-surr…
*** Our protection metrics - October results ***
---------------------------------------------
Last month we introduced our monthly protection metrics and talked about our September results. Today, we'd like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics - September results. During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-o…
*** White hat Wi-Fi hacking shows vulnerability of business data ***
---------------------------------------------
White hat hackers have shown that usernames, passwords, contact lists, details of e-commerce accounts and banking details can be sniffed easily from public Wi-Fi hotspots.
---------------------------------------------
http://www.computerweekly.com/news/2240209927/White-hat-Wi-Fi-hacking-shows…
*** Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 ***
---------------------------------------------
FireEye's Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, posted 10 NOV 2013, is specific to an attack that "loaded the payload directly into memory without first writing to disk." As such, this "will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
---------------------------------------------
http://holisticinfosec.blogspot.co.uk/2013/11/volatility-23-and-fireeyes-di…
*** Malware creation hits record-high numbers In 2013, according to PandaLabs Q3 Report ***
---------------------------------------------
Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q3 2013, drawn up by PandaLabs, the company's anti-malware laboratory. One of the main conclusions that can be drawn from this global study is that malware creation has hit a new record high, with nearly 10 million new strains identified so far this year.
---------------------------------------------
http://press.pandasecurity.com/news/malware-creation-hits-record-high-numbe…
*** Security Headers on the Top 1,000,000 Websites: November 2013 Report ***
---------------------------------------------
It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS.
---------------------------------------------
https://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-w…
*** Finding Cryptolocker Encrypted Files using the NTFS Master File Table ***
---------------------------------------------
For the most part, everyone seems to be familiar with the new variants of Cryptolocker making the rounds these days. To quickly summarize, this form of ransomware encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys.
---------------------------------------------
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted…
*** Rogue that takes webcam pictures of you ***
---------------------------------------------
Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to its scam. We gathered a sample and sure enough, given some time it will indeed use the webcam and take a picture of what's in front of the camera at that time. This variant is called "Antivirus Security Pro" and it's as nasty as you can get.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/new-rogue-now-takes-screenshots/
*** Vuln: Drupal Core Image Module HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63848
*** Xen Privileged Ring Access Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029396
*** Debian Security Advisory DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** Debian Security Advisory DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 25-11-2013 18:00 − Tuesday 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Mysterious hijackings on the Internet ***
---------------------------------------------
Intelligence agencies don't have to tap the cable directly. The network service provider Renesys reports a marked increase in strange routing incidents in which network traffic is rerouted through other countries, sometimes even other continents.
---------------------------------------------
http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet…
*** The Need for Incident Response ***
---------------------------------------------
On an average day in the UK, more than 100 .co.uk websites are hacked, according to statistics in the Zone-h.org online database. Website hacks are adding to the volume of targeted attacks today.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-respons…
*** Fake tech support scam is trouble for legitimate remote help company ***
---------------------------------------------
Fraud victims mistake legitimate tech company for fraudsters.
---------------------------------------------
http://arstechnica.com/information-technology/2013/11/fake-tech-support-sca…
*** VBScript Malware SOYSOS Deletes CAD Files ***
---------------------------------------------
Cybercriminals can do just as much damage deleting users' data as stealing it, because file deletion can result in data loss, monetary loss, or both. One example would be CryptoLocker, which became notorious for combining the two: demanding money under threat of data destruction. We recently came across malware, detected as VBS_SOYSOS, that deletes important image files, including .DWG files.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware…
*** Surge in "BlackShades" infections exposes machines worldwide to RAT ***
---------------------------------------------
Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-…
*** A Look At A Silverlight Exploit ***
---------------------------------------------
Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to its list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, is used in order to bypass ASLR.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silv…
*** [Honeypot Alert] More PHP-CGI Scanning (apache-magika.c) ***
---------------------------------------------
In the past 24 hours, one of the WASC Distributed Web Honeypot participants' sensors picked up continued scanning for CVE-2012-1823, a vulnerability in PHP-CGI.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apa…
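Added example, not from the SpiderLabs post: detection logic for CVE-2012-1823 probes run over constructed Apache access-log lines. It relies on the documented trigger condition of that bug: when the raw query string contains no "=", the web server hands it to php-cgi as command-line arguments, so exploit code (apache-magika.c and its clones) encodes "=" as %3d and separates switches with "+". The log lines, client addresses and the exact switch set are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# php-cgi switches commonly pushed through CVE-2012-1823 scanners/exploits:
# -d (set an ini directive), -s (dump source), -n (ignore php.ini), -c (alternate php.ini)
PHP_SWITCHES = {"d", "s", "n", "c"}


def php_cgi_switches(raw_query: str) -> set:
    """Return the php-cgi switch letters smuggled in a raw query string (empty set if none).
    A literal '=' anywhere in the raw query means php-cgi treats it as a normal
    query string, so those requests are not argv injection and are skipped."""
    if not raw_query or "=" in raw_query:
        return set()
    found = set()
    for token in raw_query.split("+"):          # '+' is the space separator on the wire
        token = unquote(token)                   # %2d -> '-', %3d -> '='
        if len(token) >= 2 and token[0] == "-" and token[1] in PHP_SWITCHES:
            found.add(token[1])
    return found


def detect(lines):
    """Scan log lines; return (client_ip, request_target, switches) per suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        _, _, raw_query = target.partition("?")
        switches = php_cgi_switches(raw_query)
        if switches:
            hits.append((line.split(" ", 1)[0], target, switches))
    return hits


# Constructed log lines (documentation addresses, not real honeypot data).
LOG_LINES = [
    '203.0.113.5 - - [25/Nov/2013:10:01:02 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2013:10:02:17 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 3012 "-" "-"',
    '198.51.100.9 - - [25/Nov/2013:10:03:44 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2013:10:04:01 +0000] "GET /index.php?-1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Nov/2013:10:05:09 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, switches in detect(LOG_LINES):
        print(ip, sorted(switches), target)
```

A hit with "-d" plus "auto_prepend_file" or "allow_url_include" in the same request is an exploitation attempt, not a scan; "-s" alone is usually source disclosure probing. The durable fix is PHP 5.3.13 / 5.4.3 or later (the first patch for this CVE was incomplete), not a WAF rule on these strings.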
*** New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction ***
---------------------------------------------
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
---------------------------------------------
http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin…
*** The internet mystery that has the world baffled ***
---------------------------------------------
For the past two years, a mysterious online organisation has been setting the world's finest code-breakers a series of seemingly unsolvable problems. But to what end? Welcome to the world of Cicada 3301.
---------------------------------------------
http://www.telegraph.co.uk/technology/internet/10468112/The-internet-myster…
*** The Stuxnet duo: malicious siblings ***
---------------------------------------------
After three years of analysis, German expert Ralph Langner has presented a concluding paper on Stuxnet. According to it, the cyber weapon consists of two pieces of malware, of which only the second became widely known; wrongly so, Langner argues.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister…
*** Analysis: Online banking faces a new threat ***
---------------------------------------------
Neverquest supports just about every possible trick used in attacks on online banking. In light of Neverquest's self-replication capabilities, the number of users attacked could increase over a short period of time.
---------------------------------------------
http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_…
*** IT security catch-up needed: EU parliamentarians fell into a hotspot trap ***
---------------------------------------------
All members of the European Parliament should change their passwords urgently, demands an e-mail from the IT department. It confirms that access passwords were spied on through attacks on the unsecured parliamentary Wi-Fi.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Par…
*** How To Combat Online Surveillance ***
---------------------------------------------
Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They're limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.
---------------------------------------------
http://theoccupiedtimes.org/?p=12362
*** Why Crimekit Atrax will attract attention ***
---------------------------------------------
CSIS researchers have observed the introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax'; it is cheap (less than $250 for the main platform) and it uses Tor for stealthy communication with the C&Cs from which it is intended to get instructions, updates and new modules.
---------------------------------------------
https://www.csis.dk/en/csis/blog/4103
*** Blackhole and Cool Exploit Kits Nearly Extinct ***
---------------------------------------------
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
---------------------------------------------
http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034
*** IBM WebSphere Application Server Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55870
*** WordPress Contact Form 7 3.5.2 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110177
*** WordPress Pinboard Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110175
*** TPLINK WR740N / WR740ND Cross Site Request Forgery ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110181
*** NETGEAR ReadyNAS Perl Code Evaluation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110179
*** Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63475
*** Bugtraq: Open-Xchange Security Advisory 2013-11-25 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530008
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-11-2013 18:00 − Monday 25-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Second Look at Stuxnet Reveals Older Dangerous Variant ***
---------------------------------------------
ICS expert Ralph Langner has thrown back the covers on Stuxnet, revealing a two-pronged attack intent not only on disrupting Iran's nuclear capabilities, but also on flexing the attackers' muscle in building weaponized malware.
---------------------------------------------
http://threatpost.com/second-look-at-stuxnet-reveals-older-dangerous-varian…
*** Google fixes flaw in Gmail password reset process ***
---------------------------------------------
According to the researcher who discovered the bug, Google swiftly addressed the security issue, which could leave users' passwords vulnerable to theft.
---------------------------------------------
http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process…
*** Five Years Old And Still On The Run: DOWNAD ***
---------------------------------------------
Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused. Remarkably, after all that time, it's still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine - a factor that may explain its high rate of infection to this day.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/five-years-old-a…
*** Another Fake WordPress Plugin - And Yet Another SPAM Infection! ***
---------------------------------------------
We clean hundreds and thousands of infected websites; a lot of the cleanups can be considered somewhat "routine". If you follow our blog, you often hear us say we've seen "this" numerous times, we've cleaned "that" numerous times.
---------------------------------------------
http://blog.sucuri.net/2013/11/another-fake-wordpress-plugin-and-yet-anothe…
*** Top Security Predictions for 2014 ***
---------------------------------------------
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-…
*** Port 0 DDOS, (Fri, Nov 22nd) ***
---------------------------------------------
Following on the stories of amplification DDoS attacks using Chargen, and stories of "booters" via Brian Krebs, I am watching with interest the increase in port 0 amplification DDoS attacks.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17081
*** Spam-Friendly Registrar 'Dynamic Dolphin' Shuttered ***
---------------------------------------------
The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.
---------------------------------------------
http://krebsonsecurity.com/2013/11/spam-friendly-registrar-dynamic-dolphin-…
*** LG smart TV snooping extends to home networks, second blogger says ***
---------------------------------------------
A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company, in a post that offers support for the theory that the snooping isn't isolated behavior affecting a small number of sets.
---------------------------------------------
http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-hom…
*** CryptoLocker gang teams with botnet-builders on ransomware ***
---------------------------------------------
The cyber-gang running the CryptoLocker extortion racket is sharing a big cut of any payments they squeeze out of their victims with criminal botnet owners working closely with them, says Symantec, which has been monitoring this underworld activity online.
---------------------------------------------
http://www.pcworld.com/article/2066741/cryptolocker-gang-teams-with-botnet-…
*** DSA-2802 nginx ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2802
*** DSA-2801 libhttp-body-perl ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2801
*** [webapps] - TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/29802
*** ImpressPages CMS 3.8 Stored XSS Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110168
*** Pirelli Discus DRG A125g Remote Change SSID Value Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110167
*** Google Gmail IOS Mobile Application - Persistent / Stored XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110170
*** Ruby Heap Overflow in Floating Point Parsing Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029388
*** Drupal Core Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029386
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-11-2013 18:00 − Friday 22-11-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** DNP3 Implementation Vulnerability (Update A) ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A
*** Facebook Vulnerability Discloses Friends Lists Defined as Private ***
---------------------------------------------
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110157
*** Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability ***
---------------------------------------------
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva uses hardened CentOS 5.4 to run its Web Application Firewall and Database Activity Monitoring products. It could be expl...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110158
*** Instagram for iOS Flattr account security bypass ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by "flattring" photos, causing money from the user's account to be redirected.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89162
*** Instagram for iOS upload module file upload ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89160
*** prettyPhoto Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55769
*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0; IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability ***
---------------------------------------------
Overview: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description: CWE-94: Improper Control of Generation of Code (Code Injection)
---------------------------------------------
http://www.kb.cert.org/vuls/id/893462
*** Dovecot checkpassword-reply Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54808
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-11-2013 18:00 − Thursday 21-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** EFF Scorecard Shows Crypto Leaders and Laggards ***
---------------------------------------------
The Electronic Frontier Foundation (EFF) released its Encrypt the Web Report demonstrating how much encryption leading Internet companies and service providers are deploying.
---------------------------------------------
http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987
*** Tomcat worm hops from server to server ***
---------------------------------------------
Symantec has discovered a worm that infects Apache's Java web server (Tomcat) and hops from server to server as a Java servlet. Infected machines are abused as DDoS launchers and proxies.
---------------------------------------------
http://www.heise.de/security/meldung/Tomcat-Wurm-springt-von-Server-zu-Serv…
*** Are large scale Man in The Middle attacks underway?, (Thu, Nov 21st) ***
---------------------------------------------
Renesys is reporting two separate incidents where they observed traffic for 1500 IP blocks being diverted for extended periods of time. They observed the traffic redirection for more than 2 months over the last year. Does it seem unusual for internet traffic between Ashburn Virginia (63.218.44.78) and Washington DC (63.234.113.110) to go through Russia to Belarus? That is exactly what they observed. Once traffic flows through your routers there are countless opportunities to capture and modify...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17075&rss
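Added example, not from the ISC diary or the Renesys report it discusses (the same check serves the heise item "Mysterious hijackings on the Internet" above): the kind of control-plane check an operator can run against its own prefixes to catch the diversions described, i.e. an announcement whose origin AS is wrong, a more-specific that steals traffic from the legitimate aggregate, or a path that reaches the legitimate origin through an upstream it has never used. Prefixes, ASNs and the allow-list are constructed (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs); in practice the expected data comes from your IRR route objects or RPKI ROAs, and the announcements from a route collector.

```python
from ipaddress import ip_network

# Constructed allow-list: prefix -> (expected origin AS, set of expected upstream ASes).
EXPECTED = {
    "192.0.2.0/24":    (64496, {64500, 64501}),
    "198.51.100.0/23": (64497, {64500}),
}


def origin_and_upstream(as_path):
    """Origin is the last AS; upstream is the first AS before it that differs,
    so AS-path prepending (... 64500 64496 64496 64496) does not confuse the check."""
    origin = as_path[-1]
    for asn in reversed(as_path[:-1]):
        if asn != origin:
            return origin, asn
    return origin, None


def check_announcement(prefix, as_path, expected=EXPECTED):
    """Return a list of anomaly labels for one (prefix, AS path) announcement."""
    net = ip_network(prefix)
    origin, upstream = origin_and_upstream(as_path)
    for exp_prefix, (exp_origin, upstreams) in expected.items():
        exp_net = ip_network(exp_prefix)
        if net.version != exp_net.version or not net.subnet_of(exp_net):
            continue
        findings = []
        if origin != exp_origin:
            findings.append("origin-mismatch")       # classic hijack: someone else originates it
        if net.prefixlen > exp_net.prefixlen:
            findings.append("more-specific")         # longest match wins: traffic is diverted
        if upstream is not None and upstream not in upstreams:
            findings.append("unexpected-upstream")   # right origin, wrong neighbour: path spoofing
        return findings
    return ["unknown-prefix"]


# Constructed announcements as a collector would show them: (prefix, AS path).
ANNOUNCEMENTS = [
    ("192.0.2.0/24",    [64510, 64500, 64496, 64496]),   # legitimate, with prepending
    ("192.0.2.0/25",    [64510, 64511, 64496]),          # more-specific via an unexpected AS
    ("198.51.100.0/23", [64510, 64500, 64499]),          # different origin: hijack
    ("203.0.113.0/24",  [64510, 64498]),                 # nothing expected for it
]


def audit(announcements=ANNOUNCEMENTS, expected=EXPECTED):
    return {prefix: check_announcement(prefix, path, expected)
            for prefix, path in announcements}


if __name__ == "__main__":
    for prefix, findings in audit().items():
        print(prefix, findings or "clean")
```

The "unexpected-upstream" case is the one that matters for the Renesys-style incidents: the attacker keeps the victim's AS at the end of the path so RPKI origin validation passes, and only the neighbour relationship gives it away. A flat set of allowed upstreams is a simplification; a production check would use the full set of known adjacencies for the origin.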
*** A look at security effectiveness by industry ***
---------------------------------------------
BitSight analyzed security ratings for over 70 Fortune 200 companies in four industries - energy, finance, retail and technology. The objective was to uncover quantifiable differences in security effectiveness and performance across industries from October 2012 through September 2013.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15991
*** 5 Considerations For Post-Breach Security Analytics ***
---------------------------------------------
Preparing collection mechanisms ahead of time, preserving chain of custody on forensics data, and performing focused analysis all key in inspecting security data after a compromise
---------------------------------------------
http://www.darkreading.com/5-considerations-for-post-breach-securit/2401641…
*** EMC Document Sciences xPression cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89073
*** SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation, Drupal 6 and 7): Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any...
---------------------------------------------
https://drupal.org/SA-CORE-2013-003
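Added example, not Drupal code: the property the advisory's "optimistic" wording points at is ordering. A CSRF token must be checked before any validation or submit handler runs, because handlers can have side effects of their own, and the token must be bound to both the session and the specific form so one leaked from a harmless form cannot be replayed against a sensitive one. The secret, session id, form ids and handlers below are constructed for the example.

```python
import hashlib
import hmac

# Assumption: a per-site secret kept server-side (the advisory does not describe one).
SITE_SECRET = b"replace-with-a-random-server-secret"


def form_token(session_id: str, form_id: str) -> str:
    """Token bound to the user's session and to one specific form."""
    msg = f"{session_id}\x00{form_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def process_form(session_id, form_id, submitted_token, validators, submit):
    """Run the CSRF check before any validation or submit handler executes.
    Returns (status, names of handlers that ran) so the ordering is visible."""
    expected = form_token(session_id, form_id).encode()
    submitted = str(submitted_token or "").encode()
    if not hmac.compare_digest(expected, submitted):   # constant-time compare
        return "csrf-rejected", []                     # nothing else ran: no side effects
    ran = []
    for validate in validators:
        ran.append(validate.__name__)
        if not validate():
            return "validation-failed", ran
    ran.append(submit.__name__)
    submit()
    return "submitted", ran


# Constructed handlers that record their side effects.
EFFECTS = []

def validate_and_log():
    EFFECTS.append("audit-row")          # a validation handler that writes something
    return True

def do_submit():
    EFFECTS.append("settings-changed")


def demo():
    EFFECTS.clear()
    session, form = "sess-abc123", "user_settings_form"
    results = [
        # cross-site request: the attacker cannot know the token and sends a guess
        process_form(session, form, "deadbeef", [validate_and_log], do_submit),
        # token minted for a different, less sensitive form on the same site
        process_form(session, form, form_token(session, "contact_form"), [validate_and_log], do_submit),
        # same-site request carrying the right token
        process_form(session, form, form_token(session, form), [validate_and_log], do_submit),
    ]
    return results, list(EFFECTS)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The two rejected requests leave EFFECTS untouched; a framework that ran validators first and only then consulted the token would have written the audit row for both of them.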
*** SA-CONTRIB-2013-096 - Entity reference - Access bypass ***
*** SA-CONTRIB-2013-095 - Organic Groups - Access bypass ***
*** SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS) ***
*** SA-CONTRIB-2013-093 - Invitation - Access Bypass ***
---------------------------------------------
https://drupal.org/node/2140237
https://drupal.org/node/2140217
https://drupal.org/node/2140123
https://drupal.org/node/2140097
*** Vuln: SAP NetWeaver SHSTI_UPLOAD_XML() Function XML External Entity Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63779
*** Vuln: SAP NetWeaver Logviewer Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/58615
*** Vuln: SAP NetWeaver SAP Portal URI Redirection Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/63783
*** Vuln: SAProuter NI Route Message Handling Heap Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/60054
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-0478, CVE-2013-0477) ***
---------------------------------------------
IBM InfoSphere Master Data Management - Collaborative Edition versions 10.1, 10.0 and IBM InfoSphere Master Data Management Server for Product Information Management versions 9.1, 9.0, 6.0 are vulnerable to cross-site scripting and content spoofing. CVE(s): CVE-2013-0477, and CVE-2013-0478 Affected product(s) and affected version(s): IBM InfoSphere Master Data Management - Collaborative Edition Versions 10.1 and 10.0 IBM InfoSphere Master Data Management Server for Product Information...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution ***
---------------------------------------------
Title: SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution
Product: Freemotion.Gate
Vendor: SKIDATA, http://www.skidata.com/en/
Vulnerable Versions: 4.1.3.5 and likely all prior versions.
---------------------------------------------
http://www.keepingkidsonshred.com/2013/11/skidata-rfid-freemotiongate.html
*** Splunk Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55774
*** WHMCS "unserialize()" PHP Code Execution and Multiple Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55717
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-11-2013 18:00 − Wednesday 20-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New variant of Android ransomware "Fake Defender" surfaces ***
---------------------------------------------
Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.
---------------------------------------------
http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-s…
*** Google Extends Scope of External Bug Bounty ***
---------------------------------------------
Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.
---------------------------------------------
http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962
*** TrustKeeper Scan Engine Update - November 14, 2013 ***
---------------------------------------------
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default-credential checks for both WordPress and Cisco ASA SSL VPN (aka AnyConnect).
---------------------------------------------
http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-…
*** VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory ***
---------------------------------------------
Adobe ColdFusion 10 update 11 and possibly earlier versions contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
The vulnerability requires using a relative path, although there is no directory traversal vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/295276
*** Understanding Google´s Blacklist Cleaning Your Hacked Website and Removing From Blacklist ***
---------------------------------------------
Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. The fact that they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to...
---------------------------------------------
http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-you…
*** Searching live memory on a running machine with winpmem, (Wed, Nov 20th) ***
---------------------------------------------
Winpmem may appear to be a simple memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it can analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps, you can search memory on a running system.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17063
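Added example, not winpmem code and not from either ISC diary (this one and "Winpmem - Mild mannered memory acquisition tool??" below): the core of any "search memory without dumping it first" tool is a chunked pattern scan that carries a tail of bytes across chunk boundaries, otherwise an indicator that happens to straddle a read boundary is missed. The scanner below works on any file-like object (a raw dump, or a device that exposes physical memory as a stream); the "memory image" and the two indicators it plants are constructed for the example.

```python
import io


def scan_stream(stream, patterns, chunk_size=4096):
    """Find every occurrence of each byte pattern in a stream read chunk by chunk.
    A tail of (longest pattern - 1) bytes is carried over between chunks so a hit
    that straddles a chunk boundary is still found, and found exactly once."""
    overlap = max(len(p) for p in patterns) - 1
    hits = {p: [] for p in patterns}
    carry = b""
    pos = 0                       # absolute offset of the next byte read from the stream
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        base = pos - len(carry)   # absolute offset of window[0]
        for p in patterns:
            i = window.find(p)
            while i != -1:
                # A match lying entirely inside the carried tail was reported last round.
                if i + len(p) > len(carry):
                    hits[p].append(base + i)
                i = window.find(p, i + 1)
        pos += len(chunk)
        carry = window[-overlap:] if overlap else b""
    return hits


# Constructed indicators (documentation address, made-up mutex name).
C2_URL = b"http://203.0.113.7/gate.php"   # 27 bytes
MUTEX = b"SAMPLE-MUTEX-01"                # 15 bytes


def build_image(size=12000):
    """Constructed 'memory image': zeros with indicators planted so that two of them
    straddle 4096-byte chunk boundaries (offsets 4090 and 8191)."""
    img = bytearray(size)
    for off, marker in ((100, C2_URL), (4090, C2_URL), (8191, MUTEX)):
        img[off:off + len(marker)] = marker
    return bytes(img)


def demo():
    return scan_stream(io.BytesIO(build_image()), [C2_URL, MUTEX])


if __name__ == "__main__":
    for pattern, offsets in demo().items():
        print(pattern.decode(), [hex(o) for o in offsets])
```

Reading the same image with no carry-over (chunk by chunk, independently) would report only the hit at offset 100; the two boundary-straddling hits are exactly the ones a naive scanner drops. For a live system the stream is the physical-memory device winpmem exposes, and pages can change between reads, so a hit is evidence of presence at scan time, not a stable address.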
*** Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability ***
---------------------------------------------
Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft´s Silverlight framework.
---------------------------------------------
http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverli…
*** Mobile threats in October 2013 ***
---------------------------------------------
In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android. An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.
---------------------------------------------
http://news.drweb.com/show/?i=4061&lng=en&c=9
*** Repeated attacks hijack huge chunks of Internet traffic, researchers warn ***
---------------------------------------------
Man-in-the-middle attacks divert data on scale never before seen in the wild.
---------------------------------------------
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks…
*** US police department pays $750 Cryptolocker Trojan ransom demand ***
---------------------------------------------
A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.
---------------------------------------------
http://news.techworld.com/security/3489937/us-police-department-pays-750-cr…
*** Backup the best defense against (Cri)locked files ***
---------------------------------------------
Crilock, also known as CryptoLocker, is one notorious ransomware that's been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-…
*** JBoss Attacks Up Since Exploit Code Disclosure ***
---------------------------------------------
Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.
---------------------------------------------
http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971
*** [webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/29709
*** nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029363
*** PayPal Billsafe Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110142
*** EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110139
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-11-2013 18:00 − Tuesday 19-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Am I Sending Traffic to a "Sinkhole"?, (Mon, Nov 18th) ***
---------------------------------------------
It has become common practice to set up "sinkholes" to capture traffic sent by infected hosts to command and control servers. These sinkholes are usually established after a malicious domain name has been discovered and registrars agree to redirect the respective NS records to a specific name server configured by the entity operating the sinkhole. More recently, for example, Microsoft gained court orders to take over...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17048
*** Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA ***
---------------------------------------------
Google announced today it has completed upgrading all of its SSL certificates to 2048-bit RSA or better, up from 1024.
---------------------------------------------
http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2…
*** Facebook URL redirection vulnerability patched ***
---------------------------------------------
A Facebook URL redirection vulnerability discovered last week was patched just a day after a blog post detailing the bug went live.
---------------------------------------------
http://www.scmagazine.com//facebook-url-redirection-vulnerability-patched/a…
*** Winpmem - Mild mannered memory acquisition tool??, (Tue, Nov 19th) ***
---------------------------------------------
There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17054&rss
*** Old JBoss vuln in the wild, needs patching ***
---------------------------------------------
Remote code execution, the usual thing JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_v…
*** Cybercriminals spamvertise tens of thousands of fake "Sent from my iPhone" themed emails, expose users to malware ***
---------------------------------------------
Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that's been "Sent from an iPhone". The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we've been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised...
---------------------------------------------
http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thou…
*** A .BIT Odd ***
---------------------------------------------
Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rFeNuxSPHUg/
*** Vuln: Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63715
*** Vuln: Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63712
*** Opera Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55720
*** Network Security Services (NSS) Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55557
*** Vuln: MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63770
*** Elastix Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55739
*** Splunk Test Scripts Let Remote Authenticated Users Execute Arbitrary Shell Scripts on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1029316
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-11-2013 18:00 − Monday 18-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks ***
---------------------------------------------
Hacks on sites using the widely used forum software spread to its maker.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/FIA9t0-8N04/story01…
*** BKDR_SHIZ Responsible For SAP Attacks, And More ***
---------------------------------------------
There have been recent reports of malware that targeted SAP users for information theft. We detect this threat as BKDR_SHIZ.TO, and it belongs to a malware family that has been detected since 2010. So far, this particular family has received little attention, but its targeting of SAP applications has raised its profile considerably. So what...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/O578f6Dl3Js/
*** Exploiting the Supermicro Onboard IPMI Controller ***
---------------------------------------------
Last week @hdmoore published the details about several vulnerabilities in the Supermicro IPMI firmware. With the advisory's release, several modules landed in Metasploit in order to check Supermicro's device against several of the published vulnerabilities.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploitin…
*** Explaining and Speculating About QUANTUM ***
---------------------------------------------
Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/explaining_and.html
*** Various Schneier Audio and Video Talks and Interviews ***
---------------------------------------------
News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/various_schneie.html
*** Sagan as a Log Normalizer, (Sat, Nov 16th) ***
---------------------------------------------
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc)."[1] Sagan is a log analysis engine that uses rules with the same basic structure as Snort rules. The alerts can be written to a Snort IDS/IPS database in the Unified2 file format using Barnyard2. This means the alerts can be read using Sguil, BASE or SQueRT to name a few. It is easy to set up, just need to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17039&rss
*** SpiderLabs Radio November 15, 2013 w/ Space Rogue ***
---------------------------------------------
This week's episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about Stuxnet on ISS, Facebook scans for Adobe, MacRumours, SEA hits Vice, bitcash.cz, Cracked gets cracked, Loyaltybuild, No Nukes in JP, OWASP AppSec USA, SR's Last SLR and more! Listen to SpiderLabs radio in iTunes. Or you can download the MP3 file directly here. Or listen right from your browser with this embedded player.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/spiderlabs-radio-november-15-2013-w-spac…
*** Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool ***
---------------------------------------------
Telephony Denial of Service Attacks (TDoS) continue to represent a growing market segment within the Russian/Eastern European underground market, with more vendors populating it with propositions for products and services aiming to disrupt the phone communications of prospective victims. From purely malicious in-house infrastructure - dozens of USB hubs with 3G USB modems using fraudulently obtained, non-attributable SIM cards - to abuse of legitimate infrastructure, like Skype, ICQ, a...
---------------------------------------------
http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-release…
*** Bugtraq: Cross-Site Scripting (XSS) in Tweet Blender Wordpress Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529853
*** Vuln: GnuTLS libdane/dane.c CVE-2013-4487 Incomplete Fix Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63469
*** MS13-095 - Important : Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) - Version: 1.0 ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-095
*** SAP Netweaver Web Application Server J2EE SAP Portal Redirection Weakness ***
*** SAP Netweaver DataCollector and JavaDumpService Servlets Multiple Cross-Site Scripting Vulnerabilities ***
*** SAP NetWeaver Input Validation Flaw in SRTT_GET_COUNT_BEFORE_KEY_RFC Function Lets Remote Authenticated Users Inject SQL Commands ***
---------------------------------------------
https://secunia.com/advisories/55778
https://secunia.com/advisories/55777
http://www.securitytracker.com/id/1029352
*** gitlab-shell Multiple Vulnerabilities ***
*** GitLab API Access Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55683
https://secunia.com/advisories/55691
*** IBM Tivoli System Automation Application Manager Java Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55794
*** Foreman Host and Host Group SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55722
*** [webapps] - ManageEngine DesktopCentral 8.0.0 build 80293 - Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29674
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-11-2013 18:00 − Friday 15-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Blog: The rush for CVE-2013-3906 - a hot commodity ***
---------------------------------------------
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
---------------------------------------------
http://www.securelist.com/en/blog/208214158/The_rush_for_CVE_2013_3906_a_ho…
*** CVE-2012-1889 is still alive! ***
---------------------------------------------
In Zscaler's daily scanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Let's take a look.
---------------------------------------------
http://research.zscaler.com/2013/11/cve-2012-1889-is-still-alive.html
*** Febipos for Internet Explorer ***
---------------------------------------------
In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/14/febipos-for-internet-exp…
*** Linux backdoor squirts code into SSH to keep its badness buried ***
---------------------------------------------
Fokirtor! It LOOKED like legitimate traffic...
Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.
---------------------------------------------
http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/
*** Mobile Pwn2Own: Internet Explorer 11 cracked, Chrome already patched ***
---------------------------------------------
The Chrome vulnerability used by Pinkie Pie has since been closed by Google. Meanwhile, researchers from the Zero Day Initiative succeeded in taking over Internet Explorer 11 on a Surface Pro.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Internet-Explorer-11-ge…
*** Blog: AutoCAD - new platform for start page Trojans ***
---------------------------------------------
In China, start page Trojans have become a popular type of malware because by changing users' browser start pages to point to some navigation site, the owner of the site can get a large amount of web traffic which can then be converted into large sums of money. In order to spread such Trojans as broadly as possible, Trojan authors have even turned their sights to AutoCAD.
---------------------------------------------
http://www.securelist.com/en/blog/8141/AutoCAD_new_platform_for_start_page_…
*** Research Into BIOS Attacks Underscores Their Danger ***
---------------------------------------------
For three years, Dragos Ruiu has attempted to track down a digital ghost in his network, whose presence is only felt in strange anomalies and odd system behavior. The anomalies ranged from system instability, to "bricked" USB sticks and data seemingly modified on the fly, according to online posts.
---------------------------------------------
http://www.darkreading.com/advanced-threats/research-into-bios-attacks-unde…
*** Eight Security Predictions for 2014 ***
---------------------------------------------
2013 was not an easy year in cybersecurity and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014.
---------------------------------------------
http://community.websense.com/blogs/securitylabs/archive/2013/11/14/eight-s…
*** The Security Impact of HTTP Caching Headers, (Fri, Nov 15th) ***
---------------------------------------------
Earlier this week, an update for Media-Wiki fixed a bug in how it used caching headers. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to talk a bit about caching in web applications and why it is important for security.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17033&rss
*** Google Chrome for Android Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55744
*** Nagios XI "tfPassword" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55695
*** VMSA-2013-0013 ***
---------------------------------------------
VMware Workstation host privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0013.html
*** Cisco IOS CSG Parse Error Drop Function Flaw Lets Remote Users Bypass Access Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029342
*** Cisco ASA IPv6 NAT Bug Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029341
*** mod_nss FakeBasicAuth authentication bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110110
*** APPLE-SA-2013-11-14-1 iOS 7.0.4 ***
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2013/Nov/msg00000.ht…
*** Security Bulletin: IBM Platform Cluster Manager Standard Edition (CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965 CVE-2013-4310) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-11-2013 18:00 − Thursday 14-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Stanford Metaphone Project Aims to Show Dangers of Metadata Collection ***
---------------------------------------------
When the first NSA surveillance story broke in June, about the agency's collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren't sure what the term encompassed, and now a group of security researchers at Stanford have started a new project to collect data from Android users to see exactly how much information can be drawn from the logs of phone calls and texts.
---------------------------------------------
http://threatpost.com/stanford-metaphone-project-aims-to-show-dangers-of-me…
*** Thunderbird gives a false sender the seal of authenticity ***
---------------------------------------------
Digital signatures are actually supposed to ensure that the sender of an e-mail can be relied upon. However, Thunderbird handles signed e-mails so clumsily that false senders can be faked.
---------------------------------------------
http://www.heise.de/security/meldung/Thunderbird-gibt-falschem-Absender-das…
*** Unusual BHEK-Like Spam With Attachment Found ***
---------------------------------------------
Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.
Recently, however, we came across rather unusual spam samples that combine characteristics of both attacks.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/unusual-bhek-lik…
*** Mobile Pwn2Own: Galaxy S4 and iOS hacked ***
---------------------------------------------
On the first day of the Mobile Pwn2Own contest in Tokyo, a vulnerability was demonstrated on Samsung's Galaxy S4 that makes it possible to install arbitrary apps. Chinese hackers showed vulnerabilities in Safari under iOS 6.1.4 and 7.0.3.
---------------------------------------------
http://www.heise.de/security/meldung/Mobile-Pwn2Own-Galaxy-S4-und-iOS-gehac…
*** Analysis: IT Threat Evolution: Q3 2013 ***
---------------------------------------------
IT Threat Evolution: Q3 2013
Targeted Attacks / APT
Malware Stories
Web security and data breaches
Mobile malware
---------------------------------------------
http://www.securelist.com/en/analysis/204792312/IT_Threat_Evolution_Q3_2013
*** A-DOH!-BE hack: Facebook warns users whose logins were spilled ***
---------------------------------------------
Facebook is using a list of hacked Adobe accounts posted by the miscreants themselves to warn its own customers about password reuse.
---------------------------------------------
http://www.theregister.co.uk/2013/11/14/facebook_adobe_password_leak_warnin…
*** New OSX/Crisis or Business Cards Gone Wild ***
---------------------------------------------
In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team's spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners. RCS, also known as OSX/Crisis, is an expensive rootkit used by governments during targeted attacks.
---------------------------------------------
http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-…
*** Cracked.com Serving Malware in Drive-By Downloads ***
---------------------------------------------
The popular humor website, Cracked[dot]com reportedly hosted malware that infected the machines of its visitors over the weekend and may still be doing so, according to Barracuda Labs research.
---------------------------------------------
http://threatpost.com/cracked-com-serving-malware-in-drive-by-downloads/102…
*** eGroupware HTML File Uploads Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54368
*** LastPass Android Container PIN / Auto-Wipe Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110101
*** IBM Multiple Storage Products Apache Struts Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55706
*** SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypass
Description
This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module.
CVE
---------------------------------------------
https://drupal.org/node/2135267
*** SA-CONTRIB-2013-090 - Revisioning - Access Bypass ***
---------------------------------------------
Remote Vulnerability: Access bypass
Description
This module enables you to create content publication workflows whereby one version of the content is "live" (publicly visible), while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions
---------------------------------------------
https://drupal.org/node/2135257
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-11-2013 18:00 − Wednesday 13-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Summary for November 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for November 2013. With the release of the security bulletins for November 2013, this bulletin summary replaces the bulletin advance notification originally issued November 7, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Blog: Sinkholing the Hlux/Kelihos botnet - what happened? ***
---------------------------------------------
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. Now we thought it would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.
---------------------------------------------
http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_bot…
*** Microsoft Warns Customers Away From SHA-1 and RC4 ***
---------------------------------------------
The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.
---------------------------------------------
http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102…
*** Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1 ***
---------------------------------------------
In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computer systems. Today, we're releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment.
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2013/11/12/introducing-enhanced-miti…
*** Adobe Patches Flash, ColdFusion Flaws Unrelated to Breach ***
---------------------------------------------
Adobe patched critical vulnerabilities in its Flash Player and ColdFusion Web application server; the company said the bugs are unrelated to the recent breach and source code theft.
---------------------------------------------
http://threatpost.com/adobe-patches-flash-coldfusion-flaws-unrelated-to-bre…
*** Simulated attacks give London banks a trial run in readiness ***
---------------------------------------------
The planned event, called "Waking Shark II," marks the second year the city of London has participated in the security preparedness exercises.
---------------------------------------------
http://www.scmagazine.com//simulated-attacks-give-london-banks-a-trial-run-…
*** November Patch Tuesday Addresses New IE Zero-Day Exploit, But TIFF Vulnerability Still Unpatched ***
---------------------------------------------
It's worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month's update, so the recommendations and work-arounds that were suggested at that time remain in effect.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/november-patch-t…
*** Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits ***
---------------------------------------------
Sharing is caring. In this post, I'll put the spotlight on a currently circulating, massive - thousands of sites affected - malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites.
---------------------------------------------
http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-…
*** Cross-site scripting vulnerabilities in EMC Documentum eRoom ***
---------------------------------------------
Due to improper input validation, Documentum eRoom suffers from multiple cross-site scripting vulnerabilities, which allow an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to documents hosted in eRooms.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** BlackBerry Patches Remote Access Feature Vulnerable to Exploit ***
---------------------------------------------
BlackBerry patched two serious vulnerabilities in its BlackBerry Link product.
---------------------------------------------
http://threatpost.com/blackberry-patches-remote-access-feature-vulnerable-t…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55478
*** Red Hat Network Satellite Server Grants Administrative Access to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1029331
*** JunOS 11.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110085
*** FortiAnalyzer 5.0.4 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29550
*** Security Bulletin: Potential Security Vulnerability fixed in WebSphere Virtual Enterprise (CVE-2013-5425) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 11-11-2013 18:00 − Tuesday 12-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ActiveX Control issue being addressed in Update Tuesday ***
---------------------------------------------
Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3', which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS).
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-be…
*** Samsung, Nokia say they don't know how to track a powered-down phone ***
---------------------------------------------
Back in July 2013, The Washington Post reported that nearly a decade ago, the National Security Agency developed a new technique that allowed spooks to find cellphones even when they were turned off.
---------------------------------------------
http://arstechnica.com/security/2013/11/samsung-nokia-say-they-dont-know-ho…
*** Chinese Bitcoin exchange shutters, taking £2.5 MEEELION ***
---------------------------------------------
Another one Bits the dust... Chinese Bitcoin exchange GBL has shut down, taking with it over 25 million yuan ($US4.1m) of investors' money, in another warning to those who don't look before they leap with the digital currency.
---------------------------------------------
http://www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/
*** MSRT November 2013 - Napolar ***
---------------------------------------------
We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers' machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/12/msrt-november-2013-napol…
*** GCHQ Used Fake LinkedIn Pages to Target Engineers ***
---------------------------------------------
The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load.
---------------------------------------------
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-…
*** Smartphone PIN revealed by camera and microphone ***
---------------------------------------------
The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned. Using a programme called PIN Skimmer a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.
---------------------------------------------
http://www.bbc.co.uk/news/technology-24897581
*** A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware ***
---------------------------------------------
The exponential growth of mobile malware over the last couple of years can be attributed to a variety of growth factors, the majority of which continue playing an inseparable role in the overall success and growth of the cybercrime ecosystem in general.
---------------------------------------------
http://ddanchev.blogspot.co.uk/2013/11/a-peek-inside-customer-ized-api-enab…
*** Cyber Attack on Finland is a Warning for the EU ***
---------------------------------------------
A highly sophisticated multi-year cyber attack targeting Finland's diplomatic communications is likely to have been replicated against other EU and Western countries.
---------------------------------------------
http://www.chathamhouse.org/media/comment/view/195392?
*** Selfish Miners Could Exploit P2P Nature of Bitcoin Network ***
---------------------------------------------
While researchers and academics are just at the beginning of the process of trying to judge the value of a recent paper on a vulnerability in the Bitcoin protocol, some are arguing that there is a smaller point that's being missed in all of the back and forth: There is a problem with the peer-to-peer set-up of the Bitcoin network that could be exploited for profit.
---------------------------------------------
http://threatpost.com/selfish-miners-could-exploit-p2p-nature-of-bitcoin-ne…
*** Vuln: strongSwan CVE-2013-6075 Authorization Security Bypass and Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63489
*** FOSCAM IP-Cameras SSID cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88629
*** Belkin NetCam Wifi Camera Hardcoded Credentials ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110079
*** WordPress Curvo Themes - Arbitrary code execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110081
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 08-11-2013 18:00 − Montag 11-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New IE Zero-Day found in Watering Hole Attack ***
---------------------------------------------
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It's a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-wate…
FOLLOW-UP:
*** Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method ***
---------------------------------------------
Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephe…
*** No Patch Tuesday update for Microsoft zero-day vulnerability ***
---------------------------------------------
Microsoft is preparing eight fixes for next week's upcoming Nov. 12 Patch Tuesday, but an update to a recently discovered zero-day vulnerability is not one of them.
---------------------------------------------
http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vu…
*** Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I ***
---------------------------------------------
November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not-so-safe attempts to access information. After months of waiting, finally one of those not-so-safe requests hit one of our honeypots.
---------------------------------------------
http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-diss…
*** CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest ***
---------------------------------------------
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-eme…
*** October 2013 virus activity overview ***
---------------------------------------------
November 5, 2013. Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Web's support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Viruses: Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats.
---------------------------------------------
http://news.drweb.com/show/?i=4052&lng=en&c=9
*** Super-Trojan BadBIOS: unlikely, but possible ***
---------------------------------------------
Security researcher Dragos Ruiu claims that a super-Trojan anchored in the BIOS is running rampant on his computers and communicates even without a network connection. Skeptical voices are multiplying, but malware like BadBIOS is not technically impossible.
---------------------------------------------
http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich…
*** Background: ENISA recommendations on cryptographic methods ***
---------------------------------------------
The top European security agency, ENISA, issues recommendations on algorithms and key lengths.
---------------------------------------------
http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren…
*** Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream ***
---------------------------------------------
This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-…
*** Extensions for Google's Chrome web browser only from the official store from now on ***
---------------------------------------------
Google wants to protect Windows users better against malware. Chrome versions for other platforms are not affected by the measure.
---------------------------------------------
http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-…
*** Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29519
*** Debian Security Advisory DSA-2793 libav ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2793
*** Redaxo 4.5 CMS Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110070
*** Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529722
*** D-Link Router 2760N Multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110075
*** Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205 ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 07-11-2013 18:00 − Freitag 08-11-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Advance Notification for November 2013 - Version: 1.0 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013.
---------------------------------------------
http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
*** Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release ***
---------------------------------------------
Today, we're providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office. While this release won't include an update for the issue first described in Security Advisory 2896666, we'd like to tell you a bit more about it. We're working to develop a security update...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/07/clarification-on-securit…
*** Exploits of critical Microsoft zero day more widespread than thought ***
---------------------------------------------
At least two hacker gangs exploit TIFF vulnerability to hijack users' computers.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/6hCE3JS8yQI/story01…
*** Despite patches, Supermicro's IPMI firmware is far from secure, researchers say ***
---------------------------------------------
The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unauthorized access to servers, Rapid7 researchers said.
---------------------------------------------
http://www.csoonline.com/article/742836/despite-patches-supermicro-39-s-ipm…
*** PCI council publishes updated payment security standards ***
---------------------------------------------
Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ktdq0wWA1L8/
*** VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable ***
---------------------------------------------
Vulnerability Note VU#274923: Dual_EC_DRBG output using untrusted curve constants may be predictable
Original Release date: 07 Nov 2013 | Last revised: 07 Nov 2013
Overview: Output of the Dual Elliptic Curve Deterministic Random Bit Generator (DUAL_EC_DRBG) algorithm may be predictable by an attacker who has chosen elliptic curve parameters in advance.
Description: NIST SP 800-90A defines three elliptic curves for use in Dual_EC_DRBG but does not describe the provenance of the parameters used
---------------------------------------------
http://www.kb.cert.org/vuls/id/274923
*** Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity ***
---------------------------------------------
In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share and thus help them secure multiple revenue streams. Despite the increased transparency on the Russian/Eastern European underground market - largely thanks to improved social networking courtesy of the...
---------------------------------------------
http://www.webroot.com/blog/2013/11/07/source-code-proprietary-spam-bot-off…
*** Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server (CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) ***
---------------------------------------------
The security bulletin addresses various vulnerabilities found in the Sametime Enterprise Meeting Server regarding spoofing and domain cookies.
CVE(s): CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985
Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1
Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654355
X-Force
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986) ***
---------------------------------------------
An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension (Firefox extension) session of other users.
CVE(s): CVE-2013-3986
Affected product(s) and affected version(s): IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1
Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21654041
X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: For safer administration of IBM Domino server, use Domino Administrator client instead of Domino Web Administrator ***
---------------------------------------------
IBM Domino Web Administrator (webadmin.nsf) has two cross-site scripting vulnerabilities and one cross-site request forgery of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, use the Domino Administrator client or mitigations listed below. Domino Web Administrator is deprecated.
CVE(s): CVE-2013-4051, CVE-2013-4055, CVE-2013-4050.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_for…
*** IBM WebSphere Real Time Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55618
*** CTF365: A New Capture The Flag Platform for Ongoing Competitions ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/08/ctf365--i…
*** OpenSSH Security Advisory: gcmrekey.adv ***
---------------------------------------------
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm(a)openssh.com or aes256-gcm(a)openssh.com) is selected during kex exchange.
---------------------------------------------
http://www.openssh.org/txt/gcmrekey.adv
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 06-11-2013 18:00 − Donnerstag 07-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns ***
---------------------------------------------
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in "attacks observed are very limited and carefully carried out...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-e…
*** Analysis: Spam in Q3 2013 ***
---------------------------------------------
The percentage of spam in total email traffic decreased by 2.4% from the second quarter of 2013 and came to 68.3%.
---------------------------------------------
http://www.securelist.com/en/analysis/204792311/Spam_in_Q3_2013
*** Blackhat SEO and ASP Sites ***
---------------------------------------------
It's all too easy to scream and holler at PHP based websites and the various malware variants associated with the technology, but perhaps we're a bit too biased. Here is a quick post on an ASP variant. Thought we'd give you Microsoft types some love too. Today we found this nice BlackHat SEO attack: Finding it...
---------------------------------------------
http://blog.sucuri.net/2013/11/blackhat-seo-and-asp-sites.html
*** Bugtraq: CVE-2013-4425: Private key disclosure, Osirix (lite, 64bit and FDA cleared version) (Medical Application) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529659
*** Vuln: Imperva SecureSphere Web Application Firewall Search Field SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62948
*** Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
---------------------------------------------
Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21655201
*** [20131103] Joomla! Core XSS Vulnerability ***
---------------------------------------------
Inadequate filtering leads to XSS vulnerability in com_contact.
---------------------------------------------
http://developer.joomla.org/security/572-core-xss-20131103.html
*** Vuln: Google Android Signature Verification Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63547
*** SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-089
Project: Node Access Keys (third-party module)
Version: 7.x
Date: 2013-November-06
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access.
CVE identifier(s)...
---------------------------------------------
https://drupal.org/node/2129379
*** SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-088
Project: Secure Pages (third-party module)
Version: 6.x
Date: 2013-November-06
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Missing Encryption of Sensitive Data
Description: The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a...
---------------------------------------------
https://drupal.org/node/2129381
*** SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-087
Project: Payment for Webform (third-party module)
Version: 7.x
Date: 2013-November-06
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Access bypass
Description: This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that...
---------------------------------------------
https://drupal.org/node/2129373
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-11-2013 18:00 − Mittwoch 06-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Attacks on New Microsoft Zero Day Using Multi-Stage Malware ***
---------------------------------------------
Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan. The...
---------------------------------------------
http://threatpost.com/attacks-on-new-microsoft-zero-day-using-multi-stage-m…
*** Malicious PDF Analysis Evasion Techniques ***
---------------------------------------------
In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly - and their creators invest in efforts to evade those vendors. Using feedback provided by the Smart Protection Network, we...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XOJob_q_Zag/
*** Asus fixes serious security vulnerability in WebStorage ***
---------------------------------------------
The WebStorage client software is one of a number of apps that Asus installs on its Android devices at the factory. heise netze had uncovered an implementation error during routine checks.
---------------------------------------------
http://www.heise.de/security/meldung/Asus-fixt-schwerwiegende-Sicherheitslu…
*** Google Bots Doing SQL Injection Attacks ***
---------------------------------------------
One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (i.e., Google, Bing, Yahoo, etc.). To date, we've been pretty good about this, but every now and then you come across unique scenarios like the one in this post that make you scratch your head and think: what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?
---------------------------------------------
http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html
*** Security Bulletin: IBM Sterling Certificate Wizard Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Certificate Wizard is susceptible to a shared memory permission vulnerability.
CVE(s): CVE-2013-1500
Affected product(s) and affected version(s): IBM Sterling Certificate Wizard: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: Potential security vulnerability exists in the IBM Java SDK's TLS implementation that is shipped with Tivoli Netcool/OMNIbus Web GUI (CVE-2012-5081) ***
---------------------------------------------
The JDK's TLS implementation does not strictly check the TLS vector length as set out in the latest RFC 5246.
CVE(s): CVE-2012-5081
Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus Web GUI: 7.3.0, 7.3.1, 7.4.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** Security Bulletin: IBM Sterling Connect:Enterprise Secure Client Shared Memory Permission Vulnerability (CVE-2013-1500) ***
---------------------------------------------
The IBM Sterling Connect:Enterprise Secure Client is susceptible to a shared memory permission vulnerability.
CVE(s): CVE-2013-1500
Affected product(s) and affected version(s): IBM Sterling Secure Client: 1.3, 1.4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Vivotek IP Cameras RTSP Authentication Bypass ***
---------------------------------------------
Topic: Vivotek IP Cameras RTSP Authentication Bypass
Risk: High
Text: Core Security - Corelabs Advisory http://corelabs.coresecurity.com Vivotek IP Cameras RTSP Authentication Bypass 1. *A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110038
*** Bugtraq: Open-Xchange Security Advisory 2013-11-06 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529635
*** Kerberos Multi-realm KDC NULL Pointer Dereference Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55588
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WAAS Mobile Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Tweetbot for Mac / for iOS Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55462
*** Arbor Peakflow X Security Bypass and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55536
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-11-2013 18:00 − Dienstag 05-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Switzerland to set up Swiss cloud free of NSA, GCHQ snooping (it hopes) ***
---------------------------------------------
Gnomes of Zurich want spook-immune system. Swisscom, the Swiss telco that's majority-owned by its government, will set up a "Swiss cloud" hosted entirely in the land of cuckoo clocks and fine chocolate - and try to make the service impervious to malware and uninvited spooks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/04/switzerland…
*** Is your vacuum cleaner sending spam?, (Tue, Nov 5th) ***
---------------------------------------------
This past week, a story in a Saint Petersburg (the icy one, not the beach) newspaper caught quite some attention, and was picked up by The Register [1]. The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets. As soon as power was applied, the vacuum cleaner began trolling for open WiFi access points, and if it found one, it would hook up to a spam relay and start ...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16958
*** When attackers use your DNS to check for the sites you are visiting, (Mon, Nov 4th) ***
---------------------------------------------
Nowadays, attackers are definitely interested in checking what sites you are visiting. Depending on that information, they can set up attacks like the following: phishing websites and e-mail scams targeted to specific people so they leak their private information; network spoofing with tools like dsniff, where attackers can tell computers that the sites they want to visit are located somewhere else, therefore enabling them to interact with victims posing as the original site.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16955
*** Manifesto: encryption is to become mandatory for XMPP/Jabber ***
---------------------------------------------
Developers and operators of XMPP/Jabber software and services, among them Jabber inventor Jeremie Miller, want to make it mandatory to encrypt communication over XMPP in the future.
---------------------------------------------
http://www.golem.de/news/manifest-bei-xmpp-jabber-soll-verschluesselung-zur…
*** Biggest Risks in IPv6 Security Today ***
---------------------------------------------
Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.
---------------------------------------------
http://www.cio.com/article/742652/Biggest_Risks_in_IPv6_Security_Today
*** WhatsApp backup stores plaintext at Apple ***
---------------------------------------------
The built-in backup function of the popular messaging program stores all texts and images from the iPhone in Apple's iCloud - completely unencrypted.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-Backup-speichert-Klartext-bei…
*** Cisco Security Notices ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability ***
---------------------------------------------
Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5564 Denial of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/63490
*** Bugtraq: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529620
*** Bugtraq: ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities. ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529621
*** VU#436214: Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads ***
---------------------------------------------
Vulnerability Note VU#436214: Attachmate Verastream Host Integrator Vulnerable to Arbitrary File Uploads
Original Release date: 04 Nov 2013 | Last revised: 04 Nov 2013
Overview: The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads.
---------------------------------------------
http://www.kb.cert.org/vuls/id/436214
*** GitLab Remote code execution vulnerability in the code search feature ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the code search feature
Risk: High
Text: Remote code execution vulnerability in the code search feature of GitLab There is a remote code execution vulnerability in t...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110026
*** GitLab Remote code execution vulnerability in the SSH key upload ***
---------------------------------------------
Topic: GitLab Remote code execution vulnerability in the SSH key upload
Risk: High
Text: # Remote code execution vulnerability in the SSH key upload feature of GitLab There is a remote code execution vulnerability...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110025
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 31-10-2013 18:00 − Montag 04-11-2013 18:00
Handler: Otmar Lendl
Co-Handler: Stephan Richter
*** Top three recommendations for securing your personal data using cryptography, by EU cyber security Agency ENISA in new report ***
---------------------------------------------
ENISA, the European Union's "cyber security" Agency, today launched a report recommending that all authorities should better promote cryptographic measures to safeguard personal data.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/top-three-recommendations-f…
*** Know Your Enemy: Tracking A Rapidly Evolving APT Actor ***
---------------------------------------------
Between Oct. 24-25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin(a)338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance and economic...
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-ra…
*** How To Avoid CryptoLocker Ransomware ***
---------------------------------------------
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from "CryptoLocker," the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
---------------------------------------------
http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
*** Why Motivated Attackers Often Get What They Want ***
---------------------------------------------
Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents you're storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced). According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays,
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002632.html
*** Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity ***
---------------------------------------------
Among the most common misconceptions regarding the exploitation (hacking) of Web sites is that no one would exclusively target *your* Web site, given that there are so many high profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web
---------------------------------------------
http://www.webroot.com/blog/2013/11/01/peek-inside-google-dorks-based-mass-…
*** Secunia's PSI Country Report - Q3 2013, (Fri, Nov 1st) ***
---------------------------------------------
On the heels of discussing Microsoft's Security Intelligence Report v15, wherein the obvious takeaway is "Windows XP be gone!", Secunia's just-released PSI Country Report - Q3 2013 is an interesting supplemental read. Here are the summary details: Programs Installed: 75, from 25 different vendors; 40% (30 of 75) of these programs are Microsoft programs; 60% (45 of 75) of these programs are from third-party vendors; Users with unpatched Operating Systems: 14.6% (WinXP, Win7, Win8,
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16943&rss
*** July-September 2013 ***
---------------------------------------------
NOTE 1: The "ICS-CERT Monitor" newsletter offers a means of promoting preparedness, information sharing, and collaboration with the 16 critical infrastructure sectors. ICS-CERT accomplishes this on a day-to-day basis through sector briefings, meetings, conferences, and information product releases.
---------------------------------------------
http://ics-cert.us-cert.gov/monitors/ICS-MM201310
*** SOHO Router Horror Stories: German Webcast with Mike Messner ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/04/soho-rout…
*** Nordex NC2 - Cross-Site Scripting Vulnerability ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by allowing a specially crafted request that could execute arbitrary script code. This report was released without coordination with either the vendor or NCCIC/ICS-CERT. NCCIC/ICS-CERT is attempting to...
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-304-01
*** VU#450646: Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability ***
---------------------------------------------
Vulnerability Note VU#450646: Tiki Wiki CMS Groupware version 11.0 contains a cross-site scripting (XSS) vulnerability. Original Release date: 31 Oct 2013 | Last revised: 31 Oct 2013. Overview: Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a cross-site scripting (XSS) vulnerability (CWE-79). Description: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). Tiki Wiki CMS Groupware version 11.0 and possibly earlier versions contain a
---------------------------------------------
http://www.kb.cert.org/vuls/id/450646
*** VMSA-2013-0009.2 ***
---------------------------------------------
VMware vSphere, ESX and ESXi updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2013-0009.html
*** TP-Link Cross Site Request Forgery Vulnerability ***
---------------------------------------------
Topic: TP-Link Cross Site Request Forgery Vulnerability Risk: Medium Text: I. Introduction Today the majority of wired Internet connections is used with an embedded NAT router, which allows using ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100223
*** Zend Framework Proxied Request Processing IP Spoofing Weakness ***
---------------------------------------------
https://secunia.com/advisories/55529
*** Novell ZENworks Configuration Management Directory Traversal Flaw Lets Remote Users Obtain Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029289
*** Security Bulletins for multiple HP Products ***
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Bulletins for multiple IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
http://www.securityfocus.com/bid/62018
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-10-2013 18:00 − Thursday 31-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** VU#326830: NAS4Free version 9.1.0.1 contains a remote command execution vulnerability ***
---------------------------------------------
NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remotely authenticated attacker can send an HTTP POST request that contains a malicious PHP file which can cause the script to run directly on the machine.
---------------------------------------------
http://www.kb.cert.org/vuls/id/326830
*** Mozilla Fixes 10 Vulnerabilities with Firefox 25 ***
---------------------------------------------
Mozilla released Firefox 25 yesterday, fixing 10 vulnerabilities, five of them critical.
---------------------------------------------
http://threatpost.com/mozilla-fixes-10-vulnerabilities-with-firefox-25/1027…
*** A New Wave of WIN32/CAPHAW Attacks - A ThreatLabZ Analysis ***
---------------------------------------------
Introduction and setting the context: Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the number of Win32/Caphaw (henceforward known as Caphaw) infections, a family that has been actively targeting users' bank accounts since 2011.
---------------------------------------------
http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html
*** Silent Circle and Lavabit launch 'DarkMail Alliance' to thwart e-mail spying ***
---------------------------------------------
Silent Circle CTO: "What we're getting rid of is SMTP."
---------------------------------------------
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-da…
*** MS Security Intelligence Report Volume 15: January 2013 to June 2013 ***
---------------------------------------------
The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.
---------------------------------------------
http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA…
*** Meet 'badBIOS', the mysterious Mac and PC malware that jumps airgaps ***
---------------------------------------------
Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/jeFXBU0x_Vc/story01…
*** Compliance Checklist: Cloud Encryption Best Practices for Banks and Insurance Companies ***
---------------------------------------------
For industries whose handling of sensitive consumer data renders them subject to strict regulations, the cloud is anything but a simple choice. Before you can commit to the cloud, you'll have to understand exactly what cloud information protection measures you must take to remain in regulatory compliance.
---------------------------------------------
http://blog.ciphercloud.com/compliance-checklist-cloud-encryption-practices…
*** Weekly Update: Exploiting (Kind of) Popular FOSS Apps ***
---------------------------------------------
- Moodle Remote Command Execution
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
- Zabbix Authenticated Remote Command Execution
- Mac OS X Persistent Payload Installer
- Persistent Payload in Windows Volume Shadow Copy
- and many more
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/30/weekly-up…
*** Cisco IOS XE Multiple Bugs Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029277
*** Moodle Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100211
*** D-Link Backdoor Czechr Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100219
*** ISPConfig Authenticated Arbitrary PHP Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100215
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-10-2013 18:00 − Wednesday 30-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Nuclear Exploit Pack Getting More Aggressive ***
---------------------------------------------
Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week, we stumbled upon thousands of transactions involving the Nuclear Exploit Pack infestation.
---------------------------------------------
http://research.zscaler.com/2013/10/nuclear-exploit-pack-getting-more.html
*** A Tour Through The Chinese Underground ***
---------------------------------------------
The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-tour-through-t…
*** Major Corporations Fail to Defend Against Social Engineering ***
---------------------------------------------
Companies such as Apple and General Motors gave up crucial company information to social engineers during the annual Capture the Flag contest at Def Con.
---------------------------------------------
http://threatpost.com/major-corporations-fail-to-defend-against-social-engi…
*** iOS apps can be hijacked to show fraudulent content and intercept data ***
---------------------------------------------
A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday.
---------------------------------------------
http://arstechnica.com/security/2013/10/ios-apps-can-be-hijacked-to-show-fr…
*** New Injection Campaign Peddling Rogue Software Downloads ***
---------------------------------------------
A mass injection campaign surfaced over the last two weeks that's already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer.
---------------------------------------------
http://threatpost.com/new-injection-campaign-peddling-rogue-software-downlo…
*** Defending Against CryptoLocker ***
---------------------------------------------
CryptoLocker infections were found across different regions, including North America, Europe, the Middle East and the Asia Pacific. Almost two-thirds of the affected victims - 64% - were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/defending-agains…
*** Analysis: Kaspersky Lab Report: Java under attack - the evolution of exploits in 2012-2013 ***
---------------------------------------------
One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user and, in some cases, without triggering an alert from security software.
---------------------------------------------
http://www.securelist.com/en/analysis/204792310/Kaspersky_Lab_Report_Java_u…
*** Microsoft sees a decline in the virus threat, but rising infections ***
---------------------------------------------
In almost all major countries the number of 'encounters with malware' has declined markedly, the current Microsoft Security Intelligence Report states. It is too early to sound the all-clear, however, because the number of infections is nonetheless rising.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-sieht-Rueckgang-der-Virengef…
*** Joomla! Media Manager allows arbitrary file upload and execution ***
---------------------------------------------
A vulnerability has been discovered in older versions of the Joomla! content management software that allows an authenticated attacker to upload active content through the media manager form ('administrator/components/com_media/helpers/media.php'). Joomla! allows files with a trailing '.' to pass the upload checks.
---------------------------------------------
http://www.kb.cert.org/vuls/id/639620
*** Apple's Siri is helping users bypass iOS security ***
---------------------------------------------
Siri was designed to be an effective personal assistant, but since the release of iOS 7, the artificial intelligence is bringing the bad with the good.
---------------------------------------------
http://www.scmagazine.com/apples-siri-is-helping-users-bypass-ios-security/…
*** [remote] - Apache / PHP 5.x Remote Code Execution Exploit ***
---------------------------------------------
+++ Affects outdated versions +++
Versions patched against CVE-2012-1823 are not affected.
---------------------------------------------
http://www.exploit-db.com/exploits/29290
*** Vuln: Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-5599 Remote Memory Corruption Vulnerability ***
---------------------------------------------
+++ Affects outdated versions +++
---------------------------------------------
http://www.securityfocus.com/bid/63423
*** ASUS RT-N13U Backdoor Account ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100206
*** Vuln: XAMPP for Windows Multiple Cross Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/53979
*** Citrix XenDesktop Upgrade Feature Bug Lets Remote Authenticated Users Bypass Policy Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1029263
*** WordPress MoneyTheme Cross Site Scripting / Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100199
*** WordPress Curvo Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100197
*** Google Play Billing Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100203
*** sup Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100202
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-10-2013 18:00 − Tuesday 29-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Background: iOS virus scanner of dubious value ***
---------------------------------------------
Avira has released an antivirus app for iOS that is supposed to protect against malicious processes. Which processes those are, and how they are detected, the company does not say.
---------------------------------------------
http://www.heise.de/security/artikel/iOS-Virenscanner-mit-zweifelhaftem-Nut…
*** Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities ***
---------------------------------------------
When ISC reader Yin reported earlier today that one of their servers had been hacked via the Apache Struts remote command execution vulnerability (CVE-2013-2251), at first this was flagged as "business as usual". Said vulnerability, after all, has been known since July, and we've been seeing exploit attempts since early August (diary here).
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16913
*** ATM malware Ploutus updated with English-language version ***
---------------------------------------------
The Spanish-language ATM malware, which allowed attackers in Mexico to force ATMs to spit out cash, now has an updated English-language version.
---------------------------------------------
http://www.scmagazine.com//atm-malware-ploutus-updated-with-english-languag…
*** Adobe Breach Impacted At Least 38 Million Users ***
---------------------------------------------
The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company's Photoshop family of graphical design products.
---------------------------------------------
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-millio…
*** Analysis: Spam in September 2013 ***
---------------------------------------------
In September, the proportion of world spam in mail traffic continued to decline and reached 66%. As always the spammers focused on advertising seasonal goods and services. For example, the number of offers related to energy saving and insulating buildings increased significantly.
---------------------------------------------
http://www.securelist.com/en/analysis/204792309/Spam_in_September_2013
*** Routerpwn ***
---------------------------------------------
Routerpwn is a web application that helps you in the exploitation of vulnerabilities in residential routers. It is a compilation of ready to run local and remote web exploits.
---------------------------------------------
http://www.routerpwn.com/
*** Windows XP is and remains a high-risk system ***
---------------------------------------------
In the current Security Intelligence Report (SIR), Microsoft again warns about Windows XP. Security chief Tim Rains defends the decision to end support.
---------------------------------------------
http://futurezone.at/digital-life/windows-xp-ist-und-bleibt-ein-hochriskant…
*** Internet Safety - Tips for Parents ***
---------------------------------------------
Internet basics can be as straightforward as pushing buttons or clicking a mouse. Understanding how youth use the Internet, however, can be an overwhelming task, especially for adults who don't spend much time online.
---------------------------------------------
http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=87&languageId=1&content…
*** Cyber Security Assessment Netherlands ***
---------------------------------------------
Cybercrime and digital espionage remain the biggest threats to both governments and the business community. The threat of disruption of online services has increased. Clearly visible in the past year has been the rise of the criminal cyber services sector. Cyber-attack tools are made commercially available through 'cybercrime as a service'.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assesment-ne…
*** Social media and digital identity. Prevention and incident response ***
---------------------------------------------
The hack of a social media account is a common incident that could have a serious impact on our digital identity. How can it be prevented? What should you do in case of a hack?
---------------------------------------------
http://securityaffairs.co/wordpress/19143/cyber-crime/social-media-security…
*** Supposed Fritzbox fax turns out to be a Trojan ***
---------------------------------------------
Malicious e-mails disguised as fax notifications from a Fritzbox are currently spreading rapidly. The attached zip archive contains not a fax but a Trojan.
---------------------------------------------
http://www.heise.de/security/meldung/Angebliches-Fritzbox-Fax-entpuppt-sich…
*** Facebook Android Flaws Enable Any App to Get User's Access Tokens ***
---------------------------------------------
A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user's Facebook access token and take over her account.
---------------------------------------------
http://threatpost.com/facebook-android-flaws-enable-any-app-to-get-users-ac…
*** [webapps] - Pirelli Discus DRG A125g - Password Disclosure Vulnerability. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29262
*** DSA-2786 icu ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2786
*** vBulletin 4.1.x / 5.x.x Administrative User Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100192
*** MobileIron 4.5.4 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100190
*** SAP Financial Services Statutory Reporting for Insurance (FS-SR) Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029256
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-10-2013 18:00 − Monday 28-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Email contains phishing scam, not iPhone 5S ***
---------------------------------------------
A new phishing email circulating the globe is preying on Apple fans who can't wait to get their hands on the coming iPhone 5S and iPhone 5c devices.
---------------------------------------------
http://www.scmagazine.com/email-contains-phishing-scam-not-iphone-5s/articl…
*** Blog: Cryptolocker Wants Your Money! ***
---------------------------------------------
A new ransomware Trojan is on the loose. The attackers give you roughly three days to pay them, otherwise your data is gone forever.
---------------------------------------------
http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money
*** Blog software Wordpress 3.7 updates itself ***
---------------------------------------------
In the new version 3.7, the blog software Wordpress keeps itself up to date: security updates will from now on be installed automatically in the background, provided the configuration allows it. The other new features likewise primarily serve security.
---------------------------------------------
http://www.heise.de/security/meldung/Blog-Software-Wordpress-3-7-aktualisie…
*** Periodic Connections to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** Improving Hadoop Security with Host Intrusion Detection (Part 2) ***
---------------------------------------------
This is a continuation of our previous post on Hadoop security. As we mentioned in our earlier post, we can use OSSEC to monitor the file integrity of these existing Hadoop and HBase systems. OSSEC creates logs which a system administrator can use to check for various system events. It's worth noting that big data systems ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/improving-hadoop…
*** Active Perl/Shellbot Trojan ***
---------------------------------------------
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on Virustotal; the script contains a 'hostauth' of sosick[.]net[3], and the IRC server to which the compromised systems connect is located at 89.248.172.144. From what we have so far, it appears to be exploiting older versions of Plesk.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16907&rss
*** LinkedIn can read your mail ***
---------------------------------------------
The recently introduced Intro technology for iOS has drawn criticism for the professional network: it is said to be a dream for attackers and intelligence services. The company defends itself: everything is secure and it respects users' privacy.
---------------------------------------------
http://www.heise.de/security/meldung/LinkedIn-kann-Mails-mitlesen-2034490.h…
*** Break-in at Buffer ***
---------------------------------------------
The social media service was hacked yesterday. According to the company blog, neither passwords nor credit card information were lost.
---------------------------------------------
http://www.heise.de/security/meldung/Einbruch-bei-Buffer-2034519.html
*** Storewize: IBM warns of security hole in storage systems ***
---------------------------------------------
The SAN controllers of IBM's Storewize series contain a hole that lets an attacker change the configuration and also delete data. A firmware update, which is already available, fixes the problem. (IBM, networking)
---------------------------------------------
http://www.golem.de/news/storewize-ibm-warnt-vor-sicherheitsluecke-in-stora…
*** End User Devices Security and Configuration Guidance ***
---------------------------------------------
UK Government configuration guidance for the following platforms:
End User Devices Security Guidance: Windows Phone 8
End User Devices Security Guidance: Android 4.2
End User Devices Security Guidance: Windows 7 and Windows 8
End User Devices Security Guidance: Ubuntu 12.04
End User Devices Security Guidance: Windows 8 RT
...
---------------------------------------------
https://www.gov.uk/government/collections/end-user-devices-security-guidanc…
*** Bypassing security scanners by changing the system language ***
---------------------------------------------
Luiz Eduardo and Joaquim Espinhara found that the majority of pentesting tools analyze specific problems in web applications - such as SQL injection - via the return messages that are provided by the application, and not by the error code that is reported by the database management system. So, what would happen if the setup language was not English, but Chinese or Portuguese? As their research showed, if the target SQL server doesn't use English by default, the scanners won't be able to
---------------------------------------------
http://www.net-security.org/secworld.php?id=15832
*** Cisco Identity Services Engine contains an input validation vulnerability ***
---------------------------------------------
Vulnerability Note VU#952422: Cisco Identity Services Engine contains an input validation vulnerability. Original Release date: 28 Oct 2013 | Last revised: 28 Oct 2013. Overview: Cisco Identity Services Engine contains an input validation vulnerability (CWE-20). Description: CWE-20: Improper Input Validation. Cisco Identity Services Engine (ISE) contains an input validation vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/952422
*** I challenged hackers to investigate me and what they found out is chilling ***
---------------------------------------------
It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message.
---------------------------------------------
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and…
*** Spammers: please take a look in your junk folder ***
---------------------------------------------
Spam filters now work quite reliably. The spammers know this too, which is why they send a second message right after the first.
---------------------------------------------
http://www.heise.de/security/meldung/Spam-Versender-Schauen-Sie-doch-mal-bi…
*** Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug ***
---------------------------------------------
It's been known for some time now (several months, in fact) that there is a critical, remotely exploitable vulnerability in some of Netgear's ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by HD Moore of Rapid7 found that ...
---------------------------------------------
http://threatpost.com/scan-shows-65-of-readynas-boxes-on-web-vulnerable-to-…
*** Vuln: Cisco Catalyst 3750 Series Switches Default Credentials Security Bypass Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63342
*** Bugtraq: Multiple CSRF Horde Groupware Web mail Edition 5.1.2 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529466
*** Bugtraq: DD-WRT v24-sp2 Command Injection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529463
*** Apache Struts2 showcase multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100185
*** DSA-2787 roundcube ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2787
*** Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit. ***
---------------------------------------------
http://www.exploit-db.com/exploits/29023
*** GnuPG Side-Channel Attack Lets Local Users Recover RSA Secret Keys ***
---------------------------------------------
http://www.securitytracker.com/id/1029242
*** DSA-2785 chromium-browser ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2785
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-10-2013 18:00 − Friday 25-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Periodic Links to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-…
*** DDoS mitigation firm notes dramatic increase in reflection attack style ***
---------------------------------------------
Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found.
---------------------------------------------
http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-r…
*** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say ***
---------------------------------------------
LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.
---------------------------------------------
http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-at…
*** Evasive Tactics: Terminator RAT ***
---------------------------------------------
FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tact…
*** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot ***
---------------------------------------------
Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have...
---------------------------------------------
http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercia…
*** OSX/Leverage.a Analysis ***
---------------------------------------------
A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis
*** PHP.net abused to distribute malware ***
---------------------------------------------
Contrary to earlier statements by the administrators, the PHP project site did fall victim to a hacker attack. Two servers were hijacked and used to distribute malicious code.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-mi…
*** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability ***
---------------------------------------------
RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/62238/
http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01
*** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61725
*** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62200
*** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62016
*** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029237
*** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029241
*** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63326
*** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63288
*** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) ***
---------------------------------------------
CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-10-2013 18:00 − Thursday 24-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Neutrino: Caught in the Act ***
---------------------------------------------
Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code: The deobfuscated code shows the location from where the...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002626.html
*** New and old router vulnerabilities at Netgear, Tenda and DrayTek ***
---------------------------------------------
Security experts have found a backdoor in routers of Netgear's WNDR series that allows full access to the device without a password prompt. On models from Tenda and DrayTek, malicious code can be executed without having to log in.
---------------------------------------------
http://www.heise.de/security/meldung/Neue-und-alte-Router-Luecken-bei-Netge…
*** Industrial software flaw could allow manipulation of energy processes ***
---------------------------------------------
The vulnerability lies in industrial automation software that uses a weak encryption algorithm for user authentication, researchers at IOActive found.
---------------------------------------------
http://www.scmagazine.com/industrial-software-flaw-could-allow-manipulation…
*** Bugtraq: ESA-2013-067: RSA® Authentication Agent for Web for Internet Information Services (IIS) Security Controls Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529394
*** Bugtraq: RPS/APS vulnerability in snom/yealink and others ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529397
*** Security Bulletin: IBM Flex System Manager expired USERID password vulnerability (CVE-2013-5424) ***
---------------------------------------------
Security Bulletin: IBM Flex System Manager expired USERID password vulnerability (CVE-2013-5424). Affected product(s) and affected version(s): IBM Flex System Manager Node, Types 7955, 8731, 8734 (all models), Version 1.3.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Cisco IOS XR Software Route Processor Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Identity Services Engine ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Secure ACS Distributed Deployment Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Vuln: Multiple Cisco Appliances CVE-2013-5537 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63280
*** Vuln: Joomla! Maian15 Component name Parameter Arbitrary Shell Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63287
*** Vuln: Drupal Spaces Module Access Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63305
*** WordPress Blue Wrench Video Widget Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55456
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-10-2013 18:00 − Tuesday 22-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake Dropbox Password Reset Spam Leads to Malware ***
---------------------------------------------
A new spam campaign has been circulating over the last few weeks in hopes of duping users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page.
---------------------------------------------
http://threatpost.com/fake-dropbox-password-reset-spam-leads-to-malware/102…
*** New DIY compromised hosts/proxies syndicating tool spotted in the wild ***
---------------------------------------------
Compromised, hacked hosts and PCs are a commodity in underground markets today. More cybercriminals are populating the market segment with services tailored to fellow cybercriminals looking for access to freshly compromised PCs to be later abused in a variety of fraudulent/malicious ways, all the while taking advantage of their clean IP reputation. Naturally, once the commoditization took place, cybercriminals quickly realized that the supply of such hosts also shaped several different market...
---------------------------------------------
http://www.webroot.com/blog/2013/10/21/new-diy-compromised-hostsproxies-syn…
*** Cryptolocker Update, Request for Info, (Tue, Oct 22nd) ***
---------------------------------------------
It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong. In essence, post infection it encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC). It is one of the few pieces of ransomware that does encryption right so at present, short of paying the ransom, there is no other means to decrypt. Bleeping Computer has a good write up, but below are the TL;DR highlights.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16871&rss
*** Touch ID: Biometrics Don't Make For Good Passwords ***
---------------------------------------------
There's an Apple event scheduled for tomorrow which will showcase this year's iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apple's Touch ID, its fingerprint identity sensor. And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers. That being the case, we strongly recommend the following by @dustinkirkland: • Fingerprints are Usernames, not Passwords. We welcome intelligent use of
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002624.html
*** Defending Against Crypto Backdoors ***
---------------------------------------------
We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/defending_again_1.html
*** Security Bulletins: Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.2.
---------------------------------------------
http://support.citrix.com/article/CTX139295
*** Vuln: 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/46936
*** WordPress Portable phpMyAdmin Plugin Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55270
*** WatchGuard Extensible Threat Management and System Manager Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55388
*** Vuln: D-Link DIR-605L CAPTCHA Data Stack Based Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/56330
*** Bugtraq: [CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529364
*** Cisco ASA VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** Security Bulletin: IBM SONAS fix available for Cross Frame Scripting vulnerability via Graphical User Interface (CVE-2013-5376) ***
---------------------------------------------
An issue in IBM SONAS allows remote attackers to access the system as an authorized administrative user.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM SONAS Fix Available for SONAS Cross Protocol Vulnerability (CVE-2013-0500) ***
---------------------------------------------
IBM SONAS includes a flaw in the handling of special files created by an NFS client resulting in a vulnerability reported against IBM SONAS.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: XML4J denial of service attack (CVE-2013-5372) ***
---------------------------------------------
XML4J is vulnerable to a denial of service attack triggered by a specially crafted XML document.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21653087
*** IBM Domino / iNotes Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55405
https://secunia.com/advisories/55409
*** IBM WebSphere DataPower XC10 Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55402
*** F5 BIG-IP Traffic Management Microkernel Component Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029220
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-10-2013 18:00 − Monday 21-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Card Data Siphon with Google Analytics ***
---------------------------------------------
The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each year, Trustwave SpiderLabs investigates hundreds of incidents of data compromise. I work on some of these investigations and occasionally get to evaluate some rather unusual attack vectors. This blog post details a novel data extraction technique using...
---------------------------------------------
http://blog.spiderlabs.com/2013/10/card-data-siphon-with-google-analytics.h…
*** New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do", (Mon, Oct 21st) ***
---------------------------------------------
Recently, two papers independently outlined new attacks against DNS, undermining some of the security features protecting us from DNS spoofing. As Dan Kaminsky showed [1], 16 bit query IDs are an insufficient protection against DNS spoofing. As a result, DNS servers started to randomize the source port of DNS queries in order to make DNS spoofing harder. This was never meant to "fix" DNS spoofing, but worked well enough for DNSSEC to be pushed back yet again. Overall, to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16859&rss
*** Darkleech in Europe, Middle East and Africa ***
---------------------------------------------
In a previous blog post, we discussed how Darkleech-related malware wound up on a FireEye partner’s website. We followed up with a post detailing a major wave of Darkleech activity linked to a major global malvertising campaign. In this post,...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/10/darkleech-in-europe-middle-ea…
*** Threatpost News Wrap, October 18, 2013 ***
---------------------------------------------
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-october-18-2013/102624
*** Bugtraq: OWASP Vulnerable Web Applications Directory Project ***
---------------------------------------------
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training...
---------------------------------------------
http://www.securityfocus.com/archive/1/529293
*** DNP3 Implementation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the implementation.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01
*** Yet Another WHMCS SQL Injection Exploit, (Sat, Oct 19th) ***
---------------------------------------------
WHMCS, a popular billing/support/customer management system, is still suffering from critical SQL injection issues. Today, yet another vulnerability, including exploit was released...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16853&rss
*** Vuln: WordPress Quick Paypal Payments Plugin Multiple HTML Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/63213
*** Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100127
*** Wordpress spreadsheet Plugin Cross site scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100130
*** Cisco Unified Computing System Bugs Let Remote Users Conduct Man-in-the-Middle Attacks and Obtain Information and Let Local Users View Files ***
---------------------------------------------
http://www.securitytracker.com/id/1029209
*** Vuln: OpenLDAP rwm_conn_destroy Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63190
*** IBM WebSphere Partner Gateway Java Spoofing and Denial of Service Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55406
*** Vulnerability Note VU#303900 - SAP Sybase Adaptive Server Enterprise vulnerable to XML injection ***
---------------------------------------------
SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).
---------------------------------------------
http://www.kb.cert.org/vuls/id/303900
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-10-2013 18:00 − Friday 18-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** You're infected - if you want to see your data again, pay us $300 in Bitcoins ***
---------------------------------------------
Ransomware comes of age with unbreakable crypto, anonymous payments.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/VLDxuwIP36Q/story01…
*** DNS experts discuss risks of new attack scenarios ***
---------------------------------------------
Researchers describe attack scenarios against the Domain Name System in which the fragmentation of IP packets is exploited.
---------------------------------------------
http://www.heise.de/security/meldung/DNS-Experten-diskutieren-Risiken-neuer…
*** Kankan - a Chinese Trojan story ***
---------------------------------------------
Eset's analysts have pieced together a mysterious story about a Trojan that spread mainly in China. The ingredients: infected PCs and smartphones, a repentant software vendor and several open questions.
---------------------------------------------
http://www.heise.de/security/meldung/Kankan-eine-chinesische-Trojaner-Gesch…
*** Got a mobile phone? Then you've got a Trojan problem too ***
---------------------------------------------
This time it's personal. Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don't want to let in.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/
*** VMware Release Multiple Security Updates ***
---------------------------------------------
VMware released the following security updates. The first one is VMSA-2013-0012, which addresses multiple vulnerabilities in vCenter Server, vSphere Update Manager, ESXi and ESX. The second is VMSA-2013-0006.1, which addresses multiple vulnerabilities in vCenter Server Appliances and vCenter Server running on Windows. The last is VMSA-2013-0009.1, which addresses multiple vulnerabilities in vCenter Server, ESX and ESXi by updating third party libraries.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16847&rss
*** Fiendish CryptoLocker ransomware: Whatever you do, don't PAY ***
---------------------------------------------
Create remote backups before infection, advise infosec bods. A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.
---------------------------------------------
http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/
*** Sybase Adaptive Server Enterprise XML injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88105
*** cPanel CloudFlare Plugin Unspecified Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55273
*** osCommerce Flaws Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks to Create New Admin Accounts ***
---------------------------------------------
http://www.securitytracker.com/id/1029189
*** Level One Enterprise Access Points Password Disclosure ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100123
*** Bugtraq: CSRF vulnerability in LinkedIn ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529270
*** Summary for October 2013 - Version: 1.1 ***
---------------------------------------------
http://technet.microsoft.com/en-za/security/bulletin/ms13-oct
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-10-2013 18:00 − Thursday 17-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Bug Hunters Find 25 ICS, SCADA Vulnerabilities ***
---------------------------------------------
A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.
---------------------------------------------
http://threatpost.com/bug-hunters-find-25-ics-scada-vulnerabilities/102599
*** Researchers uncover holes that open power stations to hacking ***
---------------------------------------------
Hacks could cause power outages and don't need physical access to substations.
---------------------------------------------
http://arstechnica.com/security/2013/10/researchers-uncover-holes-that-open…
*** Raising awareness quickly: A look at basic password hygiene ***
---------------------------------------------
Rapid7's tips for strengthening your first line of defense
---------------------------------------------
http://www.csoonline.com/article/741540/raising-awareness-quickly-a-look-at…
*** Mass iFrame injection campaign leads to Adobe Flash exploits ***
---------------------------------------------
We've intercepted an ongoing malicious campaign, relying on injected/embedded iFrames at Web sites acting as intermediaries for successful client-side exploits to take place. Let's dissect the campaign, expose the malicious domains portfolio/infrastructure it relies on, as well as directly connect it with historical malicious activity, in this particular case, a social engineering campaign pushing fake browser updates.
---------------------------------------------
http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads…
*** Top 20 Free Digital Forensic Investigation Tools for SysAdmins ***
---------------------------------------------
Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it's for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics.
---------------------------------------------
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-fo…
*** Background: default passwords no security risk? ***
---------------------------------------------
ICS-CERT, which is responsible for critical infrastructure such as dams and nuclear power plants, says default passwords do not pose a security risk as long as they are well documented and changeable. Is that really the case?
---------------------------------------------
http://www.heise.de/security/artikel/Standardpasswoerter-kein-Sicherheitsri…
*** Apple iMessage Open to Man in the Middle, Spoofing Attacks ***
---------------------------------------------
The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages or decrypt them and hand them over at the order of a government agency.
---------------------------------------------
http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-att…
*** IBM Storwize V7000 Unified Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55247
*** Bugtraq: PayPal Inc Bug Bounty #61 - Persistent Mail Encoding Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529250
*** Puppet Enterprise Dashboard Report YAML Handling Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55362
*** Drupal Context Multiple Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100111
*** Drupal Simplenews Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100112
*** Vuln: Cisco Identity Services Engine CVE-2013-5539 Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63031
*** Bugtraq: Security Advisory for Bugzilla 4.4.1, 4.2.7 and 4.0.11 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529262
*** Panda Security for Business Pagent.exe code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/88091
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-10-2013 18:00 − Wednesday 16-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** ORACLE Critical Patch Update - October 2013 ***
---------------------------------------------
Critical Patch Update - October 2013
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
** Follow-up **
*** Critical Java Update Plugs 51 Security Holes ***
---------------------------------------------
Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software.
---------------------------------------------
http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
*** Android encryption "improved" for the worse ***
---------------------------------------------
For several years, Android has apparently preferred encryption methods for Internet connections that are actually considered broken. The motivation behind this is unclear.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Verschluesselung-wurde-verschl…
*** Google Fixes Three High-Risk Flaws in Chrome ***
---------------------------------------------
There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday. The vulnerabilities are all use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them.
---------------------------------------------
http://threatpost.com/google-fixes-three-high-risk-flaws-in-chrome/102586
*** Registrar in Metasploit DNS Hijacking Not Duped by Fax ***
---------------------------------------------
Rapid7 said today that an employee at its registrar, Register.com, was duped out of their credentials leading to a DNS hijacking attack against the Rapid7 and Metasploit websites.
---------------------------------------------
http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by-fa…
*** How Vulnerable Are Your Phishing Targets? ***
---------------------------------------------
How Vulnerable Are Your Phishing Targets?
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/16/how-vulne…
*** ASLR Bypass Apocalypse in Lately Zero-Day Exploits ***
---------------------------------------------
ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in modern operating systems. However, many innovative ASLR bypass techniques have been used in recent APT attacks.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-ap…
*** Vulnerabilities Discovered in Global Vessel Tracking Systems ***
---------------------------------------------
Text by Marco Balduzzi and Kyle Wilhoit. Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-…
*** Blog: Under Pressure ***
---------------------------------------------
Any online project - be it a long-lost blog, or a new start-up's web app - has a very important performance feature called a "maximum load". This indicator makes itself known when a web app either partially or fully fails to perform its assigned functions to process user requests.
---------------------------------------------
http://www.securelist.com/en/blog/8136/Under_Pressure
*** Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild ***
---------------------------------------------
The never-ending supply of access to compromised/hacked PCs - the direct result of the general availability of DIY/cracked/leaked malware/botnet generating tools - continues to grow in terms of the number and variety of such type of underground market propositions.
---------------------------------------------
http://www.webroot.com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop…
*** Honeydroid: Android phone becomes a hacker trap ***
---------------------------------------------
Experts at Deutsche Telekom are turning Android smartphones into mobile honeypots. In three months they were able to log more than 10,000 attacks on a single device in the mobile network.
---------------------------------------------
http://www.heise.de/security/meldung/Honeydroid-Android-Handy-wird-zur-Hack…
*** Convincing "Urgent Windows Error Fix" phishing email doing rounds ***
---------------------------------------------
A pretty convincing email phishing campaign is targeting one of the largest user bases out there - those who use Microsoft's Windows OS - by taking advantage of the recent problems that the company has been having with updates.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15779
*** HP Service Manager Bugs Permit Cross-Site Scripting, Information Disclosure, and Code Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029180
*** UbiDisk File Manager v2.0 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/28977
*** Apple iOS 7.0.2 SIM Lock Screen Display Bypass ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100103
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-10-2013 18:00 − Tuesday 15-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Robert Waldner
*** Fingerprinting Ubuntu OS Versions using OpenSSH ***
---------------------------------------------
Over the past couple of weeks, I’ve been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine. Having the capability to detect a target’s operating system can be very useful. Whether you’re performing a simple asset identification scan or doing an in depth review, this information helps you make more informed decisions. In this blog post, I’ll be talking about a technique that you can use to fingerprint a server operating system
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/e7s2jWmx7bU/fingerprin…
*** October 2013 Security Bulletin Webcast, Q&A, and Slide Deck ***
---------------------------------------------
Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page. We invite our customers to join us for the next public webcast on Wednesday,
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/10/14/october-2013-security-bu…
*** Vuln: osCommerce products_id Parameter HTML Injection Vulnerability ***
---------------------------------------------
osCommerce is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Hostile HTML and script code may be injected into vulnerable sections of the application. When an unsuspecting user visits the affected site and views the affected section, the attacker-supplied code is rendered in the user's browser in the context of that site.
osCommerce 2.3.3 is vulnerable. Other versions may also be affected.
---------------------------------------------
http://www.securityfocus.com/bid/62997
*** Insecurities in the Linux /dev/random ***
---------------------------------------------
New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust," by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/insecurities_in.html
*** Thousands of Sites Hacked Via vBulletin Hole ***
---------------------------------------------
Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Mc94cSf4_Mc/
*** Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Juniper Junos SRX Series Gateway Buffer Overflow in Telnet Firewall Lets Remote Users Execute Arbitrary Code
---------------------------------------------
http://www.securitytracker.com/id/1029175
*** Sensors give away the smartphone's identity ***
---------------------------------------------
A smartphone's sensor readings can give away its user like a digital fingerprint. Researchers at Stanford University in the US have demonstrated this.
---------------------------------------------
http://futurezone.at/digital-life/sensoren-verraten-identitaet-des-smartpho…
*** Steam client gives attackers SYSTEM privileges ***
---------------------------------------------
The Windows version of the gaming platform Steam contains a vulnerability that allows an attacker to execute malicious code with SYSTEM privileges. Valve remains silent about the flaw.
---------------------------------------------
http://www.heise.de/security/meldung/Steam-Client-verhilft-Angreifern-zu-Sy…
*** We scanned the Internet for port 22 ***
---------------------------------------------
We scanned the entire Internet for port 22 - the port reserved for SSH, the protocol used by sysadmins to remotely log into machines. Unlike our normal scans of port 80 or 443, this generated a lot more abuse complaints, so I thought I'd explain the scan.
---------------------------------------------
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
*** Blog: Pharmaceutical ‘phishing’ ***
---------------------------------------------
Adverts for medication to improve male sex drive are a staple of spam mailings. Like any other unsolicited messages, emails of this nature have evolved with time and today’s versions no longer merely contain promises of enhanced potency and a link to a site selling pills. In August and September we noted a series of mailings that used the names of well-known companies and looked just like typical phishing messages. However, instead of a phishing site the links they contained led to an advert for “male medication”.
---------------------------------------------
http://www.securelist.com/en/blog/8135/Pharmaceutical_phishing
*** Cisco Video Surveillance 4000 Series IP Camera Analytics Page Hardcoded Credentials Security Issue ***
---------------------------------------------
A security issue has been reported in Cisco Video Surveillance 4000 Series IP Camera, which can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to the device allowing access to the analytics page using hardcoded credentials, which can be exploited to gain access to an otherwise restricted video feed.
The security issue is reported in versions 2.4(0.1) and 3.1(0.52).
---------------------------------------------
https://secunia.com/advisories/55283
*** [2013-10-15] Multiple critical vulnerabilities in SpamTitan ***
---------------------------------------------
SpamTitan suffers from multiple critical vulnerabilities. Unauthenticated attackers are able to completely compromise the system and extract or manipulate database contents.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** WordPress security threats, protection tips and tricks ***
---------------------------------------------
To start off with, there are some things that you can do just once to improve the security of your WordPress blog or website, but you still have to always follow a number of rules while using WordPress. By following such rules you will be safe from most of the automated targeted WordPress attacks, which typically spread like wildfire ...
---------------------------------------------
http://www.net-security.org/article.php?id=1895
*** D-link to Padlock Router Backdoor By Halloween ***
---------------------------------------------
D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password. The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.
---------------------------------------------
http://www.cio.com/article/741414/D_link_to_Padlock_Router_Backdoor_By_Hall…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-10-2013 18:00 − Monday 14-10-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** 2013-10 Security Bulletin: Junos: GNU libc glob(3) GLOB_LIMIT Remote Denial of Service Vulnerability (CVE-2010-2632) ***
---------------------------------------------
The glob implementation in libc allows authenticated remote users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. This vulnerability can be exploited against a device running Junos OS with FTP services enabled to launch a high CPU utilization partial denial of service attack.
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10598
*** Top sites (and maybe the NSA) track users with 'device fingerprinting' ***
---------------------------------------------
May make it easier to follow privacy-minded users on the darknet.
---------------------------------------------
http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-u…
*** Threat Refinement Ensues with Crypto Locker, SHOTODOR Backdoor ***
---------------------------------------------
In our 2013 Security Predictions, we anticipated that cybercriminals would focus on refining existing tools, instead of creating new threats. Two threats that both represent refinements of previously known threats show this effectively.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/threat-refinemen…
*** Critical Patch Update - October 2013 - Pre-Release Announcement ***
---------------------------------------------
Critical Patch Update - October 2013 - Pre-Release Announcement
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
*** Blackhole, Supreme No More ***
---------------------------------------------
The Blackhole exploit kit has always been a favorite example when discussing the impact of kits on internet users. We've previously mentioned in our posts how fast it was in supporting new vulnerabilities, how it was related to Cool, and that it was the leading kit in our telemetry data. Blackhole and Cool almost always had special mentions in our Threat Reports.
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002622.html
*** Debian Security Advisory DSA-2776 drupal6 ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2776
*** Debian Security Advisory DSA-2777 systemd ***
---------------------------------------------
several vulnerabilities
---------------------------------------------
http://www.debian.org/security/2013/dsa-2777
*** Stable Debian 7.2 fixes bugs and resolves security problems ***
---------------------------------------------
The Debian project updates the Linux distribution Debian 7 (Wheezy) to version 7.2, fixing a long list of bugs and closing security holes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Stabiles-Debian-7-2-behebt-Fehler-un…
*** Google Chrome stores credit card data in plaintext ***
---------------------------------------------
Google's Chrome browser is once again under fire from security experts. They criticize that Chrome stores sensitive data in plaintext on the hard disk.
---------------------------------------------
http://futurezone.at/produkte/google-chrome-speichert-kreditkarten-daten-al…
*** Security Bulletin: WebSphere eXtreme Scale Monitoring Console Web Vulnerabilities (CVE-2013-5390, CVE-2013-5393, CVE-2013-5394) ***
---------------------------------------------
Three web security vulnerabilities were identified in the WebSphere eXtreme Scale monitoring console, those being a cross site scripting vulnerability, a log-off processing weakness, and vulnerability to a phishing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_web…
*** Back door found in D-Link routers ***
---------------------------------------------
D-secret is D-logon string allowing access to everything
A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units' admin interfaces.
---------------------------------------------
http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/
*** Spamvertised T-Mobile 'Picture ID Type:MMS' themed emails lead to malware ***
---------------------------------------------
The cybercriminals behind last week's profiled fake T-Mobile themed email campaign have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message.
---------------------------------------------
http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typ…
*** Captain, Where Is Your Ship Compromising Vessel Tracking Systems ***
---------------------------------------------
In recent years, automated identification systems (AIS) have been introduced to enhance ship tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS is currently mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tons. It works by acquiring GPS coordinates and exchanging the vessel's position, course and ...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/captain-where-is…
*** WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
WordPress Cart66 Lite Plugin Cross-Site Request Forgery Vulnerability
---------------------------------------------
https://secunia.com/advisories/55265
*** End User Devices Security Guidance: Windows 7 and Windows 8 ***
---------------------------------------------
This guidance is applicable to devices running Enterprise versions of Windows 7 and Windows 8, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features.
---------------------------------------------
https://www.gov.uk/government/publications/end-user-devices-security-guidan…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-10-2013 18:00 − Friday 11-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** WhatsApp Crypto Error Exposes Messages ***
---------------------------------------------
WhatsApp, a popular mobile message application, suffers from a crypto implementation vulnerability that leaves messages exposed. Thijs Alkemade, a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, disclosed a serious issue this week with the encryption used to secure WhatsApp messages, namely that the same...
---------------------------------------------
http://threatpost.com/whatsapp-crypto-error-exposes-messages/102565
*** Some Bing Ads Redirecting To Malware ***
---------------------------------------------
An anonymous reader writes "Security firm ThreatTrack Security Labs today spotted that certain Bing ads are linking to sites that infect users with malware. Those who click are redirected to a dynamic DNS service subdomain which in turn serves the Sirefef malware from 109(dot)236(dot)81(dot)176. ThreatTrack notes that the scammers could of course be targeting other keywords aside from YouTube. The more popular the keywords, the bigger the potential for infection."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/7RRrvRPB5JM/story01.htm
*** Top 15 Indicators Of Compromise ***
---------------------------------------------
In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages.
---------------------------------------------
http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise…
*** Vuln: libtar th_read() Function Multiple Heap Buffer Overflow Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/62922
*** libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities ***
---------------------------------------------
libtar "tar_extract_glob()" and "tar_extract_all()" Directory Traversal Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/55138
*** Bugtraq: [security bulletin] HPSBMU02901 rev.1 - HP Business Process Monitor running on Windows, Remote Execution of Arbitrary Code and Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529117
*** Juniper Junos TCP Packet Handling Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55218
*** Juniper Junos Telnet Messages Handling Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55109
*** Hitachi JP1/VERITAS Backup Exec Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55261
*** Cisco Unified IP Phones 9900 Series webapp Interface Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55275
*** Dropbear SSH Server User Enumeration Weakness and Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55173
*** Network Security Services (NSS) Uninitialized Memory Read Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55050
*** InduSoft Thin Client ActiveX control buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87788
*** Security Bulletin: IBM InfoSphere Information Server Data Quality Console and Information Analyzer are vulnerable to cross-site request forgery attacks (CVE-2013-4056) ***
---------------------------------------------
A cross-site request forgery vulnerability exists in IBM InfoSphere Information Server Data Quality Console and Information Analyzer which can allow an attacker to trick a legitimate user into opening a URL that results in an action being taken as that user, potentially without the knowledge of that user. Any actions taken require the user being tricked to either be previously authenticated or to authenticate as part of the attack.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21652413
*** IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: Multiple security vulnerabilities in IBM JREs 5 & 7 ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Message Broker for IBM JRE 5.0 SR16-FP3 (and earlier) and the IBM Java Runtime Environment component of IBM Integration Bus for JRE 7.0 SR5 (and earlier).
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_websphere_message…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-10-2013 18:00 − Thursday 10-10-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BlackBerry Fixes Remote Code Vulnerability in BES10 ***
---------------------------------------------
BlackBerry added to Patch Tuesday's patches with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability.
---------------------------------------------
http://threatpost.com/blackberry-fixes-remote-code-vulnerability-in-bes10/1…
*** Unexpected IE Zero Day Used in Banking, Gaming Attacks ***
---------------------------------------------
Microsoft released a patch for a second zero-day vulnerability in Internet Explorer yesterday, one that caught administrators off-guard.
---------------------------------------------
http://threatpost.com/unexpected-ie-zero-day-used-in-banking-gaming-attacks…
*** vBulletin vuln opens backdoor to rogue accounts ***
---------------------------------------------
The workaround is easy, though
The widespread vBulletin CMS has a vulnerability that allows remote attackers to create new administrative accounts.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/vbulletin_v…
*** Invensys Wonderware InTouch Improper Input Validation Vulnerability ***
---------------------------------------------
OVERVIEW: This advisory was originally posted to the US-CERT secure Portal library on October 03, 2013, and is now being released to the NCCIC/ICS-CERT-Web page. This advisory provides mitigation details for a vulnerability that impacts the Invensys Wonderware InTouch application.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01
*** Quassel IRC SQL injection ***
---------------------------------------------
Topic: Quassel IRC SQL injection
Risk: Medium
Text: Please assign a CVE to the following issue: Quassel IRC is vulnerable to SQL injection on all current versions (0.9.0 being...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100064
*** McAfee Web Reporter Servlet Access Control Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029154
*** MyBB Session Hijacking and Security Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54994
*** OXID eShop "searchrecomm" Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55193
*** Security Bulletin: Multiple IBM Eclipse Help System (IEHS) vulnerabilities used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467) ***
---------------------------------------------
IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed ship with IBM Eclipse Help System (IEHS). The IBM Eclipse Help System (IEHS) is vulnerable to XSS attacks, reading source code via a crafted URL and reading the debug information associated with the 500 HTTP status...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21651947
*** Multiple Vulnerabilities in Cisco ASA Software ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Firewall Services Module Software ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** HP Intelligent Management Center Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Information ***
---------------------------------------------
http://www.securitytracker.com/id/1029164
*** HP Intelligent Management Center Multiple Flaws Let Remote Users Bypass Authentication, Gain Unauthorized Access, Inject SQL Commands, and Obtain Information ***
---------------------------------------------
http://www.securitytracker.com/id/1029165
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-10-2013 18:00 − Wednesday 09-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** WhatsApp encryption raises doubts ***
---------------------------------------------
According to the lead developer of the IM client Adium, WhatsApp users must regard all messages sent so far as decryptable.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-Verschluesselung-ruft-Zweifel…
*** The October 2013 security updates ***
---------------------------------------------
This month we release eight bulletins - four Critical and four Important - which address 26 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083. Our Bulletin Deployment Priority graph provides an overview of this month's priority releases...
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/10/08/the-october-2013-securit…
*** Other Patch Tuesday Updates (Adobe, Apple), (Wed, Oct 9th) ***
---------------------------------------------
Adobe released two bulletins today:
APSB13-24: Security update for RoboHelp http://www.adobe.com/support/security/bulletins/apsb13-24.html I don't remember seeing a pre-announcement for this one. The update fixes an arbitrary code execution vulnerability (CVE-2013-5327). RoboHelp is only available for Windows.
APSB13-25: Security update for Adobe Acrobat and Adobe Reader http://www.adobe.com/support/security/bulletins/apsb13-25.html This update fixes a problem that was introduced in a recent
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16763&rss
*** September 2013 Virus Activity Overview ***
---------------------------------------------
October 1, 2013. The first autumn month of 2013 was marked by a number of important events that could have a profound impact on IT security in the future. In particular, in early September a dangerous backdoor that can execute commands from a remote server was discovered, and a bit later Doctor Web's analysts identified the largest known botnet, comprised of more than 200,000 infected devices running Android. Overall, numerous malignant programs for this platform were found in September. Viruses
---------------------------------------------
http://news.drweb.com/show/?i=3962&lng=en&c=9
*** ENISA - Can we learn from SCADA security incidents - White Paper ***
---------------------------------------------
Security experts across the world continue to sound the alarm bells about the security of Industrial Control Systems (ICS). Industrial Control Systems look more and more like consumer PCs. They are used everywhere and involve a considerable amount of software, often outdated and unpatched. Recent security incidents in the context of SCADA and Industrial Control Systems emphasise greatly the importance of good governance and control of SCADA infrastructures.
---------------------------------------------
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrast…
*** Staying Stealthy: Passive Network Discovery with Metasploit ***
---------------------------------------------
One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/09/passive-n…
*** Twitter Malware ***
---------------------------------------------
NCC Group has observed a sharp rise in threats using Twitter direct messages (often abbreviated to DMs) as a method of delivery over the last few months. These threats originate from compromised Twitter accounts. These accounts, once compromised, send direct messages to their followers. If received by email,...
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/10/twitter-malware/
*** Alstom e-Terracontrol DNP3 Master Improper Input Validation ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in the Alstom e-terracontrol software. Alstom has produced a patch that mitigates this vulnerability. Adam Crain and Chris Sistrunk have tested the patch to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-282-01
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-10-2013 18:00 − Tuesday 08-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Rockwell Automation FactoryTalk and RSLinx Multiple Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-095-02 Rockwell Automation FactoryTalk and RSLinx Multiple Vulnerabilities that was published April 5, 2013, on the ICS-CERT Web page.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-095-02A
*** Quarian Group Targets Victims With Spearphishing Attacks ***
---------------------------------------------
The current generation of targeted attacks is getting more sophisticated and evasive. These attacks employ media-savvy stories in their social engineering themes to lure unsuspecting users. We have seen heightened activity by one of the groups, dubbed Quarian. It is believed to be targeting government agencies and embassies around the world including the United States. [...]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/quarian-group-targets-victims-with-spea…
*** xinetd security update ***
---------------------------------------------
It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user. (CVE-2013-4342)
---------------------------------------------
https://rhn.redhat.com/errata/RHSA-2013-1409.html
*** Hacker attack on WhatsApp ***
---------------------------------------------
A politically motivated hacker group has apparently succeeded in taking control of the WhatsApp domain.
---------------------------------------------
http://www.heise.de/security/meldung/Hackerangriff-auf-WhatsApp-1974342.html
*** ecoTrialog #9: Blackout ***
---------------------------------------------
Emergency power systems (NEA) and UPS have been common companions in the data center for many years. What developments, trends and visions do the solution providers show us? What possible mistakes must be avoided when planning? That is the central topic of the ninth ecoTrialog in Ahrensburg near Hamburg.
---------------------------------------------
http://datacenter.eco.de/2013/07/26/ecotrialog-10-blackout/
*** Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions ***
---------------------------------------------
FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vul…
*** Introducing Kvasir ***
---------------------------------------------
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. ... We think this isn’t good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testin
---------------------------------------------
http://blogs.cisco.com/security/introducing-kvasir/
*** CSAM - RFI with a small twist ***
---------------------------------------------
Logs are under-appreciated. We all collect them, but in a majority of organisations you will find that they are only ever looked at once something has gone wrong. Which is unfortunately usually when people discover that either they didn't collect "that" log or timestamps are out of whack, log files rolled over, etc. Which is unfortunate because log files can tell you quite a bit of information, as we are hoping to show throughout October as part of the Cyber Security Awareness Month.
---------------------------------------------
https://isc.sans.edu/diary/CSAM+-+RFI+with+a+small+twist/16748
*** Multiple vulnerabilities in Cisco Identity Services Engine ***
---------------------------------------------
Blind SQL Injection:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
Sponsor Portal cross-frame scripting:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
Parameter cross-site scripting:
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
---------------------------------------------
http://tools.cisco.com/security/center/publicationListing.x#~CiscoSecurityN…
*** Cisco IOS Software DHCP Server remember Functionality Vulnerability ***
---------------------------------------------
An issue in the DHCP server code of Cisco IOS Software could allow an unauthenticated, adjacent attacker to cause the device to reload. The issue is due to the remember functionality of the DHCP server. An attacker could exploit this issue by obtaining a lease and then releasing it. An exploit could allow the attacker to cause the affected device to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** How the Bible and YouTube are fueling the next frontier of password cracking ***
---------------------------------------------
Crackers tap new sources to uncover "givemelibertyorgivemedeath" and other phrases.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/w9PZonWnTIA/story01…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-10-2013 18:00 − Monday 07-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletin: Denial of Service Vulnerability in DB2 for Unix, Linux and Windows' Fast Communications Manager. (CVE-2013-4032) ***
---------------------------------------------
Vulnerability in IBM DB2 for Unix, Linux and Windows server products could allow arbitrary data sent to the Fast Communications Manager (FCM) to cause server denial of service. CVE(s): CVE-2013-4032
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_den…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) CVE(s): CVE-2013-4066, and CVE-2013-4067
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Prenotification: Upcoming Security Updates for Adobe Reader and Acrobat (APSB13-25) ***
---------------------------------------------
A prenotification Security Advisory has been posted in regards to upcoming Adobe Reader and Acrobat security updates scheduled for Tuesday, October 8, 2013. There are no known exploits in the wild for these updates. We will continue to provide updates …
---------------------------------------------
http://blogs.adobe.com/psirt/2013/10/prenotification-upcoming-security-upda…
*** Cisco NX-OS RIP denial of service ***
---------------------------------------------
Cisco NX-OS is vulnerable to a denial of service, caused by an error in the Routing Information Protocol (RIP) service engine. By sending a specially-crafted RIPv4 or RIPv6 message to UDP port 520, a remote attacker could exploit this vulnerability to cause the RIP service engine to restart.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87669
*** Cisco NX-OS configuration files information disclosure ***
---------------------------------------------
Cisco NX-OS could allow a remote authenticated attacker to obtain sensitive information, caused by the improper sanitization of configuration files. By accessing the Cisco NX-OS management interface as a network-operator, an attacker could exploit this vulnerability to view restricted information within configuration files.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87670
*** The Hail Mary Cloud and the Lessons Learned ***
---------------------------------------------
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QrqADehWUPU/story01.htm
*** Why the state of application security is not so healthy ***
---------------------------------------------
Web applications are often a common portal for breaches, so why aren't they being better protected?
---------------------------------------------
http://www.csoonline.com/article/740164/why-the-state-of-application-securi…
*** [local] - FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit ***
---------------------------------------------
* FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
* Author by CurcolHekerLink
*
* This exploit based on open source project, I can make it open source too. Right?
---------------------------------------------
http://www.exploit-db.com/exploits/28718
*** Cybercrime in the Deep Web ***
---------------------------------------------
Earlier, we published a blog post talking about the recent shut down of the Silk Road marketplace. There, we promised to release a new white paper looking at cybercrime activity on the Deep Web in more detail. This paper can now be found on our site here. While the Deep Web has often been uniquely associated […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RYkDXfurPWU/
*** Aanval SAS Cross-Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been discovered in Aanval SAS, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/55134
*** Rip-off attempts: providers advertise a supposed iOS 7 jailbreak ***
---------------------------------------------
Many iPhone users are eagerly waiting for a jailbreak tool for iOS 7, and some of them fall for scammers. A test shows how the scam works.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Abzockversuche-Anbieter-werben-mit-a…
*** Philips Xper Connect HTTP Request Handling Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Philips Xper Connect, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error when handling HTTP requests and can be exploited to cause a heap-based buffer overflow by sending a specially crafted HTTP request to TCP port 6000.
---------------------------------------------
https://secunia.com/advisories/55152
*** Door Control Systems: An Examination of Lines of Attack ***
---------------------------------------------
In this blog post, we shall show that there are serious security vulnerabilities in one of the market-leading door control systems, and that these can be exploited not only to gain physical access to secure premises, but also to obtain confidential information about the organisation to whom the premises belong.
---------------------------------------------
http://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination…
*** McAfee Web Reporter Premium EJBInvokerServlet / JMXInvokerServlet Marshaled Object Arbitrary Code Execution Vulnerability ***
---------------------------------------------
Andrea Micalizzi has discovered a vulnerability in McAfee Web Reporter Premium, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to the application not properly restricting access to the invoker/EJBInvokerServlet and invoker/JMXInvokerServlet servlets within Apache Tomcat, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshaled object to TCP port 9111.
---------------------------------------------
https://secunia.com/advisories/55112
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-10-2013 18:00 − Friday 04-10-2013 18:00
Handler: Robert Waldner
Co-Handler: Matthias Fraidl
*** Adobe Preparing Critical Patches for Reader, Acrobat Next Week ***
---------------------------------------------
Adobe has announced that it plans next week to patch critical vulnerabilities in two products, Adobe Reader and Acrobat XI (11.0.04) for Windows.
---------------------------------------------
http://threatpost.com/adobe-preparing-critical-patches-for-reader-acrobat-n…
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4066 and CVE-2013-4067) CVE(s): CVE-2013-4066, CVE-2013-4067 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Hacking Summit Names Nations With Cyberwarfare Capabilities ***
---------------------------------------------
In 2009, I read with great interest a paper published in the Journal of International Security Affairs titled The Art of (Cyber) War. In this paper, Brian M. Mazanec explained the People's Republic of China was interested in cyberwarfare and had improved its capabilities to conduct military operations in the cyberspace.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/hacking-summit-names-nations-with-cyber…
*** AIX printer commands vulnerability (CVE-2013-5419) ***
---------------------------------------------
AIX printer commands vulnerability. CVE(s): CVE-2013-5419 Affected product(s) and affected version(s): AIX 6.1 and 7.1 releases Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://aix.software.ibm.com/aix/efixes/security/cmdque_advisory.asc
X-Force Database: http://xforce.iss.net/xforce/xfdb/87481
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/aix_printer_commands_…
*** CSAM: Web Honeypot Logs, (Thu, Oct 3rd) ***
---------------------------------------------
Today's logs come from a honeypot. The fun part about honeypots is that you don't have to worry about filtering out "normal" logs. Usually I check the honeypot for anything new and interesting first, then look on my real web server to figure out if I see similar attacks. In the real web server, these attacks would otherwise drown in the noise.
SSL connection to a web server not supporting SSL:
Invalid method in request \x80w\x01\x03\x01
The first few bytes of the request are interpreted
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16718&rss
*** Blog: Ekoparty Security Conference 2013 ***
---------------------------------------------
The Ekoparty Security Conference 2013 was held in the beautiful city of Buenos Aires, Argentina, from 25 to 27 September. This event, the most important security conference in Latin America, is now in its ninth year and was attended by 1,500 people.
---------------------------------------------
http://www.securelist.com/en/blog/208214073/Ekoparty_Security_Conference_20…
*** Adobe To Announce Source Code, Customer Data Breach ***
---------------------------------------------
Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its Cold Fusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/jWJBDb7eE-o/
*** October Patch Tuesday Preview (CVE-2013-3893 patch coming!) ***
---------------------------------------------
So far, we got pre-announcements from Microsoft and Adobe. Microsoft promises 8 bulletins, split evenly between critical and important. The critical bulletins affect Windows, Internet Explorer and the .Net framework, while the important bulletins affect Office and Silverlight. So this sounds like an average, very client heavy patch Tuesday. On the server end, only Sharepoint server (again) and Office Server are affected. Important: The cumulative IE update included will include a patch for
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16721&rss
*** EMC Atmos Unauthenticated Database Access ***
---------------------------------------------
Topic: EMC Atmos Unauthenticated Database Access Risk: High Text:ESA-2013-062: EMC Atmos Unauthenticated Database Access Vulnerability EMC Identifier: ESA-2013-062 CVE Identifier: C...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100034
*** SQL injection vulnerability in Zabbix ***
---------------------------------------------
The monitoring solution Zabbix is vulnerable to SQL injection. Attackers are able to gain access to database contents or elevate privileges and even take over the monitoring system.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild ***
---------------------------------------------
In this post, I'll discuss a recent example of standardization, in particular, a blackhat SEO friendly VPS (Virtual Private Server) that comes with over a dozen multi-blackhat-seo-friendly product licenses from third-party products integrated. It empowers potential customers new to this unethical and potentially fraudulent/malicious practice with everything they need to hijack legitimate traffic from major search engines internationally.
---------------------------------------------
http://www.webroot.com/blog/2013/10/04/commercially-available-blackhat-seo-…
*** Certain HP FutureSmart MFP, Weak PDF Encryption, Local Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with certain HP FutureSmart LaserJet printers. The vulnerabilities might lead to weak encryption of PDF documents or local disclosure of scanned information. References: CVE-2013-4828 (SSRT101249) CVE-2013-4829 (SSRT101327)
---------------------------------------------
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n…
*** Apple OS X Directory Services Authentication Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
OS X v10.8.5 Supplemental Update
Directory Services
Available for: OS X Mountain Lion v10.8 to v10.8.5
Impact: A local user may modify Directory Services records with system privileges
Description: A logic issue existed in Directory Services' verification of authentication credentials, allowing a local attacker to bypass password validation. The issue was addressed through improved credential validation.
---------------------------------------------
http://support.apple.com/kb/HT5964
*** Background: a death sentence for encryption in the USA ***
---------------------------------------------
The order by a US court to hand investigators the secret key that gave them access to the data of all Lavabit customers ruins the last remnant of trust in American cloud providers.
---------------------------------------------
http://www.heise.de/security/artikel/Todesurteil-fuer-Verschluesselung-in-d…
*** Corel PaintShop Pro X5 / X6 Insecure Library Loading Vulnerability ***
---------------------------------------------
Corel PaintShop Pro X5 / X6 Insecure Library Loading Vulnerability
---------------------------------------------
https://secunia.com/advisories/53618
*** McAfee Agent Framework Service Denial of Service Vulnerability ***
---------------------------------------------
McAfee Agent Framework Service Denial of Service Vulnerability
---------------------------------------------
https://secunia.com/advisories/55158
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 02-10-2013 18:00 − Thursday 03-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Cisco IOS XR Software Memory Exhaustion Vulnerability ***
---------------------------------------------
Cisco IOS XR Software Memory Exhaustion Vulnerability
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM WebSphere MQ Security Vulnerability: Multiple security vulnerabilities in IEHS ***
---------------------------------------------
Multiple security vulnerabilities exist in the IBM Eclipse Help System which is used to provide the product Information Centers for IBM WebSphere MQ and IBM WebSphere MQ File Transfer Edition.
- Debug information displayed in browser (CVE-2013-0599)
- XSS alert vulnerability (CVE-2013-0464)
- Application source code can be downloaded (CVE-2013-0467)
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_websphere_mq_secu…
*** Evince PDF Reader - 2.32.0.145 (Windows) and 3.4.0 (Linux) - Denial Of Service ***
---------------------------------------------
Evince PDF Reader - 2.32.0.145 (Windows) and 3.4.0 (Linux) - Denial Of Service
---------------------------------------------
http://www.exploit-db.com/exploits/28679
*** IBM SPSS Collaboration and Deployment Services Unspecified Flaws Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
IBM SPSS Collaboration and Deployment Services Unspecified Flaws Let Remote Users Execute Arbitrary Code
---------------------------------------------
http://www.securitytracker.com/id/1029117
*** SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution ***
---------------------------------------------
SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013100017
*** Bugtraq: RootedCON 2014 - Call For Papers ***
---------------------------------------------
RootedCON 2014 - Call For Papers
---------------------------------------------
http://www.securityfocus.com/archive/1/528963
*** Denial of service vulnerability in Citrix NetScaler ***
---------------------------------------------
A Citrix NetScaler component is affected by a denial of service vulnerability. Attackers can keep the appliance in a constant reboot loop resulting in total loss of availability.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** Tor and the Silk Road takedown ***
---------------------------------------------
We've had several requests by the press and others to talk about the Silk Road situation today. We only know what's going on by reading the same news sources everyone else is reading. In this case we've been watching carefully to try to learn if there are any flaws with Tor that we need to correct. So far, nothing about this case makes us think that there are new ways to compromise Tor (the software or the network).
---------------------------------------------
https://blog.torproject.org/blog/tor-and-silk-road-takedown
*** Survey Finds Manufacturers Afflicted with a False Sense of Cyber Security ***
---------------------------------------------
Though manufacturers think they're doing a better job safeguarding data, cybersecurity breaches are increasing. So says a PricewaterhouseCoopers (PwC) study, which finds that "while organizations have made significant security improvements, they have not kept pace with today's determined adversaries."
---------------------------------------------
http://news.thomasnet.com/IMT/2013/10/02/survey-finds-manufacturers-afflict…
*** The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins ***
---------------------------------------------
Here are 20 of the best free tools for monitoring devices, services, ports or protocols and analysing traffic on your network. Even if you may have heard of some of these tools before, we're sure you'll find a gem or two amongst this list ...
---------------------------------------------
http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-too…
*** 18 Free Security Tools for SysAdmins ***
---------------------------------------------
Here are 18 of the best free security tools for password recovery, password management, penetration testing, vulnerability scanning, steganography and secure data wiping. ... Even if you may have heard of some of these tools before, I'm confident that you'll find a gem or two amongst this list.
---------------------------------------------
http://www.gfi.com/blog/18-free-security-tools-for-sysadmins/
*** Could the EU cyber security directive cost companies billions? ***
---------------------------------------------
Many of the world's largest enterprises are not prepared for the new European Union Directive on cyber security, which states that organizations that do not have suitable IT security in place to protect their digital assets will face extremely heavy fiscal penalties. The directive, which was adopted in July this year, will require that organizations circulate early warnings of cyber risks and incidents, and that actual security incidents are reported to cyber security authorities.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15694
*** On Anonymous ***
---------------------------------------------
Gabriella Coleman has published an interesting analysis of the hacker group Anonymous: Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/10/on_anonymous.html
*** RuggedCom Rugged Operating System Alarms Configuration Security Bypass Security Issue ***
---------------------------------------------
RuggedCom Rugged Operating System Alarms Configuration Security Bypass Security Issue
---------------------------------------------
https://secunia.com/advisories/55153
*** Ryan Naraine on Virus Bulletin 2013, Zero Days and Cyberwarfare ***
---------------------------------------------
Dennis Fisher talks with Ryan Naraine about the news from the Virus Bulletin 2013 conference, whether the use of zero days is overrated and the collateral damage that can result from cyberwarfare attacks.
---------------------------------------------
http://threatpost.com/ryan-naraine-on-virus-bulletin-2013-zero-days-and-cyb…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 01-10-2013 18:00 − Wednesday 02-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** CSAM! Send us your logs!, (Tue, Oct 1st) ***
---------------------------------------------
Today is the beginning of Cyber Security Awareness Month. Apparently the month's official theme is "Our Shared Responsibility." We at the SANS Internet Storm Center want your logs! Send us packets, malware, all your logs, log snippets, observations, things that go bump on the net, things that make you go HMMMM, or just send us email to discuss InfoSec. What can we do as individuals to increase information security and encourage secure practices among co-workers, friends, and family?
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16691&rss
*** Apple Spikes As Phishing Target ***
---------------------------------------------
According to news stories, Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers. Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below: Figure 1. […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rwX5MEZpPOs/
*** VLC Media Player Buffer Overflow in MP4A Packetizer Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can create a specially crafted file that, when loaded by the target user, will trigger a buffer overflow in the mp4a packetizer and execute arbitrary code on the target system. The code will run with the privileges of the target user.
---------------------------------------------
http://www.securitytracker.com/id/1029120
*** "microsoft support" calls - now with ransomware, (Wed, Oct 2nd) ***
---------------------------------------------
Most of us are familiar with the "microsoft support" call. A phone call is received, the person states they are from "microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as teamviewer or similar (we have seen many different versions). Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16703&rss
*** Bugtraq: Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies ***
---------------------------------------------
In <..> I showed an elaborate way for privilege elevation using IExpress (and other self-extracting) installers containing *.MSI or *.MSP which works "in certain situations".
The same IExpress installer(s), however, allow a TRIVIAL-to-exploit privilege escalation which works in all situations too:
Proof of concept (run on a fully patched Windows 7 SP1):
---------------------------------------------
http://www.securityfocus.com/archive/1/528955
*** Gate: LG splits smartphones into two halves ***
---------------------------------------------
LG, too, is trying to take the fright out of the topic of BYOD. To this end, Gate splits the smartphone into two areas: one for work, one for private use.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Gate-LG-teilt-Smartphones-in-zwei-Ha…
*** Zero-day vulnerability in Internet Explorer targeted by cybercriminals ***
---------------------------------------------
Integration into the Metasploit framework allows easy exploitation
---------------------------------------------
http://derstandard.at/1379292812878
*** Zero Days Are Not the Bugs You’re Looking For ***
---------------------------------------------
BERLIN–The technology industry often is used by politicians, executives and others as an example of how to adapt quickly and shift gears in the face of disruptive changes. But the security community has been doing defense in basically the same way for several decades now, despite the fact that the threat landscape has changed dramatically, […]
---------------------------------------------
http://threatpost.com/zero-days-are-not-the-bugs-youre-looking-for/102481
*** PolarSSL RSA Private Key Recovery Weakness ***
---------------------------------------------
A weakness has been reported in PolarSSL, which can be exploited by malicious people to disclose certain sensitive information.
...
The weakness is reported in versions prior to 1.2.9 and 1.3.0.
---------------------------------------------
https://secunia.com/advisories/55084
*** Siemens Scalance X-200 Series Switches Authentication Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Siemens Scalance X-200 Series Switches, which can be exploited by malicious people to bypass certain security restrictions.
...
The vulnerability is reported in the following products and versions:
* SCALANCE X-200 versions prior to 4.5.0.
---------------------------------------------
https://secunia.com/advisories/55126
*** A History of Hard Conditions: Exploiting Linksys CVE-2013-3568 ***
---------------------------------------------
Earlier this summer Craig Young posted on Bugtraq about a root command injection vulnerability on the Linksys WRT110 router.
...
Our awesome Joe Vennix figured out the vulnerability and how to exploit it to get a session, even on a restricted Linux environment like the Linksys one. Since the experience can be useful for others exploiting embedded devices, here it is!
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/10/02/a-history…
*** Researchers Ponder When to Notify Users of Public Vulnerability Exploits ***
---------------------------------------------
BERLIN–Just whispering the words “vulnerability disclosure” within earshot of a security researcher or vendor security response team members can put you in fear for your life these days. The debate is so old and worn out that there is virtually nothing new left to say or chew on at this point. However, the question of […]
---------------------------------------------
http://threatpost.com/researchers-ponder-when-to-notify-users-of-public-vul…
*** ZeroAccess: The Most Profitable Botnet ***
---------------------------------------------
In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" (takedown) ZeroAccess — one of the world's largest botnets. But then… in late June, the botnet started updating itself, removing the flaw that the researchers hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could. And that was over 500,000 bots. A very commendable effort! Ross Gibb and
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002614.html
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-09-2013 18:00 − Dienstag 01-10-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Asus RT-N66U 3.0.0.4.374_720 Cross Site Request Forgery ***
---------------------------------------------
The Asus RT-N66U is a home wireless router. Its web application has a CSRF vulnerability that allows an attacker to execute arbitrary commands on the target device.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090194
*** What kind of target are you? ***
---------------------------------------------
Some attackers want money or data, while others hope to make you look bad. What do you have that might put you on a hacker's hit list?
---------------------------------------------
http://www.csoonline.com/article/740614/what-kind-of-target-are-you-?source…
*** BYOD: Own phone as a stopgap ***
---------------------------------------------
A new study shows: most users use their own devices at work only because IT cannot provide them with adequate equipment; for these employees, Bring Your Own Device is a stopgap.
---------------------------------------------
http://www.heise.de/newsticker/meldung/BYOD-Eigenes-Handy-als-Notloesung-19…
*** Blog: Ad Plus instead of AdBlock Plus ***
---------------------------------------------
A fake and malicious AdBlock Plus brings to your Android not ad protection but more ads than ever before.
---------------------------------------------
http://www.securelist.com/en/blog/208214071/Ad_Plus_instead_of_AdBlock_Plus
*** Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns ***
---------------------------------------------
Since we first reported on Operation DeputyDog, at least three other Advanced Persistent Threat (APT) campaigns known as Web2Crew, Taidoor, and th3bug have made use of the same exploit to deliver their own payloads to their own targets.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/hand-me-downs-…
*** Open-Xchange AppSuite multiple session hijacking ***
---------------------------------------------
Open-Xchange AppSuite multiple session hijacking
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87557
*** Open-Xchange AppSuite /ajax/defer servlet CRLF injection ***
---------------------------------------------
Open-Xchange AppSuite /ajax/defer servlet CRLF injection
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87558
*** Sweet murmuring Siri opens stalking security hole in iOS 7 ***
---------------------------------------------
Siri, hand over my contacts and history now. It has not been a good week for Apple on the security front, and there's no relief in sight after an Israeli researcher found a way to access a locked iPhone's contacts and messages database using Siri.
---------------------------------------------
http://www.theregister.co.uk/2013/09/30/sweettalking_siri_opens_stalking_se…
*** World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks ***
---------------------------------------------
This report describes the unique characteristics of cyber attack campaigns waged by governments worldwide. We hope that, armed with this knowledge, security professionals can better identify their attackers and tailor their defenses accordingly...
---------------------------------------------
http://www.fireeye.com/resources/pdfs/fireeye-wwc-report.pdf
*** It's your digital life. Being safer online - citizens in focus of 1st European Cyber Security Month ***
---------------------------------------------
The EU's cyber security agency ENISA, together with the European Commission's DG CONNECT, is launching the first fully fledged European Cyber Security Month campaign. During the month of October, more than 40 public and private stakeholders will promote cyber security among citizens and children, and advocate for a change in the perception of cyber-threats.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/it2019s-your-digital-life-b…
*** PayPal: Second factor optional ***
---------------------------------------------
The iOS app of the payment service PayPal can log in to the server without the additional code from a hardware token or SMS, even if the user has enabled two-factor authentication. This reduces the security concept to absurdity.
---------------------------------------------
http://www.heise.de/security/meldung/PayPal-Zweiter-Faktor-optional-1970328…
*** Quarter of TWO-MILLION-strong zombie PC army lured to their deaths ***
---------------------------------------------
Pied piper Symantec says it led infected computers into sinkhole. Symantec has claimed credit for luring a significant lump of the powerful ZeroAccess botnet into a sinkhole.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/10/01/zeroaccess_…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-09-2013 18:00 − Montag 30-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** IBM WebSphere DataPower XC10 unauthorized access ***
---------------------------------------------
An unspecified vulnerability in IBM WebSphere DataPower could allow unauthenticated access to administrative operations and data.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87299
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) CVE(s): CVE-2013-0585, CVE-2013-3034, CVE-2013-3040, and CVE-2013-0599 Affected product(s) and affected version(s): IBM InfoSphere Information Server versions 8.1, 8.5, 8.7, 9.1.0, and 9.1.2 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Security Bulletin: Vulnerability in IBM Rational ClearQuest Web Client with potential for JSON Hijacking Attack (CVE-2013-3041) ***
---------------------------------------------
A JSON Hijacking Attack vulnerability exists in IBM Rational ClearQuest Web Client. CVE(s): CVE-2013-3041 Affected product(s) and affected version(s): Upgrade to IBM Rational ClearQuest version: 7.1.2.12, 8.0.0.8, or 8.0.1.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21648086 X-Force Database: http://xforce.iss.net/xforce/xfdb/84724
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Security Bulletin: Vulnerability in IBM Rational ClearQuest Web Client with potential for Cross-Site Request Forgery (CVE-2013-0598) ***
---------------------------------------------
A Cross-Site Request Forgery (CSRF) Attack vulnerability exists in IBM Rational ClearQuest Web Client. CVE(s): CVE-2013-0598 Affected product(s) and affected version(s): Rational ClearQuest Web v7.1 through 7.1.2.10, v8.0 through 8.0.0.7, and v8.0.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21648665 X-Force Database: http://xforce.iss.net/xforce/xfdb/83611
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
*** Security Bulletin: Multiple JRE vulnerabilities addressed in IBM Sterling Secure Proxy (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169) ***
---------------------------------------------
The IBM JRE embedded in the IBM Sterling Secure Proxy Configuration Manager has security vulnerabilities that affect SSL connections to the configuration GUI. CVE(s): CVE-2013-0440, CVE-2013-0443, and CVE-2013-0169 Affected product(s) and affected version(s): Sterling Secure Proxy 3.4.1 Sterling Secure Proxy 3.4.0 Sterling Secure Proxy 3.3.01 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** As Hurricane Season Looms, It's Disaster-Preparedness Time ***
---------------------------------------------
Nervals Lobster writes "In 2012, hurricane Sandy smacked the East Coast and did significant damage to New Jersey, New York City, and other areas. Flooding knocked many datacenters in Manhattan offline, temporarily taking down a whole lot of Websites in the process. Now that fall (and the tail end of hurricane season) is upon us again, any number of datacenters and IT companies are probably looking over their disaster-preparedness checklists in case another storm comes barreling through.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/fMCJ586KPYE/story01.htm
*** Internet Ombudsman warns of online-shop trap ***
---------------------------------------------
The Austrian Internet Ombudsman warns of the company Factory Store OHG, as it allegedly lures customers into a trap with cheap offers.
---------------------------------------------
http://www.heise.de/security/meldung/Internet-Ombudsmann-warnt-vor-Onlinesh…
*** Secured BlackBerrys approved in Germany ***
---------------------------------------------
A BlackBerry model secured by the Düsseldorf provider Secusmart has been granted approval in Germany for official use in government agencies.
---------------------------------------------
http://futurezone.at/digital-life/gesicherte-blackberrys-in-deutschland-zug…
*** ReadMore CMS Multiple Vulnerability ***
---------------------------------------------
Topic: ReadMore CMS Multiple Vulnerability
Risk: Medium
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090190
*** Metasploit creator seeks crowd's help for vuln scanning ***
---------------------------------------------
Project Sonar combines tools, data and research. Security outfit Rapid7 has decided that there's just too much security vulnerability information out there for any one group to handle, so its solution is to try and crowd-source the effort.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/30/hd_more_see…
*** The Ghost in the (Portable) Machine: Securing Mobile Banking ***
---------------------------------------------
Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills and manage their finances from anywhere, at any time. However, threats against mobile banking exist, which need to be addressed and secured against. Some of these threats […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ftep24zpfWE/
*** WordPress 3.7 Beta 1 promises more security ***
---------------------------------------------
The WordPress project has decided to shorten the release cycle for version 3.7 and has already published the first beta version. WordPress 3.7 Beta 1 primarily brings several new features intended to increase the security of the blog software.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Wordpress-3-7-Beta-1-verspricht-mehr…
*** Bugtraq: [IBliss Security Advisory] Cross-site scripting ( XSS ) in PHP IDNA Convert ***
---------------------------------------------
PHP Net_IDNA is a class to convert between the Punycode and Unicode formats. Punycode is a standard described in RFC 3492 and part of IDNA (Internationalizing Domain Names in Applications [RFC3490]). This class allows PHP scripts to convert these domain names without having one of the PHP extensions installed. It supports both IDNA 2003 and IDNA 2008.
---------------------------------------------
http://www.securityfocus.com/archive/1/528934
*** Security of SHA-3 allegedly reduced ***
---------------------------------------------
Researchers accuse NIST of making the SHA-3 algorithm Keccak less secure through modifications for standardization. Secure hash functions are needed in particular for digital signatures and integrity checks of software.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Kryptographie-NIST-will-angeblich-Si…
*** Emerson Multiple Products Security Issue and Arbitrary Code Execution Vulnerability ***
---------------------------------------------
Emerson Multiple Products Security Issue and Arbitrary Code Execution Vulnerability
---------------------------------------------
https://secunia.com/advisories/54936
*** Needle in a Haystack: Detecting Zero-Day Attacks ***
---------------------------------------------
People often ask me what differentiates FireEye from its rivals. The real question is “What should I look for in a solution to advanced persistent threats, regardless of the provider?” (And while I can rattle off a long list of …
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/09/needle-in-a-haystack-detectin…
*** 7 Sneak Attacks Used By Today's Most Devious Hackers ***
---------------------------------------------
Here are some of the latest techniques of note that have piqued my interest as a security researcher and the lessons learned. Some stand on the shoulders of past malicious innovators, but all are very much in vogue today as ways to rip off even the savviest users.
---------------------------------------------
http://www.cio.com/article/740598/7_Sneak_Attacks_Used_By_Today_s_Most_Devi…
*** Apache Camel Simple Language Expression Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache Camel, which can be exploited by malicious users to compromise an application using the framework.
---------------------------------------------
https://secunia.com/advisories/54888
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 26-09-2013 18:00 − Freitag 27-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Time For a Change in Security Thinking, Experts Say ***
---------------------------------------------
WASHINGTON–Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycles ..
---------------------------------------------
http://threatpost.com/time-for-a-change-in-security-thinking-experts-say/10…
*** Malware Now Hiding In Graphics Cards ***
---------------------------------------------
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a highly critical threat to system security and integrity and could not be detected by any operating system."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/OU6tbGV5rt4/story01.htm
*** qemu host crash from within guest ***
---------------------------------------------
Topic: qemu host crash from within guest
Risk: Medium
Text: A dangling pointer access flaw was found in the way qemu handled hot-unplugging virtio devices. This flaw was introduced by v...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090186
*** Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know? ***
---------------------------------------------
An anonymous reader writes "Recent reports from around the net suggest that the SSL certificate chain for Gmail has either changed this week, or has been widely compromised. Even less-than-obvious places to look for information, such as Google's Online Security Blog, are silent. The problem isn't specific to Gmail, of course, which leads me to ask: What is the canonically-accepted out-of-band means by which a new SSL certificate's fingerprint may be communicated and/or verified by end
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ElNnRuzfXzs/story01.htm
*** iOS 7.0.2 fixes critical security vulnerability ***
---------------------------------------------
Via a trick, photos and contacts could be viewed without entering the code to unlock the display.
---------------------------------------------
http://derstandard.at/1379292252272
*** Cisco Unified Computing System Hardcoded FTP Account Lets Remote Users View and Modify Files ***
---------------------------------------------
Cisco Unified Computing System Hardcoded FTP Account Lets Remote Users View and Modify Files
---------------------------------------------
http://www.securitytracker.com/id/1029102
*** DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008 ***
---------------------------------------------
With low-waged employees of unethical 'data entry' companies having already set the foundations for an efficient and systematic abuse of all the major Web properties, it shouldn't be surprising that new market segments quickly emerged to capitalize on the business opportunities offered by the (commercialized) demise of CAPTCHA as an additional human/bot differentiation technique. One of these market segments is supplying automatic (email) account registration services to
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/fT-TzsuZluo/
*** New TDL Dropper Variants Exploit CVE-2013-3660 ***
---------------------------------------------
Recently, we've been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs. The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology (click the image below to embiggen). From the detection name, we can see that the variants are distributed by some exploit kits. Last year, ESET mentioned a TDL4 variant (some AV vendors
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002612.html
*** EMC VPLEX Lets Local Users Obtain the LDAP/AD Password ***
---------------------------------------------
Impact: A local user can obtain the LDAP/AD bind password.
Solution: The vendor has issued a fix (GeoSynchrony 5.2 SP1).
---------------------------------------------
http://www.securitytracker.com/id/1029105
*** ARP Spoofing And Lateral Movement ***
---------------------------------------------
In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v1ZdDzc-S68/
*** WordPress blogs abused for DDoS attacks ***
---------------------------------------------
In April, attackers hammered at thousands of WordPress websites with a brute-force attack. The attackers apparently had a long-term goal in mind. Now around 550 WordPress blogs have been used for a DDoS attack.
---------------------------------------------
http://www.heise.de/newsticker/meldung/WordPress-Blogs-fuer-DDoS-Attacken-m…
*** Ten Internet traps you should know! ***
---------------------------------------------
There are always new tricks with which cyber criminals lure Internet users into a trap. We show you what to watch out for when surfing.
---------------------------------------------
http://web.de/magazine/digitale-welt/sicher-im-netz/17753226-internet-falle…
*** BSI Security Compass: Ten rules for more security online ***
---------------------------------------------
With ten rules of thumb, the BSI and the state police forces want to provide more security online. The occasion is the European Cyber Security Month in October. The concept of the National Cyber Security Awareness Month originates from the USA.
---------------------------------------------
http://www.heise.de/newsticker/meldung/BSI-Sicherheitskompass-Zehn-Regeln-f…
*** Security Bulletin: WebSphere DataPower XC10 Appliance vulnerability for administrative access to code and data (CVE-2013-5403) ***
---------------------------------------------
A security vulnerability in the WebSphere DataPower XC10 Appliance might allow unauthenticated access to administrative operations and data.
CVE(s): CVE-2013-1571
Affected product(s) and affected version(s): WebSphere DataPower XC10 Appliance versions 2.0, 2.1 and 2.5
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_web…
*** Attackers can slip malicious code into many Android apps via open Wi-Fi ***
---------------------------------------------
Connection hijacking could put users at risk of data theft, SMS abuse, and more.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/XKc0_9zgluU/story01…
*** LinkedIn Patches Multiple XSS Vulnerabilities ***
---------------------------------------------
LinkedIn was susceptible to four reflected cross site scripting (XSS) vulnerabilities before issuing a fix for those flaws over the summer.
---------------------------------------------
http://threatpost.com/linkedin-patches-multiple-xss-vulnerabilities/102443
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 25-09-2013 18:00 − Donnerstag 26-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** [papers] - Linux Classic Return-to-libc & Return-to-libc Chaining Tutorial ***
---------------------------------------------
I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this, as a good friend once said: “you think you understand something until you try to teach it”.
---------------------------------------------
http://www.exploit-db.com/download_pdf/28553
*** [papers] - Understanding C Integer Boundaries (Overflows & Underflow) ***
---------------------------------------------
This is my first try at writing papers. This paper is my understanding of the subject. I understand it might not be complete; I am open to suggestions and modifications. I hope this project helps others as it helped me.
---------------------------------------------
http://www.exploit-db.com/download_pdf/28550
*** Blue Coat ProxySG / Security Gateway OS (SGOS) Two Denial of Service Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Blue Coat ProxySG and Blue Coat Security Gateway OS (SGOS), which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54999
*** Research shows IT blocking applications based on popularity not risk ***
---------------------------------------------
Tactic leads to less popular, but still risky cloud-based apps freely accessing networks
---------------------------------------------
http://www.csoonline.com/article/740363/research-shows-it-blocking-applicat…
*** Popular iOS e-mail app acquired by Dropbox has serious bug, researcher warns (Updated) ***
---------------------------------------------
Code-execution vulnerability could open users to a series of serious attacks.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/hFtmTj9wjFg/story01…
*** Security Issue in Ruby on Rails Could Expose Cookies ***
---------------------------------------------
Versions 2.0 to 4.0 of the popular open source web framework Ruby on Rails are vulnerable to a web security issue involving cookies that could make it much easier for someone to log in to an app as another user.
---------------------------------------------
http://threatpost.com/security-issue-in-ruby-on-rails-could-expose-cookies/…
*** Analysis: The Icefog APT: Frequently Asked Questions ***
---------------------------------------------
Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.
---------------------------------------------
http://www.securelist.com/en/analysis/204792307/The_Icefog_APT_Frequently_A…
*** Cisco IOS Multiple Flaws Let Remote Users Deny Service ***
---------------------------------------------
Multiple vulnerabilities were reported in Cisco IOS. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029087
*** Security Bulletin: Tivoli Endpoint Manager Security Compliance Analytics (SCA) is affected by multiple Java vulnerabilities ***
---------------------------------------------
Security Compliance Analytics version 1.3 and prior affected by multiple Java vulnerabilities CVE(s):
CVE-2013-2463
CVE-2013-2465
CVE-2013-2471
Affected product(s) and affected version(s): Tivoli Endpoint Manager SCA 1.3 and earlier.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
*** Java Security Vulnerabilities addressed in IBM Tivoli Netcool OMNIbus ***
---------------------------------------------
Multiple vulnerabilities related to the Java JRE shipped by Tivoli Netcool/OMNIbus have been resolved. CVE(s): CVE-2012-0502, CVE-2012-0503, CVE-2012-0506, CVE-2012-0507, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0505, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725, CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409,
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/java_security_vulnera…
*** Security Bulletin: GSKit Security Vulnerabilities addressed in IBM Tivoli Netcool OMNIbus ***
---------------------------------------------
Several vulnerabilities related to the GSKit libraries used by Tivoli Netcool/OMNIbus have been resolved. CVE(s): CVE-2012-2190, CVE-2012-2191, CVE-2012-2333, CVE-2012-2203, CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-3210, CVE-2011-0014, CVE-2010-3864, CVE-2013-0169, CVE-2013-0166, and CVE-2012-2686 Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus 7.2.1 Tivoli
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_gsk…
*** Blue Coat ProxySG HTTP Request Processing Memory Leak Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Blue Coat ProxySG. A remote user can cause denial of service conditions.
A remote server can return specially crafted data to trigger a memory leak and cause the target device to drop or bypass traffic. HTML with a large number of recursively embedded HREF tags can trigger this flaw.
---------------------------------------------
http://www.securitytracker.com/id/1029088
*** Nodejs js-yaml load() Code Execution ***
---------------------------------------------
Topic: Nodejs js-yaml load() Code Execution
Risk: High
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090177
*** InstantCMS 1.10.2 Multiple vulnerabilities ***
---------------------------------------------
Topic: InstantCMS 1.10.2 Multiple vulnerabilities Risk: Low Text: Hello 3APA3A! These are Login Enumeration, Cross-Site Scripting and Content Spoofing vulnerabilities in InstantCMS. ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090179
*** Boffins: Internet transit a vulnerability ***
---------------------------------------------
Mirror, mirror on the port, is this something I can rort? If you think of an Internet exchange, you probably think of infrastructure that's well-protected, well-managed, and hard to compromise. The reality, however, might be different. According to research by Stanford University's Daniel Kharitonov, working with TraceVector's Oscar Ibatullin, there are enough vulnerabilities in routers and the like that the Internet exchange makes a target that's both attractive and exploitable.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/26/boffins_int…
*** 1st Cybercrime Conference of Europol and Interpol: Leave the Hunt to the Private Sector? ***
---------------------------------------------
Leaving cybercrime investigations to private companies has some advantages, company representatives say. Law enforcement, however, wants to develop exactly the competencies the private firms have and present its action plans to equally well-trained judges.
---------------------------------------------
http://www.heise.de/newsticker/meldung/1-Cybercrime-Konferenz-von-Europol-u…
*** XEN - Information leak on AVX and/or LWP capable CPUs ***
---------------------------------------------
When a guest increases the set of extended state components for a vCPU saved/restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM registers, or AMD's LWP state) after already having touched other extended registers restored via XRSTOR (e.g. floating point or XMM ones) during its current scheduled CPU quantum, the hypervisor would make those registers accessible without discarding the values an earlier scheduled vCPU may have left in them.
---------------------------------------------
http://lists.xenproject.org/archives/html/xen-announce/2013-09/msg00005.html
*** VLC 2.1 "Rincewind" is a major new version of our popular media player ***
---------------------------------------------
Rincewind fixes around a thousand bugs, in more than 7000 commits from 140 volunteers.
---------------------------------------------
http://www.videolan.org/vlc/releases/2.1.0.html
*** Google Hangouts sends messages to the wrong people ***
---------------------------------------------
Google's chat tool Hangouts could currently lead to unintentionally embarrassing situations.
---------------------------------------------
http://futurezone.at/produkte/google-hangouts-schickt-nachrichten-an-falsch…
*** IBM Rational ClearQuest JSON Hijacking and Cross-Site Request Forgery Vulnerabilities ***
---------------------------------------------
IBM Rational ClearQuest JSON Hijacking and Cross-Site Request Forgery Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/55010
*** Microsoft releases event and packet analyzer Message Analyzer ***
---------------------------------------------
Message Analyzer, previously available only as a beta version, is now available for download as version 1.0.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsoft-veroeffentlicht-Ereignis-u…
*** How do you monitor DNS?, (Thu, Sep 26th) ***
---------------------------------------------
Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using? The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now: - changes to the zone's serial number - changes to the NS records (using the TLD's name servers, not mine) - changes
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16661&rss
*** Blog: Icefog OpenIOC Release ***
---------------------------------------------
OpenIOC rules for the IceFog campaign
---------------------------------------------
http://www.securelist.com/en/blog/208214070/Icefog_OpenIOC_Release
*** Spear Phishing Poses Threat to Industrial Control Systems ***
---------------------------------------------
While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing. Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have SCADA systems ... should make sure that their anti-phishing programs are in order, say security experts.
---------------------------------------------
http://www.cio.com/article/740402/Spear_Phishing_Poses_Threat_to_Industrial…
*** Barracuda CudaTel Communication Server Cross-Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
Vulnerability Lab has reported multiple vulnerabilities in Barracuda CudaTel Communication Server, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54258
*** Emerson ROC800 Multiple Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for multiple vulnerabilities affecting Emerson Process Management's ROC800 remote terminal unit (RTU) products (ROC800, ROC800L, and DL8000).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-259-01
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 24-09-2013 18:00 − Wednesday 25-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** IBM Rational ClearCase / ClearQuest GSKit Information Disclosure Weakness ***
---------------------------------------------
IBM has acknowledged a weakness in IBM Rational ClearCase and Rational ClearQuest, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused due to a bundled vulnerable version of IBM Global Security ToolKit.
---------------------------------------------
https://secunia.com/advisories/54928
*** 7 Characteristics of a Secure Mobile App ***
---------------------------------------------
Keeping a mobile application secure is tough, but not impossible, and certain aspects of session management can go a long way in helping.
---------------------------------------------
http://www.csoonline.com/article/740266/7-characteristics-of-a-secure-mobil…
*** WordPress Custom Website Data Plugin Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been discovered in the Custom Website Data plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54865
*** Linux Kernel "free_netdev()" Use-After-Free Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to a use-after-free error in the "tun_set_iff()" function (drivers/net/tun.c) and can be exploited to dereference already freed memory.
---------------------------------------------
https://secunia.com/advisories/54753
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54972
*** Vuln: Cisco MediaSense CVE-2013-5502 Information Disclosure Vulnerability ***
---------------------------------------------
Cisco MediaSense is prone to an information-disclosure vulnerability.
A man-in-the-middle attacker may be able to exploit this issue to obtain sensitive information. Information obtained may aid in further attacks.
---------------------------------------------
http://www.securityfocus.com/bid/62601
*** Wordpress simple forum Cross site scripting Vulnerability ***
---------------------------------------------
Exploit Title : Wordpress simple forum Cross site scripting Vulnerability
Exploit Author : Ashiyane Digital Security Team
Software Link : http://wordpress.org
Tested on: Windows 7 , Linux
Date: 2013/09/23
Exploit : Cross site scripting
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090168
*** Bugtraq: CVE-2013-5118 - XSS Good for Enterprise iOS ***
---------------------------------------------
Last month I identified a XSS vulnerability in the Good for Enterprise iOS application.
The vulnerable versions are v2.2.2.1611 and earlier
---------------------------------------------
http://www.securityfocus.com/archive/1/528839
*** Now You See Me – H-worm by Houdini ***
---------------------------------------------
H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm and njRAT/LV
---------------------------------------------
http://www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-…
*** Security Bulletin: IBM Tivoli Composite Application Manager for Transactions affected by vulnerabilities in IBM JRE (Multiple CVEs) ***
---------------------------------------------
IBM Tivoli Composite Application Manager for Transactions is shipped with two IBM JREs that are based on Oracle Java. It is also dependent on ITM 6.2.1 Framework, which also has its own JRE. Oracle has released an April 2013 Critical Patch Update (CPU) that contains security vulnerability fixes and IBM Java is affected. CVE(s): CVE-2013-0401 CVE-2013-0402 CVE-2013-1488 CVE-2013-1491 CVE-2013-1518 CVE-2013-1537 CVE-2013-1540 CVE-2013-1557 CVE-2013-1558 CVE-2013-1561 CVE-2013-1563
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Is mobile anti-virus necessary? ***
---------------------------------------------
Experts disagree over whether or not there are any immediate threats
---------------------------------------------
http://www.csoonline.com/article/740301/is-mobile-anti-virus-necessary-?sou…
*** Social media spam on the rise, says study ***
---------------------------------------------
Recent report from Nexgate points to 355 percent increase in social media spam in 2013 alone
---------------------------------------------
http://www.csoonline.com/article/740292/social-media-spam-on-the-rise-says-…
*** SurgeMail surgeweb interface security bypass ***
---------------------------------------------
SurgeMail could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to other accounts by the surgeweb interface. An attacker could exploit this vulnerability to log in to another user's account.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87335
*** Google Chrome 31.0 Webkit Auditor Bypass ***
---------------------------------------------
Topic: Google Chrome 31.0 Webkit Auditor Bypass
Risk: Low
Title: Chrome 31.0 Webkit XSS Auditor Bypass
Author: Rafay Baloch @rafaybaloch And PEPE Vila
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090173
*** Newly launched E-shop offers access to hundreds of thousands of compromised accounts ***
---------------------------------------------
In a series of blog posts, we’ve highlighted the ongoing commoditization of hacked/compromised/stolen account data (user names and passwords), the direct result of today’s efficiency-oriented cybercrime ecosystem, the increasing availability of sophisticated commercial/leaked DIY undetectable malware generating tools, malware-infected hosts as a service, log files on demand services, as well as basic data mining concepts applied on behalf of the operator of a particular botnet. What
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/iHbGGHj2f1o/
*** Details of the iPhone 5s hack ***
---------------------------------------------
c't documents step by step how Starbug tricks the fingerprint sensor of the iPhone 5S.
---------------------------------------------
http://www.heise.de/newsticker/meldung/c-t-veroeffentlicht-Details-zu-iPhon…
*** elproLOG MONITOR WebAccess Two Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Vulnerability Lab has reported two vulnerabilities in elproLOG MONITOR WebAccess, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54955
*** IT security industry: it-sa 2013 again with a congress, but without an extra fee ***
---------------------------------------------
In 2012, a congress programme accompanied it-sa for the first time. The congress is back again, but no longer has to be paid for separately. There are special talks and exhibitions for computer science students.
---------------------------------------------
http://www.heise.de/newsticker/meldung/IT-Sicherheitsbranche-it-sa-2013-wie…
*** Bugtraq: GreHack 2013 - 15 Nov. Grenoble, France - Conf. Registration OPEN ***
---------------------------------------------
GREHACK 2013 - 2nd International Symposium in Grey-Hat Hacking
2nd Edition - p*wn me i'm famous!
http://grehack.org
https://twitter.com/grehack
Grenoble, France
November 15, 2013
---------------------------------------------
http://www.securityfocus.com/archive/1/528852
*** UK's Get Safe Online? No one cares - run the blockbuster ads instead ***
---------------------------------------------
Something like Jack Bauer's 24 ... whatever it'll take to teach kids how to bat away hackers. The UK's Get Safe Online campaign has failed to teach Brits how to secure their computers - so says the ex top cop who established the information security awareness effort in 2004.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/25/gets_safe_o…
*** Splunk Alert Test Scripts Arbitrary Command Execution Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Splunk, which can be exploited by malicious users to compromise a vulnerable system.
The vulnerabilities are caused due to some errors related to alert testing and troubleshooting scripts and can be exploited to execute arbitrary shell scripts.
The vulnerabilities are reported in versions prior to 5.0.5.
---------------------------------------------
https://secunia.com/advisories/54934
*** Oracle Solaris Tomcat FormAuthenticator Session Hijacking Weakness ***
---------------------------------------------
Oracle has acknowledged a weakness in Tomcat included in Solaris, which can be exploited by malicious people to hijack a user's session.
---------------------------------------------
https://secunia.com/advisories/55033
*** Oracle Solaris Kerberos KDC Two Vulnerabilities ***
---------------------------------------------
Oracle has acknowledged two vulnerabilities in Kerberos included in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially compromise a vulnerable system and by malicious people to potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/55036
*** IBM Sterling External Authentication Server JRE Multiple Vulnerabilities ***
---------------------------------------------
The application bundles a vulnerable version of the Java Runtime Environment (JRE).
---------------------------------------------
https://secunia.com/advisories/55004
*** Several vulnerabilities in extension Apache Solr for TYPO3 (solr) ***
---------------------------------------------
It has been discovered that the extension "Apache Solr for TYPO3" (solr) is vulnerable to Cross-Site Scripting and Insecure Unserialize. Affected Versions: Version 2.8.2 and below
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e…
*** Security issues in several third party TYPO3 extensions ***
---------------------------------------------
Direct Mail (direct_mail)
RealURL: speaking paths for TYPO3 (realurl)
Formhandler (formhandler)
AWStats (cc_awstats)
booking (booking)
ICS AWStats (ics_awstats)
Simple Image Gallery (iflowgallery)
Ratsinformationssystem (RIS) (cronmm_ratsinfo)
Frontend User Registration (ke_userregister)
AWStats with individual access (meta_beawstatsind)
Powermail double opt-in (powermail_optin)
smarty (smarty)
Youtube Channel Videos (youtubevideos)
---------------------------------------------
http://lists.typo3.org/pipermail/typo3-announce/2013/000285.html
*** iPhone Trojan earns money through click fraud ***
---------------------------------------------
An app for jailbroken iPhones that is supposed to enable WebGL functions in the browser also earns its developer revenue from covertly displayed advertising.
---------------------------------------------
http://www.heise.de/newsticker/meldung/iPhone-Trojaner-verdient-mit-Klickbe…
*** ClearSCADA Web Requests Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in ClearSCADA, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54931
*** Oracle Solaris Kerberos kpasswd UDP Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
Oracle has acknowledged a vulnerability in Kerberos included in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/55039
*** Cyber attacks will cause real world harm in next seven years ***
---------------------------------------------
New technologies such as Google Glass and IPv6 will lead to new, deadly forms of cyber attack if current manufacturing security practices continue, according to experts from Europol, Trend Micro and The International Cyber Security Protection Alliance (ICSPA). The experts made the warning in a recently published Scenarios for the Future of Cyber Crime white paper. The paper explored what threats the experts expect to emerge in the next six and a half years ...
---------------------------------------------
http://www.v3.co.uk/v3-uk/analysis/2296357/cyber-attacks-will-cause-real-wo…
*** Secure Domain Name System (DNS) Deployment Guide ***
---------------------------------------------
This document provides deployment guidelines for securing DNS within an enterprise. Because DNS data is meant to be public, preserving the confidentiality of DNS data. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. This document provides extensive guidance on maintaining data integrity and performing source authentication.
---------------------------------------------
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
*** How to Protect Your Privacy on Social Media ***
---------------------------------------------
How do you keep information private on social networking sites? ... Relying on a site’s privacy settings is just the start. While stricter account settings and tools can help you maintain privacy, there are other ways your personal information can leak out to the public. Knowing and addressing these potential privacy risks will help you protect your data.
---------------------------------------------
http://about-threats.trendmicro.com/ebooks/how-to-protect-your-privacy-on-s…
*** Oracle Solaris LibXSLT "xsltDocumentFunction()" and "xsltAddKey()" Denial of Service Vulnerabilities ***
---------------------------------------------
Oracle has acknowledged two vulnerabilities in LibXSLT included in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/55030
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 23-09-2013 18:00 − Tuesday 24-09-2013 18:00
Handler: L. Aaron Kaplan
Co-Handler: L. Aaron Kaplan
*** ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory ***
---------------------------------------------
Nearly two years after a security researcher published details of the hard-coded credentials that ship with a slew of industrial control system products made by Schneider Electric, the company has released updated firmware that fixes the problems. The vulnerabilities, which were discovered by researcher Ruben Santamarta and published in December 2011, affect dozens of products
---------------------------------------------
http://threatpost.com/ics-vendor-fixes-hard-coded-credential-bugs-nearly-tw…
*** Security Bulletin: Multiple vulnerabilities exist in IBM Data Studio Web Console, Optim Performance Manager, IBM InfoSphere Optim Configuration Manager, and DB2 Recovery Expert for Linux, UNIX and Windows (CVE-2013-4025, CVE-2013-4024, CVE-2013-4022) ***
---------------------------------------------
Multiple vulnerabilities exist in IBM Data Studio Web Console, Optim Performance Manager, IBM InfoSphere Optim Configuration Manager, and DB2 Recovery Expert for Linux, UNIX and Windows which could allow an attacker to view sensitive information or perform actions as a compromised user. CVE(s): CVE-2013-4025, CVE-2013-4024, CVE-2013-4022 Affected product(s) and affected version(s): IBM Data Studio Web Console versions v3.1.x Optim Performance Manager for DB2 on LUW v5.1.x IBM InfoSphere
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Vuln: Moodle CVE-2013-4313 SQL Injection Vulnerability ***
---------------------------------------------
Moodle CVE-2013-4313 SQL Injection Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/62410
*** Citrix XenClient XT Multiple Vulnerabilities ***
---------------------------------------------
Citrix XenClient XT Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54625
*** Cybercriminals experiment with Android compatible, Python-based SQL injecting releases ***
---------------------------------------------
Throughout the years, cybercriminals have been perfecting the process of automatically abusing Web application vulnerabilities to achieve their fraudulent and malicious objectives. From the utilization of botnets and search engines to perform active reconnaissance, the general availability of DIY mass SQL injecting tools as well as proprietary malicious script injecting exploitation platforms, the results have been evident ever since in the form of tens of thousands of affected Web sites on a
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/uFxqe3lj6ak/
*** Joomla JVideoClip Blind SQL Injection ***
---------------------------------------------
Topic: Joomla JVideoClip Blind SQL Injection Risk: Medium Text: == Joomla Component com_jvideoclip (cid|uid|id) Blind SQL Injection / SQL Injection ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090161
*** WordPress fGallery_Plus Cross Site Scripting ***
---------------------------------------------
Topic: WordPress fGallery_Plus Cross Site Scripting Risk: Low Text: # Iranian Exploit DataBase Forum # http://iedb.ir/acc # http://iedb...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090160
*** AspxCommerce 2.0 Shell Upload ***
---------------------------------------------
Topic: AspxCommerce 2.0 Shell Upload Risk: High Text: # Exploit Title: AspxCommerce v2.0 - Arbitrary File Upload Vulnerability # Exploit Author: SANTHO (@s4n7h0) # Vendor Homepage...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090159
*** H1 2013 Threat Report ***
---------------------------------------------
Our H1 2013 Threat Report is now online: You'll find it, as well as our previous reports, available for download here. On 24/09/13 At 06:57 AM
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002611.html
*** Attacks Using Microsoft IE Exploit Tied to Hacking Crew Linked to Bit9 Breach ***
---------------------------------------------
Security researchers at FireEye have observed a campaign targeting organizations in Japan that is leveraging the Internet Explorer zero-day Microsoft warned users about last week. The campaign has been dubbed Operation DeputyDog, and is believed to have begun as early as August 19. According to FireEye, the attackers behind the operation may be the same ones involved in last year's attack on Bit9, a group researchers at Symantec recently identified as a hacking crew called Hidden Lynx
---------------------------------------------
http://www.securityweek.com/attacks-using-microsoft-ie-exploit-tied-hacking…
*** D-Link DSL-2740B Router Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
D-Link DSL-2740B Router Cross-Site Request Forgery Vulnerability
---------------------------------------------
https://secunia.com/advisories/54795
*** Blog: Exposing the security weaknesses we tend to overlook ***
---------------------------------------------
---------------------------------------------
http://www.securelist.com/en/blog/8132/Exposing_the_security_weaknesses_we_…
*** Cyberwar against Heidiland - Record of an attack ***
---------------------------------------------
They are trying to destroy evidence. The IT forensics expert has been on the trail, for weeks, of hackers who launched one of the largest cyberattacks worldwide. An offensive against military and civilian targets: against a telecommunications group in Norway, against the car maker Porsche, an international airport in India and political groups in Pakistan.
---------------------------------------------
http://www.sonntagszeitung.ch/wirtschaft/artikel-detailseite/?newsid=262774
*** "3": Serious security hole allowed access to customer data ***
---------------------------------------------
A faulty password reset allowed access to contact data and voice messages, among other things
---------------------------------------------
http://derstandard.at/1379291849554
*** Unofficial iMessage app for Android raises security concerns ***
---------------------------------------------
App reportedly routes communication through servers in China - users are warned against using it
---------------------------------------------
http://derstandard.at/1379291880414
*** TRENDnet Multiple Products libupnp Buffer Overflow Vulnerabilities ***
---------------------------------------------
TRENDnet Multiple Products libupnp Buffer Overflow Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54762
*** [remote] - Raidsonic NAS Devices Unauthenticated Remote Command Execution ***
---------------------------------------------
Raidsonic NAS Devices Unauthenticated Remote Command Execution
---------------------------------------------
http://www.exploit-db.com/exploits/28508
*** [local] - IBM AIX 6.1 / 7.1 - Local root Privilege Escalation ***
---------------------------------------------
IBM AIX 6.1 / 7.1 - Local root Privilege Escalation
---------------------------------------------
http://www.exploit-db.com/exploits/28507
*** Tenable SecurityCenter "message" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Tenable SecurityCenter "message" Cross-Site Scripting Vulnerability
---------------------------------------------
https://secunia.com/advisories/54997
*** IBM Rational ClearCase / ClearQuest GSKit Information Disclosure Weakness ***
---------------------------------------------
IBM Rational ClearCase / ClearQuest GSKit Information Disclosure Weakness
---------------------------------------------
https://secunia.com/advisories/54928
*** 7 Characteristics of a Secure Mobile App ***
---------------------------------------------
Keeping a mobile application secure is tough, but not impossible, and certain aspects of session management can go a long way in helping.
---------------------------------------------
http://www.csoonline.com/article/740266/7-characteristics-of-a-secure-mobil…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 20-09-2013 18:00 − Monday 23-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** PHP updates released 19 SEP 2013 ***
---------------------------------------------
PHP 5.5.4 (Current Stable)
PHP 5.4.20 (Old Stable)
http://www.php.net/downloads.php
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16631&rss
*** Cybercriminals experiment with Socks4/Socks5/HTTP malware-infected hosts based DIY DoS tool ***
---------------------------------------------
Based on historical evidence gathered during some of the major 'opt-in botnet' type of crowdsourced DDoS (distributed denial of service) attack campaigns that took place over the last couple of years, the distribution of point'nclick DIY DoS (denial of service attack) tools continues representing a major driving force behind the success of these campaigns. A newly released DIY DoS tool aims to empower technically unsophisticated users with the necessary expertise to launch
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/QlgGvHwB40s/
*** Bugtraq: [security bulletin] HPSBST02919 rev.1 - HP XP P9000 Command View Advanced Edition Suite Software, Remote Cross Site Scripting (XSS) ***
---------------------------------------------
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP XP P9000
Command View Advanced Edition Suite Software. The vulnerability could be
remotely exploited resulting in Cross Site Scripting (XSS).
References: CVE-2013-4814 (SSRT101302)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP P9000 Command View Advanced Edition Suite Software v 7.0.0-00 to
earlier than 7.5.0-02 (Windows, Linux).
---------------------------------------------
http://www.securityfocus.com/archive/1/528763
*** BLYPT: A New Backdoor Family Installed via Java Exploit ***
---------------------------------------------
Recently, we have observed a new backdoor family which we've called BLYPT. This family is called BLYPT because of its use of binary large objects (blobs) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/nVQjUHp2Xcc/
*** Another critical security hole surfaces in iOS 7 ***
---------------------------------------------
A bug in the emergency-call function allows any number to be dialled despite the lock screen.
---------------------------------------------
http://futurezone.at/produkte/iphone-weitere-kritische-sicherheitsluecke-in…
*** Linksys WRT110 Remote Command Execution ***
---------------------------------------------
Topic: Linksys WRT110 Remote Command Execution
Risk: High
Text: Metasploit Framework module (header: "This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions.")
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090147
*** Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets ***
---------------------------------------------
FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled 'Operation DeputyDog', began as early as August 19, 2013 and appears to have targeted organizations in Japan.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-depu…
*** Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893) ***
---------------------------------------------
In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the APT Campaign Operation DeputyDog. The campaign leveraged a zero day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and 'Fix it' blog post.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-depu…
*** Attack of the routers ***
---------------------------------------------
c't analyses a very unusual botnet: it consists of routers, including ones in Germany.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Angreifer-kapern-Router-1963578.html
*** IDF Hackers Test Readiness In Israel For Cyberattacks ***
---------------------------------------------
cold fjord points out a profile in Al-Monitor of Israel's cyber-defense group, formed to test the country's defenses to electronic warfare and information theft. Groups, really, since it's run blue-vs-red style, with constant scenario preparation and intrusion attempts. The two (anonymized) leaders of the Blue and Red teams talk about the mind-set and skills that it takes to be in their unit, which they point out is not the place for soda and pizza hijinks. Says "Capt. A": "We are
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/VvdZRjzDjUk/story01.htm
*** [webapps] - Wordpress Lazy SEO plugin Shell Upload Vulnerability ***
---------------------------------------------
Wordpress Lazy SEO plugin Shell Upload Vulnerability
---------------------------------------------
http://www.exploit-db.com/exploits/28452
*** Cybercriminals sell access to tens of thousands of malware-infected Russian hosts ***
---------------------------------------------
Today's modern cybercrime ecosystem offers everything a novice cybercriminal would need to quickly catch up with fellow/sophisticated cybercriminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the most popular
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/cRy7OE78zU0/
*** Bugtraq: [ANN] Struts 2.3.15.2 GA release available - security fix ***
---------------------------------------------
The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
available as a "General Availability" release. The GA designation is
our highest quality grade.
...
This release includes important security fixes:
- S2-018 - Broken Access Control Vulnerability in Apache Struts2
- S2-019 - Dynamic Method Invocation disabled by default
---------------------------------------------
http://www.securityfocus.com/archive/1/528801
*** BlackBerry withdraws Messenger app for iOS and Android ***
---------------------------------------------
The apps that were meant to bring the BlackBerry Messenger service to iOS and Android were withdrawn after an unfinished Android version leaked.
---------------------------------------------
http://futurezone.at/produkte/blackberry-zieht-messenger-app-fuer-ios-und-a…
*** Apple withdraws Apple TV update 6.0 ***
---------------------------------------------
After update problems, Apple has apparently withdrawn the update for now. Among other things, it was to deliver iTunes Radio support for US customers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Apple-zieht-Apple-TV-Update-6-0-zuru…
*** Chaos Computer Club hacks Apple's Touch ID ***
---------------------------------------------
The iPhone 5S fingerprint sensor can be fooled with well-known means; the CCC calls Touch ID a "dumb idea".
---------------------------------------------
http://derstandard.at/1379291683079
*** F5 BIG-IP APM Access Policy Logout Page Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been reported in F5 BIG-IP APM, which can be exploited by malicious people to conduct cross-site scripting attacks.
...
The vulnerability is reported in versions 10.1.0 through 10.2.4 and versions 11.1.0 through 11.3.0.
---------------------------------------------
https://secunia.com/advisories/54941
*** Apple TV Multiple Vulnerabilities ***
---------------------------------------------
A weakness and some vulnerabilities have been reported in Apple TV, which can be exploited by malicious people with physical access to bypass certain security restrictions and by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable device.
---------------------------------------------
https://secunia.com/advisories/54961
*** Data Exfiltration in Targeted Attacks ***
---------------------------------------------
Data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location which a threat actor controls. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups. Figure 1. Targeted Attack Campaign Diagram
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/bvRuzyNih3k/
*** Analysis: Spam in August 2013 ***
---------------------------------------------
The percentage of spam in email traffic in August was down 3.6 percentage points and averaged 67.6%.
---------------------------------------------
http://www.securelist.com/en/analysis/204792306/Spam_in_August_2013
*** Encryption on the web: TLS is to become more secure ***
---------------------------------------------
The encryption protocol most widely used on the web suffers from a design flaw. It could be fixed relatively easily if the standards body plays along.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Verschluesselung-im-Web-TLS-soll-sic…
*** C3CM: Part 1 - Nfsight with Nfdump and Nfsen ***
---------------------------------------------
Part one of our three-part series on C3CM will utilize Nfsight with Nfdump, Nfsen, and fprobe to conduct our identification phase. These NetFlow tools make much sense when attempting to identify the behavior of your opponent on high-volume networks that don't favor full-packet capture or inspection.
---------------------------------------------
http://holisticinfosec.org/toolsmith/pdf/august2013.pdf
*** C3CM: Part 2 - BroIDS with Logstash and Kibana ***
---------------------------------------------
Where, in part one of this three-part series, we utilized Nfsight with Nfdump, Nfsen, and fprobe to conduct our identification phase, we'll use BroIDS (Bro), Logstash, and Kibana as part of our interrupt phase.
---------------------------------------------
http://holisticinfosec.org/toolsmith/pdf/september2013.pdf
*** Citrix CloudPortal Services Manager Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Citrix CloudPortal Services Manager, where some have an unknown impact and another can be exploited by malicious users to bypass certain security restrictions.
...
The vulnerabilities are reported in versions 10.0 Cumulative Update 2 and prior.
---------------------------------------------
https://secunia.com/advisories/54664
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and by malicious, local users to potentially gain escalated privileges.
---------------------------------------------
https://secunia.com/advisories/54900
*** BitTorrent hiccup at Twitter causes concern ***
---------------------------------------------
A technical problem at Twitter caused the social network to serve torrent files to users instead of the HTML code of its share buttons, which alarmed a number of website visitors.
---------------------------------------------
http://www.heise.de/newsticker/meldung/BitTorrent-Schluckauf-bei-Twitter-lo…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 19-09-2013 18:00 − Friday 20-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Matthias Fraidl
*** Can Companies Fight Against Targeted Attacks? ***
---------------------------------------------
There are various reasons why targeted attacks can happen to almost any company. One of the biggest reasons is theft of a company's proprietary information. There are many types of confidential data that could be valuable. Intellectual property is often the first thing that comes to mind.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/can-companies-fi…
*** Apple's iOS 7 Update Fixes 80 Security Bugs ***
---------------------------------------------
Yesterday's iOS 7 update brought a slew of bug fixes, 80 in total, to Apple devices.
---------------------------------------------
http://threatpost.com/apples-ios-7-update-fixes-80-security-bugs/102356
*** Vertexnet Botnet Hides Behind AutoIt ***
---------------------------------------------
Recently we found some new malware samples using AutoIt to hide themselves. On further analysis we found that those samples belong to the Vertexnet botnet. They use multiple layers of obfuscation; once decoded, they connect to a control server to accept commands and transfer stolen data. This sample is packed using a custom packer.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/vertexnet-botnet-hides-behind-autoit
*** Experts Worry About Long-Term Implications of NSA Revelations ***
---------------------------------------------
With all of the disturbing revelations that have come to light in the last few weeks regarding the NSA's collection methods and its efforts to weaken cryptographic protocols and security products, experts say that perhaps the most worrisome result of all of this is that no one knows who or what they can trust anymore.
---------------------------------------------
http://threatpost.com/experts-worry-about-long-term-implications-of-nsa-rev…
*** Sophos UTM Unspecified WebAdmin Flaw Has Unspecified Impact ***
---------------------------------------------
Sophos UTM Unspecified WebAdmin Flaw Has Unspecified Impact
---------------------------------------------
http://www.securitytracker.com/id/1029039
*** Cisco Intrusion Prevention System Authentication Manager Process Flaw Lets Remote Users Deny Service ***
---------------------------------------------
Cisco Intrusion Prevention System Authentication Manager Process Flaw Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1029057
*** Massive security hole discovered in iOS 7 ***
---------------------------------------------
Despite the screen lock, photos, and through them contacts or Twitter, can be accessed on iPhones and iPads running iOS 7. The starting point is the new Control Center.
---------------------------------------------
http://futurezone.at/produkte/apple-massive-sicherheitsluecke-in-ios-7-entd…
*** Western Digital Arkeia Remote Code Execution ***
---------------------------------------------
Western Digital Arkeia Remote Code Execution
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090143
*** HP ArcSight Enterprise Security Manager Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
HP ArcSight Enterprise Security Manager Input Validation Flaw Permits Cross-Site Scripting Attacks
---------------------------------------------
http://www.securitytracker.com/id/1029069
*** Security company warns about NSA algorithm ***
---------------------------------------------
Random number generator Dual EC DRBG set up as the default in BSAFE and Data Protection Manager
---------------------------------------------
http://derstandard.at/1379291450962
*** FTC complaint: TrendNet's IP cameras are not secure ***
---------------------------------------------
The US trade commission has obliged TrendNet to take extensive measures to secure its network cameras. The trigger was a vulnerability uncovered in 2012 through which unauthorized parties could access the live streams of hundreds of TrendNet customers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/FTC-Beschwerde-TrendNets-IP-Kameras-…
*** The Small Biz 5 Step Plan to Security Breach Recovery ***
---------------------------------------------
Why do Internet criminals favor small and medium sized businesses? One reason is because many are suppliers and partners of large corporate entities offering a convenient pathway to these partners' networks. Although most SMBs will not experience a security breach, many will. So, how can your business recover following a hacking incident?
---------------------------------------------
http://www.business2community.com/small-business/small-biz-5-step-plan-secu…
*** OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution ***
---------------------------------------------
OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution
---------------------------------------------
http://www.exploit-db.com/exploits/28408
*** Cisco AnyConnect Secure Mobility Client Directory Access Permissions Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
Cisco AnyConnect Secure Mobility Client Directory Access Permissions Lets Local Users Gain Elevated Privileges
---------------------------------------------
http://www.securitytracker.com/id/1029063
*** HP IceWall Multiple Products Multiple Vulnerabilities ***
---------------------------------------------
HP IceWall Multiple Products Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54930
*** Now Registering for Classes at Cybercrime U #INTH3WILD ***
---------------------------------------------
As summer comes to a close, students all over the world are heading back to the classroom even in the cyber underground. Over the last few weeks, RSA has observed a spike in the availability of cybercrime courses, lessons, counseling and tutoring that are being offered to help fraudsters achieve their career goals.
---------------------------------------------
https://blogs.rsa.com/now-registering-classes-cybercrime-u/
*** Yet another `malware-infected hosts as anonymization stepping stones` service offering access to hundreds of compromised hosts spotted in the wild ***
---------------------------------------------
The general availability of DIY malware generating tools continues to contribute to the growth of the `malware-infected hosts as anonymization stepping stones` Socks4/Socks5/HTTP type of services, with new market entrants entering this largely commoditized market segment on a daily basis. Thanks to the virtually non-attributable campaigns that could be launched through the use of malware-infected hosts, ...
---------------------------------------------
http://www.webroot.com/blog/2013/09/20/yet-another-malware-infected-hosts-a…
*** Cisco AnyConnect VPN Client Secure Mobility Client Mac OS X Privilege Escalation Vulnerability ***
---------------------------------------------
Cisco AnyConnect VPN Client Secure Mobility Client Mac OS X Privilege Escalation Vulnerability
---------------------------------------------
https://secunia.com/advisories/54929
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 18-09-2013 18:00 − Thursday 19-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Matthias Fraidl
*** Security Bulletin: Buffer Overflow Vulnerability in IBM iNotes (CVE-2013-4068) ***
---------------------------------------------
IBM iNotes 8.5.3 and 9.0 are at risk from a buffer overflow vulnerability. The fix for this issue is available in IBM Domino 8.5.3 Fix Pack 5 Interim Fix 1 and IBM Domino 9.0 Interim Fix 4.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_buf…
*** Cisco DCNM Update Released, (Wed, Sep 18th) ***
---------------------------------------------
We continue to see web applications deployed to manage datacenter functions. And I'm sorry to say, we continue to see security issues in these applications - some of them so simple a quick run-through with Burp or ZAP would red-flag them. In that theme, today Cisco posts updates to DCNM (Cisco Prime Data Center Network Manager).
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16613&rss
*** How to avoid unwanted software ***
---------------------------------------------
We've all seen it; maybe it's on your own computer, or that of a friend, your spouse, child, or parent. Your home page has been changed to some search engine you've never heard of, there's a new, annoying toolbar in your browser. Maybe you're getting popup ads or have a rogue security product claiming you're infected and asking you to buy the program to remove the infection. Even worse, you don't know how it got there!
---------------------------------------------
http://www.webroot.com/blog/2013/09/18/avoid-unwanted-software/
*** More Goodies in the Apple Security Update Basket!, (Wed, Sep 18th) ***
---------------------------------------------
APPLE-SA-2013-09-18-3: An OS X update that fixes a situation where the hostname in a certificate is not checked against the actual hostname. This vulnerability means that anyone with a valid certificate can impersonate any host; lots of attack applications in this when combined with MITM or DNS hijack attacks.
APPLE-SA-2013-09-18-2: An absolute TON of updates for iOS, which should be no surprise in a new version.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16619&rss
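The OS X flaw above is the absence of a single step: after the certificate chain has been validated, the client must still confirm that a name in the leaf certificate is the host it intended to reach; without that step any certificate issued by a trusted CA passes for any server. The following is an added illustration, not Apple's code or the ISC diary's: it implements the hostname check over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (subjectAltName pairs plus a subject sequence), applies the RFC 6125 wildcard rules, and models the decision with and without the check. The certificate data is constructed for the example.

```python
"""Hostname verification of the kind the OS X fix restores.
Added example, not Apple's code. Certificate dicts mimic ssl.getpeercert();
the sample certificates at the bottom are constructed."""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname (RFC 6125 6.4.3).
    Comparison is case-insensitive; a trailing dot is ignored. A wildcard is
    accepted only as the entire left-most label, must leave at least two fixed
    labels (so "*.com" never matches), and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False            # partial wildcards like "f*.example" are refused
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False            # "*" never spans "a.b" and never matches ""
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for `hostname`.
    If the certificate carries any dNSName or iPAddress SAN, the Common Name
    is ignored (RFC 6125 6.4.4); the CN is only a fallback for legacy certs."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    if host_ip is not None:
        # An IP literal must equal an iPAddress SAN; no wildcard, no CN fallback.
        return any(ipaddress.ip_address(ip) == host_ip for ip in ip_names)
    if dns_names or ip_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def accept_peer(cert: dict, hostname: str, check_hostname: bool = True) -> bool:
    """The client's decision after chain validation (assumed to have passed).
    With check_hostname=False this reproduces the described flaw: any valid
    certificate is accepted for any host."""
    if not check_hostname:
        return True
    return cert_matches_hostname(cert, hostname)


# Constructed sample certificates (shape of ssl.getpeercert(), not real certs).
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
CN_IGNORED_CERT = {
    "subject": ((("commonName", "b.example"),),),
    "subjectAltName": (("DNS", "a.example"),),
}
```

Run against a live socket, the same decision is what `ssl.create_default_context()` makes for you when `check_hostname` is left at its default of True; the example exists to show what that flag actually does and why a client that skips it is exposed to exactly the impersonation the advisory describes.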
*** Cisco NX-OS BGP Regex Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
Cisco NX-OS BGP Regex Processing Flaw Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1029048
*** Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE ***
---------------------------------------------
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE, which fixes the security vulnerabilities reported in Oracle's Critical Patch Update releases of April and June 2013.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Tivoli Monitoring Basic Services Vulnerabilities (CVE-2013-2960, CVE-2013-2961 , CVE-2013-0548, CVE-2013-0551) ***
---------------------------------------------
Several vulnerabilities have been resolved in the Basic Services component of IBM Tivoli Monitoring. These vulnerabilities could potentially have caused a denial of service or Cross Site Scripting (XSS) exposure. CVE(s): CVE-2013-2960, CVE-2013-2961, CVE-2013-0548, and CVE-2013-0551
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Bugtraq: Wordpress Plugin Complete Gallery Manager 3.3.3 - Arbitrary File Upload Vulnerability ***
---------------------------------------------
Wordpress Plugin Complete Gallery Manager 3.3.3 - Arbitrary File Upload Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/528721
*** New IE Zero Day is Actively Exploited In Targeted Attacks ***
---------------------------------------------
Just a week after September Patch Tuesday, Microsoft had to rush out a "Fix It" workaround tool to address a new zero-day Internet Explorer vulnerability (CVE-2013-3893), which is reportedly being actively exploited in certain targeted attacks. As Microsoft advised, the exploit targets a use-after-free vulnerability in IE's HTML rendering engine (mshtml.dll).
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie-zero-day-…
*** Drupal Google Site Search 6.x / 7.x Cross Site Scripting ***
---------------------------------------------
Topic: Drupal Google Site Search 6.x / 7.x Cross Site Scripting
Risk: Low
View online: https://drupal.org/node/2092395
Advisory ID: DRUPAL-SA-CONTRIB-2013-077
Project: Google Site Search [1...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090133
*** Hidden Lynx ***
---------------------------------------------
Symantec has tracked down a hacker group said to have attacked hundreds of organizations.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hidden-Lynx-Raffinierte-Auftrags-Hac…
*** EvilGrab Malware Family Used In Targeted Attacks In Asia ***
---------------------------------------------
Recently, we spotted a new malware family that was being used in targeted attacks: the EvilGrab malware family. It is called EvilGrab due to its behavior of grabbing audio, video, and screenshots from affected machines. The most common arrival vector for EvilGrab malware is spear phishing messages with malicious Microsoft Office attachments.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware…
*** ENISA Threat Landscape mid year 2013 ***
---------------------------------------------
ENISA today presented its list of top cyber threats, as a first "taste" of its interim Threat Landscape 2013 report. The study analyses 50 reports, and identifies an increase in threats to: infrastructure through targeted attacks; mobile devices; and social media identity thefts carried out by cyber-criminals over Cloud services.
---------------------------------------------
https://www.enisa.europa.eu/activities/risk-management/evolving-threat-envi…
*** Apple closes critical iTunes hole ***
---------------------------------------------
The update to iTunes version 11.1 not only brings the streaming service "iTunes Radio", it also closes a vulnerability in the ActiveX plug-in.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Apple-schliesst-kritische-iTunes-Lue…
*** Apple Xcode GIT "git-imap-send" SSL Certificate Verification Security Issue ***
---------------------------------------------
Apple Xcode GIT "git-imap-send" SSL Certificate Verification Security Issue
---------------------------------------------
https://secunia.com/advisories/54887
*** iOS 7 Security Prompts ***
---------------------------------------------
Apple's iOS 7 was released yesterday. And it has some nice new security prompts...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002610.html
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 17-09-2013 18:00 − Wednesday 18-09-2013 18:00
Handler: Christian Wojner
Co-Handler: Matthias Fraidl
*** WordPress Simple Dropbox Upload Plugin Arbitrary File Upload Vulnerability ***
---------------------------------------------
WordPress Simple Dropbox Upload Plugin Arbitrary File Upload Vulnerability
---------------------------------------------
https://secunia.com/advisories/54856
*** Microsoft Releases Security Advisory 2887505 ***
---------------------------------------------
Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-secur…
*** Securo-boffins link HIRED GUN hackers to Aurora, Bit9 megahacks ***
---------------------------------------------
Researchers: It was resourceful Hidden Lynx crew wot done it
Security researchers have linked the 'Hackers for hire' Hidden Lynx Group with a number of high-profile attacks, including an assault on net security firm Bit9, as well as the notorious Operation Aurora assault against Google and other hi-tech firms back in 2009.
---------------------------------------------
http://www.theregister.co.uk/2013/09/17/chinese_hackers4hire_crew/
*** Secure on Social Networks ***
---------------------------------------------
During the past few years, the popularity of social networks has grown tremendously. They have come to form an important part of our communication. Although social networks offer a useful and fun interactive platform for the exchange and provision of information, they also present various security and privacy risks. This factsheet offers you an overview of the risks involved in participation in social networks.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** Study finds fraudsters foist one-third of all Tor traffic ***
---------------------------------------------
Anonymizing network disproportionately associated with online skullduggery
People who access the internet through the anonymizing Tor network are much more likely to be up to no good than are typical internet users, according to a study by online reputation tracking firm Iovation.
---------------------------------------------
http://www.theregister.co.uk/2013/09/18/study_finds_onethird_of_all_tor_tra…
*** Look at risk before leaping into BYOD, report cautions ***
---------------------------------------------
Risk management critical to skirting pitfalls of permitting personal devices in the office
---------------------------------------------
http://www.csoonline.com/article/739937/look-at-risk-before-leaping-into-by…
*** Connecting the Dots: Fake Apps, Russia, and the Mobile Web ***
---------------------------------------------
The existence of fake mobile apps poses privacy and financial risks to users of the mobile web. As experts figure out the dangers of the consumerization and the lack of security of mobile devices, fake apps continue to grow.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/connecting-the-d…
*** IBM Domino / iNotes Buffer Overflow Vulnerability ***
---------------------------------------------
IBM Domino / iNotes Buffer Overflow Vulnerability
---------------------------------------------
https://secunia.com/advisories/54895
*** Fraudsters lure smartphone users with bogus G Data advertising ***
---------------------------------------------
Advertising in Android applications aims to entice users into signing up for expensive premium SMS subscriptions. G Data is taking legal action against the misuse of its brand name.
---------------------------------------------
http://www.heise.de/security/meldung/Betrueger-locken-Smartphone-Nutzer-mit…
*** Mozilla Firefox / Thunderbird Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Mozilla Firefox and Thunderbird, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/54892
*** Researchers can slip an undetectable trojan into Intel's Ivy Bridge CPUs ***
---------------------------------------------
New technique bakes super stealthy hardware trojans into chip silicon.
---------------------------------------------
http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectabl…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-09-2013 18:00 − Dienstag 17-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ZeuS/ZBOT: Most Distributed Malware by Spam in August ***
---------------------------------------------
In our 2Q Security Roundup, we noted the resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today. For the month of August, 23% of spam with malicious...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/7c3B-kxDrTA/
*** Dropbox Installation Hinders ASLR ***
---------------------------------------------
The popular cloud storage service Dropbox is reportedly undercutting the efficacy of address space layout randomization (ASLR) by failing to enable that feature within the dynamic link libraries (DLLs) it injects into other applications.
---------------------------------------------
http://threatpost.com/dropbox-installation-hinders-aslr/102304
*** Not So Fast on BEAST Attack Mitigations ***
---------------------------------------------
The BEAST attacks, once thought mitigated, may again be viable because of weaknesses in RC4 rendering server-side mitigation moot, and Apple's reluctance to enable the 1/n-1 split client-side mitigation by default.
---------------------------------------------
http://threatpost.com/not-so-fast-on-beast-attack-mitigations/102308
*** Mac OS X Security Configuration Guides ***
---------------------------------------------
The Security Configuration Guides provide an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer. The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer.
---------------------------------------------
https://ssl.apple.com/support/security/guides/
*** Google knows nearly every Wi-Fi password in the world ***
---------------------------------------------
If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. ... Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn't change it. I suspect that many Android users have never even seen the configuration option controlling this.
---------------------------------------------
http://blogs.computerworld.com/android/22806/google-knows-nearly-every-wi-f…
*** With XP's End of Life, Munich Will Distribute Ubuntu CDs ***
---------------------------------------------
SmartAboutThings writes "Windows XP is going to officially die and stop receiving support from Microsoft in April, 2014. After that very moment, it is said to become a gold mine for hackers all over the world who will exploit zero-day vulnerabilities. The municipality of the German city of Munich wants to stop that from happening [and] has decided to distribute free CDs with Ubuntu 12.04 to users of the almost extinct XP. Munich, through its Gasteig Library, will prepare around 2000 CDs...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/fH6x8koNgKU/story01.htm
*** A Random Diary, (Tue, Sep 17th) ***
---------------------------------------------
The current discussion about breaking encryption algorithms has one common thread: random number generators. No matter the encryption algorithm, if your encryption keys are not random, the algorithm can be brute forced much more easily than theoretically predicted based on the strength of the algorithm. All encryption algorithms depend on good random keys, and generating good random numbers has long been a problem. In Unix systems for example, you will have two random devices: /dev/random and...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16592&rss
*** Mitsubishi MC-WorkX Suite Insecure ActiveX Control ***
---------------------------------------------
ICS-CERT is aware of a public report of an insecure ActiveX Control vulnerability in the Mitsubishi MC-WorkX Suite - IcoLaunch.dll with proof-of-concept (PoC) exploit code affecting Mitsubishi MC-WorkX Suite, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the PoC allows crafting a Login Client button, which when clicked by the victim, can launch malicious code from a remote share...
---------------------------------------------
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-259-01
*** Moodle external.php cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87148
*** Moodle null byte SQL injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/87149
*** [remote] - Sophos Web Protection Appliance sblistpack Arbitrary Command Execution ***
---------------------------------------------
http://www.exploit-db.com/exploits/28334
*** [remote] - D-Link Devices UPnP SOAP Telnetd Command Execution ***
---------------------------------------------
http://www.exploit-db.com/exploits/28333
*** IBM Tivoli Composite Application Manager for Transactions Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54849
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-09-2013 18:00 − Montag 16-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Microsoft reissues September patches after user complaints ***
---------------------------------------------
A fix to fix the fixes that didn't. Problems with Microsoft's last round of operating system and application patches have forced the company to reissue part of the update on Friday.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/microsoft_r…
*** ProFTPd mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication ***
---------------------------------------------
Topic: ProFTPd mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
Risk: High
Text: ProFTPd installs with mod_sftp and mod_sftp_pam activated contain the vulnerability described in this post. The current stab...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090109
*** Long passwords bring Django web apps to a halt ***
---------------------------------------------
The free web framework Django does not check submitted passwords for length before hashing them. Attackers can use this for DoS attacks.
---------------------------------------------
http://www.heise.de/security/meldung/Lange-Passwoerter-legen-Djangos-Webapp…
*** Proceedings of the D.A.CH Security 2013 conference ***
---------------------------------------------
The two-day working conference D.A.CH Security 2013 aims to paint a comprehensive picture of the current state of IT security in numerous talks. The speakers' contributions are collected in a companion volume to the conference.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Tagungsband-zur-Fachkonferenz-D-A-CH…
*** Masscan: the entire Internet in 3 minutes ***
---------------------------------------------
Masscan is the fastest port scanner, more than 10 times faster than any other port scanner. As the screenshot shows, it can transmit 25 million packets/second, which is fast enough to scan the entire Internet in just under 3 minutes. The system doing this is just a typical quad-core desktop processor. The only unusual part of the system is the dual-port 10-gbps Ethernet card (most computers have only 1-gbps Ethernet).
---------------------------------------------
http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html
*** CSRF Vulnerability in eBay Allows Hackers to Hijack User Accounts ***
---------------------------------------------
IT consultant and tech enthusiast Paul Moore has identified a few security issues on eBay, including a cross-site request forgery (CSRF or XSRF) vulnerability that can be exploited by hackers to compromise user accounts. The expert has found that the eBay page which lets users update their profile is vulnerable to XSRF. That's because the field which links it to the user's active cookie is missing.
---------------------------------------------
http://news.softpedia.com/news/CSRF-Vulnerability-in-eBay-Allows-Hackers-to…
*** Mac OS X Security Configuration Guides ***
---------------------------------------------
The Security Configuration Guides provide an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer. The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer.
---------------------------------------------
https://ssl.apple.com/support/security/guides/
*** Google knows nearly every Wi-Fi password in the world ***
---------------------------------------------
If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. ... Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn't change it. I suspect that many Android users have never even seen the configuration option controlling this.
---------------------------------------------
http://blogs.computerworld.com/android/22806/google-knows-nearly-every-wi-f…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-09-2013 18:00 − Freitag 13-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Symantec to start revoking customers SSL certificates by October 1 ***
---------------------------------------------
... Symantec will revoke SSL certificates that are using something other than 2048-bit keys.
The security giant is making this move as a preemptive measure against the pending December 31 deadline imposed by the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology (NIST) for Certificate Authorities to halt the issue of 1024-bit certificates.
---------------------------------------------
http://www.csoonline.com/article/739590/symantec-to-start-revoking-customer…
*** Suspected zero-day vulnerability in OpenX and Revive ***
---------------------------------------------
As heise reports, there is currently a suspected zero-day vulnerability in the ad server software OpenX (and its fork Revive). It is allegedly already being actively exploited. For lack of detailed information we cannot verify this, and so far we have heard no other reports of active exploitation of this vulnerability.
---------------------------------------------
http://www.cert.at/services/blog/20130912163815-950.html
*** Debian update for mediawiki ***
---------------------------------------------
Debian has issued an update for mediawiki. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information.
---------------------------------------------
https://secunia.com/advisories/54787
*** Apple releases OS X 10.8.5 ***
---------------------------------------------
The latest Mountain Lion version is meant to fix, among other things, problems with Apple Mail and file transfers over 802.11ac. Security updates for Lion and Snow Leopard were also released.
---------------------------------------------
http://www.heise.de/security/meldung/Apple-veroeffentlicht-OS-X-10-8-5-1955…
*** WordPress Multiple Vulnerabilities ***
---------------------------------------------
A weakness, a security issue, and a vulnerability have been reported in WordPress, which can be exploited by malicious users to bypass certain security restrictions and compromise a vulnerable system and by malicious people to conduct spoofing attacks.
---------------------------------------------
https://secunia.com/advisories/54803
*** IBM WebSphere Message Broker Information Center Multiple Vulnerabilities ***
---------------------------------------------
A security issue and a vulnerability have been reported in IBM WebSphere Message Broker, which can be exploited by malicious people to disclose certain sensitive information and conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54835
*** Stealthy Dopant-Level Hardware Trojans ***
---------------------------------------------
DoctorBit writes "A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/wd-ZoysTfmA/story01.htm
*** Cisco Unified MeetingPlace Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Unified MeetingPlace, which can be exploited by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/54768
*** Security Bulletin: Vulnerability in IBM Analytical Decision Management (CVE-2013-4047, CVE-2013-4048, CVE-2013-4049 & CVE-2013-5369) ***
---------------------------------------------
Vulnerabilities have been identified in IBM Analytical Decision Management which make the product vulnerable to attacks using script injection and remote code execution.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21648929
*** Rootkit Cafe ***
---------------------------------------------
Have you ever wondered about the ads you might have seen being shown on the desktop or in the browser during web browsing sessions at Internet cafes? One of our Analysts, Wayne, certainly did. He recently analyzed a sample (SHA1: c8c643df81df5f60d5cd8cf46cb3902c5f630e96) that gave him an interesting answer. The sample was a rootkit named in its code as LanEx, though we detect it as Rootkit:W32/Sfuzuan.A. Wayne traced the sample back to an advertising company in China called 58wangwei that runs an
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002607.html
*** D-Link DIR-505 Wireless Router Security Bypass Security Issue ***
---------------------------------------------
Alessandro Di Pinto has reported a security issue in D-Link DIR-505 Wireless Router, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54752
*** Server Security Scan for WordPress ***
---------------------------------------------
Server Security Scan checks WordPress installations for unsafe PHP settings and functions, write permissions of directories, errors and error levels, and the presence of security modules. It's worth noting that the tool doesn't fix any of the found issues.
---------------------------------------------
http://news.softpedia.com/news/Security-App-of-the-Week-Server-Security-Sca…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-09-2013 18:00 − Donnerstag 12-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** NIST advises against use of random bit generator algorithm apparently backdoored by NSA ***
---------------------------------------------
"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," NIST says in a bulletin.
---------------------------------------------
http://www.fiercegovernmentit.com/story/nist-advises-against-use-random-bit…
*** Bugtraq: OWASP Zed Attack Proxy 2.2.0 ***
---------------------------------------------
This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team. It also supports Mozilla Plug-n-Hack, localization in 20 languages, various minor enhancements and lots of bug fixes.
---------------------------------------------
http://www.securityfocus.com/archive/1/528553
*** Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 6.1.0.47 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 6.1.0.47 CVE ID(s): CVE-2012-3305 CVE-2012-4853 CVE-2013-0458 CVE-2013-0461 CVE-2013-0460 CVE-2013-0459 CVE-2013-0596 CVE-2013-0541 CVE-2013-0543 CVE-2013-0462 CVE-2013-2967 CVE-2013-2976 CVE-2013-0542 CVE-2013-0544 CVE-2013-0169 CVE-2013-1768 CVE-2013-1862 CVE-2013-4005 CVE-2013-3029 CVE-2013-1896 CVE-2012-2098 CVE-2013-4053 CVE-2013-4052
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** Technical Analysis of CVE-2013-3147 ***
---------------------------------------------
In July, Microsoft released a patch for a memory-corruption vulnerability in the Internet Explorer (IE) Web browser. The vulnerability enabled remote attackers to execute arbitrary code or cause a denial of service through a crafted or compromised website — also known as …
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/09/technical-analysis-of-cve-201…
*** TYPO3 CMS 6.1.5, 6.0.10, 4.7.15 and 4.5.30 released ***
---------------------------------------------
We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.1.5, TYPO3 CMS 6.0.10, TYPO3 CMS 4.7.15 and TYPO3 CMS 4.5.30. All versions are maintenance releases and contain bug fixes. Note: The 6.1.5 and 6.0.10 releases contain important fixes for regressions which were introduced in the latest security releases (6.1.4 and 6.0.9). Releases 4.7.15 and 4.5.30 are merely bug fix releases and increase compatibility with browsers and MySQL 5.5.
---------------------------------------------
http://typo3.org/news/article/typo3-cms-615-6010-4715-and-4530-released/
*** WordPress update closes security holes ***
---------------------------------------------
With version 3.6.1 the WordPress team has released an important update for its open-source blogging software. 13 bugs and three security vulnerabilities in the recently released version 3.6 have been fixed; the developers recommend updating.
---------------------------------------------
http://www.heise.de/security/meldung/Wordpress-Update-schliesst-Sicherheits…
*** Analysis: Staying safe from virtual robbers ***
---------------------------------------------
The more popular online banking becomes, the more determined cybercriminals are to steal users’ money. How is money stolen with the help of malicious programs? How can you protect yourself from virtual robbery?
---------------------------------------------
http://www.securelist.com/en/analysis/204792304/Staying_safe_from_virtual_r…
*** Office updates get stuck in an installation loop ***
---------------------------------------------
Some of the Office patches released on the September Patch Tuesday are apparently faulty. Three of the updates get stuck in an installation loop; one leaves Outlook usable only to a limited extent.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Office-Updates-geraten-in-Installati…
*** Juniper Junos Pulse Secure Access Service / Junos Pulse Access Control Service OpenSSL Multiple Vulnerabilities ***
---------------------------------------------
Juniper Junos Pulse Secure Access Service / Junos Pulse Access Control Service OpenSSL Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54777
*** Siemens SCALANCE X-200 Web Hijack Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens has identified a Web hijack vulnerability in the SCALANCE X-200 switch product family. Researcher Eireann Leverett of IOActive coordinated disclosure of the vulnerability with Siemens. Siemens has produced a firmware update that mitigates this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS: Siemens reports that the vulnerability affects the following versions:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01
*** Firefox OS Likely to Face HTML5, Boot-to-gecko Process Attacks ***
---------------------------------------------
Excerpt: The Firefox OS, a new contender in mobile operating systems, will likely see HTML5-related attacks and assaults on a crucial operating system process, according to security vendor Trend Micro. Some mobile phone operators are already shipping devices with the Firefox OS, which comes from Mozilla, the nonprofit organization behind the Firefox desktop browser.
---------------------------------------------
http://www.cio.com/article/739475/Firefox_OS_Likely_to_Face_HTML5_Boot_to_g…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-09-2013 18:00 − Mittwoch 11-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Juniper Junos J-Web Arbitrary Command Execution Vulnerability ***
---------------------------------------------
Sense of Security has reported a vulnerability in Juniper Junos, which can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to the application not properly restricting access to /jsdm/ajax/port.php and can be exploited to execute arbitrary OS commands with root privileges.
---------------------------------------------
https://secunia.com/advisories/54731
*** Android Mobile: Following In the Windows Footsteps ***
---------------------------------------------
FireEye discovered an email spam campaign, currently ongoing, which is dropping the well-known Android malware Android FakeDefender. Looking through our DTI platform, we believe that this campaign started on the 6th of September. Vector of Propagation FireEye Labs has identified …
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/09/android-malware.html
*** BlackBerry Patches Flash, WebKit and Libexif Flaws on Mobile Devices ***
---------------------------------------------
BlackBerry issued four security advisories, patching vulnerabilities in the Z10 and Q10 smartphones and the PlayBook tablet.
---------------------------------------------
http://threatpost.com/blackberry-patches-flash-webkit-and-libexif-flaws-on-…
*** Macs need to patch too!, (Tue, Sep 10th) ***
---------------------------------------------
Our regular readers know this, but on Patch Tuesday aka Black Tuesday we get a bit wider audience and hence it's worth repeating it even more: Do not forget to also patch your Macs! E.g. a Trojan was recently discovered that targets Macs with unpatched Java flaws. See the Intego writeup. Not only that. Microsoft Office, Adobe Flash, Shockwave, Reader or Acrobat all need to get updated too. -- Swa Frantzen -- Section 66
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16544&rss
*** Investigating the Security of the Firefox OS ***
---------------------------------------------
Firefox OS is Mozilla’s foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, in particular on the Android platform, have gained momentum, the question in everyone’s mind is – how safe is it? About a month ago, Telefonica announced that it had launched the Firefox OS […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/b6Lw53NWiz4/
*** FreeBSD Network ioctl(2) Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in the FreeBSD Kernel. A local user can cause denial of service conditions. A local user may be able to obtain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1029014
*** Managed Malicious Java Applets Hosting Service Spotted in the Wild ***
---------------------------------------------
In a series of blog posts, we’ve been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns tend to largely rely on social engineering techniques, on their way to trick users into thinking that they’ve been exposed to a legitimate Java applet window. These very same malicious Java applets, continue representing a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools/attack platforms that we’ve
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/3tgS8jmgHQQ/
*** Summary for September 2013 - Version: 1.0 ***
---------------------------------------------
Among others:
- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
- Vulnerability in OLE Could Allow Remote Code Execution
- Vulnerability in Windows Theme File Could Allow Remote Code Execution
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
- Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-sep
*** Bugtraq: Synology DSM multiple vulnerabilities ***
---------------------------------------------
Synology DiskStation Manager (DSM) is a Linux-based operating system used for the DiskStation and RackStation products.
---------------------------------------------
http://www.securityfocus.com/archive/1/528543
*** Java 7u40 is out – this time no Critical Patch Update ***
---------------------------------------------
The new Java release, intended as a feature update, brings a number of security features and a tool for monitoring and profiling the JVM that is reminiscent of the former JRockit Mission Control Suite.
---------------------------------------------
http://www.heise.de/security/meldung/Java-7u40-ist-da-diesmal-kein-Critical…
*** Xen - libxl partially sets up HVM passthrough even with disabled iommu ***
---------------------------------------------
Impact: An HVM domain, given access to a device which is bus-mastering capable in the absence of a functioning IOMMU, can mount a privilege escalation or denial of service attack affecting the whole system.
---------------------------------------------
http://seclists.org/oss-sec/2013/q3/578
*** Adobe Security Bulletins Posted ***
---------------------------------------------
Today, we released the following Security Bulletins: APSB13-21 – Security updates available for Adobe Flash Player; APSB13-22 – Security updates available for Adobe Acrobat and Reader; APSB13-23 – Security updates available for Shockwave Player. Customers of the affected products should …
---------------------------------------------
http://blogs.adobe.com/psirt/2013/09/adobe-security-bulletins-posted-9.html
*** RouterOS sshd Denial of Service Vulnerability ***
---------------------------------------------
Kingcope has reported a vulnerability in RouterOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within sshd when processing requests and can be exploited to corrupt memory and subsequently cause a crash of the daemon.
---------------------------------------------
https://secunia.com/advisories/54633
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-09-2013 18:00 − Dienstag 10-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Book Review: The Practice of Network Security Monitoring ***
---------------------------------------------
benrothke writes "It has been about 8 years since my friend Richard Bejtlich's (note, that was a full disclosure my friend) last book Extrusion Detection: Security Monitoring for Internal Intrusions came out. That and his other 2 books were heavy on technical analysis and real-world solutions. Some titles only start to cover ground after about 80 pages of introduction. With this highly informative and actionable book, you are already reviewing tcpdump output at page 16. In The Practice of
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GDJ5LDb-zAY/story01.htm
*** Researchers Call for Ban on PHP SuperGlobal Variables ***
---------------------------------------------
Researchers urge developers to ban PHP SuperGlobal variables in applications. These variables are wide open to remote code execution, remote file inclusion and security bypasses.
---------------------------------------------
http://threatpost.com/researchers-call-for-ban-on-php-superglobal-variables…
*** Keeping Data Secret, Even From Apps That Use It ***
---------------------------------------------
Nervals Lobster writes "Datacenters wanting to emulate Google by encrypting their data beyond the ability of the NSA to crack it may get some help from a new encryption technique that allows data to be stored, transported and even used by applications without giving away any secrets. In a paper to be presented at a major European security conference this week, researchers from Denmark and the U.K. collaborated on a practical way to implement a long-discussed encryption concept called
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYV9IJvP0OQ/story01.htm
*** Online security: it’s in your interest! 1st European Cyber Security Month coming up in October ***
---------------------------------------------
In October 2013, the first fully-fledged European Cyber Security Month (ECSM) will take place all over Europe.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/online-security-it2019s-in-…
*** MIPS routers with entropy problems ***
---------------------------------------------
The MIPS build of Linux generates random numbers from questionable entropy values, which makes cryptographic keys easier to attack. This affects a whole range of routers for the consumer market.
---------------------------------------------
http://www.heise.de
*** iPhone 5S Phishing Mail Arrives In Time for Launch ***
---------------------------------------------
While millions of mobile users are anticipating the launch of the new iPhone (5S and 5C), cybercriminals are already making their move to distribute spam that promises to give away the said devices for free, in the guise of a contest. We saw samples of spammed messages that attempted to spoof an Apple Store email […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/zf_EldxUPaU/
*** Windows Phone 7: a look at popular apps and their data storage practices ***
---------------------------------------------
This paper looks at how popular Windows Phone 7 apps address data storage, with a focus on the platform's initial lack of data protection APIs and how that influenced the type of data kept on a user's device and the manner in which it was kept.
---------------------------------------------
https://www.isecpartners.com/media/106503/wp7_app_survey_storage.pdf
*** NSA affair: random number generators under scrutiny ***
---------------------------------------------
After it became known that the NSA built a backdoor into a random number generator published by NIST, many entropy sources are now being examined with healthy suspicion. Among them is Intel's chip-based RDRAND function under Linux.
---------------------------------------------
http://www.heise.de/security/meldung/NSA-Affaere-Generatoren-fuer-Zufallsza…
*** iPhone 5S: fingerprint scanners can be tricked ***
---------------------------------------------
Simple systems can be fooled with photocopies - experts also see problems in central databases
---------------------------------------------
http://derstandard.at/1378248579562
*** HPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). These vulnerabilities could be exploited remotely to allow SQL injection, remote code execution and session reuse.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-13:12.ifioctl ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528520
*** Bugtraq: Open-Xchange Security Advisory 2013-09-10 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528519
*** Bugtraq: Multiple vulnerabilities on D-Link Dir-505 devices ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528516
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-09-2013 18:00 − Monday 09-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Two-factor authentication at GitHub ***
---------------------------------------------
Users of the source-code host can now secure their account with an additional authentication layer. This protects GitHub projects from tampering should the credentials ever fall into the wrong hands.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Zwei-Faktor-Authentifizierung-bei-Gi…
*** Citrix CloudPortal Services Manager Multiple Flaws Have Unspecified Impact ***
---------------------------------------------
http://www.securitytracker.com/id/1028987
*** AirPort Extreme Base Station Frame Processing Bug Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028988
*** pyOpenSSL hostname check bypassing vulnerability ***
---------------------------------------------
Risk: Medium. The pyOpenSSL module implements hostname identity checks but it did not properly handle hostnames in the certificate that conta...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090061
*** John Gilmore Analyzes NSA Obstruction of Crypto In IPSEC ***
---------------------------------------------
New submitter anwyn writes "In a recent article posted on the cryptography mailing list, long-time civil libertarian and free software entrepreneur John Gilmore has analyzed possible NSA obstruction of cryptography in IPSEC. He suggests that packet processing in the Linux kernel had been obstructed by one kernel developer. Gilmore suggests that the NSA has been plotting against strong cryptography on mobile phones:"
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/KQm4nlge0-A/story01.htm
*** Prenotification: Upcoming Security Updates for Adobe Reader and Acrobat (APSB13-22) ***
---------------------------------------------
A prenotification Security Advisory has been posted in regards to upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, September 10, 2013. We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe …
---------------------------------------------
http://blogs.adobe.com/psirt/2013/09/prenotification-upcoming-security-upda…
*** Telekom: router warns of bot infection ***
---------------------------------------------
Telekom uses its own honeypots to collect data on attack scenarios and puts that data to use, for example, in router software that warns the user when his IP address is part of a botnet.
---------------------------------------------
http://www.heise.de/security/meldung/Telekom-Router-warnt-bei-Bot-Befall-19…
*** Spy Service Exposes Nigerian ‘Yahoo Boys’ ***
---------------------------------------------
A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/Bxu69w83Y0Q/
*** Scammers pop up in Android’s Calendar App ***
---------------------------------------------
Over the last couple of days, we’ve intercepted a rather interesting fraudulent approach that’s not just successfully hitting the inboxes of users internationally, but is also popping up as an event on their Android Calendar apps. How is this possible? Fairly simple. Through automatic registration — thanks to the outsourcing of the CAPTCHA solving process — fraudsters are registering thousands of bogus
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/JEYS_MitQTU/
*** No major smartphone operating system safe from US intelligence service ***
---------------------------------------------
The American intelligence agency NSA can gain access to user data on iPhones, Android smartphones and BlackBerry devices. Der Spiegel reports this, citing secret documents.
---------------------------------------------
http://www.heise.de
*** No, the NSA can't spy on arbitrary smartphone data ***
---------------------------------------------
The NSA has been exposed as evil and untrustworthy, but so has the press. The press distorts every new revelation, ignoring crucial technical details, and making it sound worse than it really is. An example is this Der Spiegel story claiming "NSA Can Spy On Smartphone Data", such as grabbing your contacts or SMS/email stored on the phone. Update: That was a teaser story; the actual story appearing tomorrow has more facts and fewer speculations than the teaser story.
---------------------------------------------
http://blog.erratasec.com/2013/09/no-nsa-cant-spy-on-smartphone-data.html
*** IBM OS/400 Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54631
*** ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates ***
---------------------------------------------
In this paper, we present ExecScent, a novel system that aims to mine new, previously unknown C&C domain names from live enterprise network traffic. ExecScent automatically learns control protocol templates (CPTs) from examples of known C&C communications. These CPTs are then adapted to the “background traffic” of the network where the templates are to be deployed. The goal is to generate hybrid templates that can self-tune to each specific deployment scenario, thus ...
---------------------------------------------
https://www.damballa.com/downloads/a_pubs/Damballa_ExecScent.pdf
*** 30-Second HTTPS Crypto Cracking Tool Released ***
---------------------------------------------
Three researchers who discovered a crypto attack that can be used to grab sensitive information from HTTPS traffic in less than 30 seconds have released a tool to help website operators see if their systems are susceptible. Details of the BREACH -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- attack were first revealed last month at the Black Hat information security conference ...
---------------------------------------------
http://www.informationweek.com/security/attacks/30-second-https-crypto-crac…
*** Vuln: Cisco Adaptive Security Appliance (ASA) Software Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62251
*** [webapps] - Moodle 2.3.9, 2.4.6 - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/28174
*** Exploring attacks against PHP applications ***
---------------------------------------------
Imperva released its September Hacker Intelligence Initiative report which presents an in-depth view of recent attacks against PHP applications, including attacks that involve the PHP “SuperGlobal” parameters, and provides further insight into the nature of hacking activities in general and the implications for the overall integrity of the World Wide Web.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15535
*** Sophos pulls out spade, fills in holes in Web Appliance ***
---------------------------------------------
Uproots root privilege route, covers it over. Sophos has pulled out the weeds in its web-scanning software after Core Security identified multiple holes in its Web Protection Appliance versions 3.8.0, 3.8.13 and 3.7.9 and earlier.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/09/sophos_patc…
*** Security experts question if Google's Chrome Apps is worth the risk ***
---------------------------------------------
Worry based on security issues with cross-platform tech such as Flash and Java, which pioneered the write once, infect everywhere model
---------------------------------------------
http://www.csoonline.com/article/739320/security-experts-question-if-google…
*** Blackout - Feature-length What-If drama exploring the effects of a devastating cyber-attack on Britain's national electricity grid ***
---------------------------------------------
Based on expert advice and meticulous research, Blackout combines real user-generated footage, alongside fictional scenes, CCTV archive and news reports to build a terrifyingly realistic account of Britain being plunged into darkness.
---------------------------------------------
http://www.channel4.com/programmes/blackout/episode-guide
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-09-2013 18:00 − Friday 06-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Advance Notification Service for September 2013 Security Bulletin Release ***
---------------------------------------------
In celebration of kids heading back to school, today we're providing advance notification for the release of 14 bulletins, four Critical and 10 Important, for September 2013. The Critical updates address issues in Internet Explorer, Outlook, SharePoint and Windows. As always, we've scheduled the bulletin release for the second Tuesday of the month, Sept. 10, 2013, at approximately 10:00 a.m. PDT. Revisit this blog then for our analysis of the risk and impact, as well as our
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/09/05/advance-notification-ser…
*** Windows 8's Picture Passwords Weaker Than Users Might Hope ***
---------------------------------------------
colinneagle writes with word of work done by researchers at Arizona State University, Delaware State University and GFS Technology Inc., who find that the multiple-picture sequence security option of Windows 8 suffers from various flaws -- some of them specific to a password system based on gestures, and some analogous to weaknesses in conventional passwords entered by keyboard. "The research found that the strength of picture gesture password has a strong connection to how long a person
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/28mhP0YmW7c/story01.htm
*** The NSA's work to make crypto worse and better ***
---------------------------------------------
Leaked documents say that the NSA has compromised encryption specs. It wasn't always this way.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/b8hGFShwJ6E/story01…
*** August 2013 Virus Activity Overview ***
---------------------------------------------
September 2, 2013. In August, Doctor Web specialists analysed a myriad of new malware. At the beginning of the month, they discovered a malicious program that compromised sites making use of popular CMSs. In the second half of August, a Trojan-Spy was found that represents a serious risk to Linux machines. Viruses: According to the statistical information collected on computers by Dr.Web CureIt!, Trojan.Loadmoney.1 became the leader among the threats identified Trojan.Hosts.6815, which in an
---------------------------------------------
http://news.drweb.com/show/?i=3885&lng=en&c=9
*** IKEd AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL ***
---------------------------------------------
Risk: Medium. Text: # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090054
*** Vuln: Citrix CloudPortal Services Manager CVE-2013-2939 Unspecified Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62236
*** Patch Tuesday: Microsoft patches 14 times, Adobe once ***
---------------------------------------------
Both Microsoft and Adobe plan to fix various problems in their software again next Tuesday. Microsoft plans to close four critical holes, one of which affects all supported versions of Internet Explorer.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Patch-Dienstag-Microsoft-flickt-14-M…
*** Cisco Jabber for Windows SSL Certificate Verification Security Issue ***
---------------------------------------------
https://secunia.com/advisories/54622
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-09-2013 18:00 − Thursday 05-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** From Typo 3 to server admin ***
---------------------------------------------
Logged-in users of Typo 3 could read configuration files and copy, delete and execute files. After the experts of SySS GmbH had reported these bugs to the developers months ago, the problems have now been fixed.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mit-Typo-3-zum-Server-Admin-1949243.…
*** AVG 2014: the most interesting part is free ***
---------------------------------------------
AVG presents version 2014 of its antivirus products. The included PrivacyFix module checks what data you reveal about yourself on social networks.
---------------------------------------------
http://www.heise.de/security/meldung/AVG-2014-Das-Interessanteste-gibts-ums…
*** Whatever Happened to Facebook Likejacking? ***
---------------------------------------------
Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed up its security - and the trend significantly declined, at least when compared to peak 2010 numbers. But you can't keep a good spammer down. Can't beat them? Join them. Today, some of the same junk which was spread via likejacking... is now spread via Facebook...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002602.html
*** Java's Losing Security Legacy ***
---------------------------------------------
Java's code-signing requirements have proven to be a bust, security researchers say, and now even longtime developers are losing faith in the programming language.
---------------------------------------------
http://threatpost.com/javas-losing-security-legacy/102176
*** Sham G20 Summit Email Carries "Split" Backdoor ***
---------------------------------------------
The upcoming G20 Summit in St. Petersburg, Russia might have already spewed several messages aimed at both common users and specific groups. A recent email we saw is only the latest in these threats. The said message is purportedly from the event's planning team and refers to a "pre-summit meeting":...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/sham-g20-summit-…
*** Easy to unmask ***
---------------------------------------------
Scientists have investigated ways to strip Tor users of their anonymity - with rather alarming results.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Tor-Benutzer-leicht-zu-enttarnen-194…
*** Blog: Obad.a Trojan now being distributed via mobile botnets ***
---------------------------------------------
In late May we reported on the details of Backdoor.AndroidOS.Obad.a, the most sophisticated mobile Trojan to date. At the time we had almost no information about how this piece of malware gets onto mobile devices. We have since been examining how the Trojan is distributed and discovered that the malware owners have...
---------------------------------------------
http://www.securelist.com/en/blog/8131/Obad_a_Trojan_now_being_distributed_…
*** Bugcrowd organizes vulnerability hunting for companies ***
---------------------------------------------
The Australian-American startup wants to make it easy for companies to set up their own bug bounty programs. Companies such as Google and Mozilla have long benefited from their own programs of this kind.
---------------------------------------------
http://www.heise.de/security/meldung/Bugcrowd-organisiert-Schwachstellensuc…
*** Don't Install The Google Authenticator For iOS Update ***
---------------------------------------------
Google today pushed an update out for Google Authenticator for iOS, the two-factor authentication companion app that makes your Google account and services where you use it to login more secure. But it's an update users will want to avoid for now, as it erases all your existing stored data and connected accounts,...
---------------------------------------------
http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-…
*** Samsung's Android devices get Knox encryption technology ***
---------------------------------------------
Samsung has equipped the first Android devices with the security technology and given first indications of which older models will receive an update.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Samsungs-Android-Geraete-bekommen-Ve…
*** Large botnet cause of recent Tor network overload ***
---------------------------------------------
Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailinglist. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war.
---------------------------------------------
http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-…
*** Linux Kernel 3.10.10 scm_check_creds() PID spoofing Privileges Escalation ***
---------------------------------------------
Risk: High. A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to gain escalated pri...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090044
*** Drupal Core CSS Selectors Allow Remote Users to Insert Hidden Text and Links to Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1028978
*** Bugtraq: Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528432
*** Symantec Endpoint Protection un-installation password bypass ***
---------------------------------------------
Risk: High. Description: A weakness has been revealed in the SEP installation that allows a user to uninstall this product w...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013090045
*** IBM WebSphere MQ Multiple Java Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54721
*** Cisco GSS Global Site Selector Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54727
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-09-2013 18:00 − Wednesday 04-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Background: browser SSL decrypted ***
---------------------------------------------
With a small trick, Firefox and Chrome store the keys they use in such a way that Wireshark can decode the data encrypted with them right away.
---------------------------------------------
http://www.heise.de/security/artikel/Browser-SSL-entschluesselt-1948431.html
*** Software Developer Says Mega Master Keys Are Retrievable ***
---------------------------------------------
hypnosec writes that software developer Michael Koziarski has released a bookmarklet "which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing
---------------------------------------------
http://yro.slashdot.org/story/13/09/03/1720223/software-developer-says-mega…
*** Cidox Trojan Spoofs HTTP Host Header to Avoid Detection ***
---------------------------------------------
Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP network pattern generated contains a few interesting parameters, with names like "&av" (for antivirus?) and "&vm=" (VMware?). The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same host
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/cidox-trojan-spoofs-http-host-header-to…
*** Styx-like Cool Exploit Kit: How It Works ***
---------------------------------------------
While the Blackhole Exploit Kit is the most well-known of the exploit kits that affect users, other exploit kits are also well known in the Russian underground. In this post, we will look at how these other kits work and how they differ from other exploit kits. One well-known Blackhole alternative is the Styx Exploit Kit.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pac…
*** Researchers: Oracle's Java Security Fails ***
---------------------------------------------
Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research shows that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracle's new security scheme actually punishes Java application developers who adhere to it.
---------------------------------------------
http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/
*** The Red Book - The SysSec Roadmap for Systems Security Research ***
---------------------------------------------
The SysSec Red Book is a Roadmap in the area of Systems Security, as prepared by the SysSec consortium and its constituency. For preparing this roadmap, a Task Force of young researchers with a proven track record in the area was assembled and collaborated with the senior researchers of SysSec. Additionally, the SysSec Community has been consulted to provide input on the contents of the roadmap.
---------------------------------------------
http://www.red-book.eu/
*** [Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army ***
---------------------------------------------
In this episode of ThreatVlog, Grayson Milbourne covers the information behind the Syrian Electronic Army's hacking of the New York Times, Twitter, and Huffington Post. Grayson includes a breakdown of the hack as well as information on how to keep your own websites protected from this malicious behavior.
---------------------------------------------
http://www.webroot.com/blog/2013/09/04/video-threatvlog-episode-3-nyt-twitt…
*** Bugtraq: SEC Consult SA-20130904-0 :: GroupLink everything HelpDesk - undocumented password reset/admin takeover and XSS vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528420
*** Samsung Galaxy S4 Polaris Viewer DOCX Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54701
*** MediaWiki Security Release ***
---------------------------------------------
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and 1.19.8. These releases fix 3 security related bugs that could affect users of MediaWiki.
---------------------------------------------
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/0001…
*** OpenVZ update for kernel ***
---------------------------------------------
https://secunia.com/advisories/54311
*** Linux Kernel PID Spoofing Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54675
*** Sixnet Universal Protocol Undocumented Function Codes (Update A) ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page. Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A
*** Tridium Niagara Vulnerabilities (Update A) ***
---------------------------------------------
OVERVIEW (Begin Update A, Part 1 of 2): This updated advisory is a follow-up to the original advisory titled ICSA-12-228-01 Tridium Niagara Multiple Vulnerabilities that was published August 15, 2012, on the ICS-CERT Web page. It is also a follow-up to ICS-ALERT-12-195-01 Tridium Niagara Directory Traversal and Weak Credential Storage Vulnerability that was published July 13, 2012, on the ICS-CERT Web page.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A
*** Cisco Mobility Services Engine Configuration Error Lets Remote Users Login Anonymously ***
---------------------------------------------
http://www.securitytracker.com/id/1028972
*** Cisco Secure Access Control System (ACS) TACACS+ Socket Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54687
*** SAP NetWeaver "ABAD0_DELETE_DERIVATION_TABLE" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54702
*** Vuln: Supermicro IPMI Web Interface Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/62094
http://www.securityfocus.com/bid/62097
http://www.securityfocus.com/bid/62098
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) ***
---------------------------------------------
CVE(s): CVE-2013-0585, CVE-2013-3034, CVE-2013-3040, and CVE-2013-0599. Affected product(s) and affected version(s): IBM InfoSphere Information Server version 9.1 running on all platforms. Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-09-2013 18:00 − Dienstag 03-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Blog: NetTraveler Is Back: The Red Star APT Returns With New Tricks ***
---------------------------------------------
NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
---------------------------------------------
http://www.securelist.com/en/blog/208214039/NetTraveler_Is_Back_The_Red_Sta…
*** 353,436 Exposed ZTE Devices Found In Net Census ***
---------------------------------------------
mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured by Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researchers' bid to supply the data in efforts to stop production of insecure devices."
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Ev4LKChpZbQ/story01.htm
*** USB keyboard hijacks the Linux kernel ***
---------------------------------------------
The memory of a Linux system can be manipulated almost arbitrarily by USB devices, as ChromeOS developer Kees Cook discovered. He also supplied a patch for the problem right away.
---------------------------------------------
http://www.heise.de/newsticker/meldung/USB-Tastatur-kapert-Linux-Kern-19475…
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
A security issue and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions, manipulate certain data, and gain escalated privileges and by malicious users to conduct script insertion attacks, bypass certain security restrictions, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54601
*** Bugtraq: PayPal's "invalid" aksession Padding Oracle Flaw ***
---------------------------------------------
The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery.
---------------------------------------------
http://www.securityfocus.com/archive/1/528403
*** [remote] - Mikrotik RouterOS sshd (ROSSSH) - Remote Preauth Heap Corruption ***
---------------------------------------------
During an audit, the Mikrotik RouterOS sshd (ROSSSH) was found to have a remote, pre-authentication heap corruption in its sshd component.
Exploitation of this vulnerability will allow full access to the router device.
---------------------------------------------
http://www.exploit-db.com/exploits/28056
*** [webapps] - TP-Link TD-W8951ND - Multiple Vulnerabilities ***
---------------------------------------------
Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923
---------------------------------------------
http://www.exploit-db.com/exploits/28055
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-08-2013 18:00 − Montag 02-09-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Njw0rm - Brother From the Same Mother ***
---------------------------------------------
FireEye Labs has discovered an intriguing new sibling of the njRAT remote access tool (RAT) that one-ups its older "brother" with a couple of diabolically clever features. Created by the same author as njRAT - a freelance coder who goes by...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-broth…
*** US Mounted 231 Offensive Cyber-operations In 2011, Runs Worldwide Botnet ***
---------------------------------------------
An anonymous reader sends this news from the Washington Post: "U.S. intelligence services carried out 231 offensive cyber-operations in 2011, the leading edge of a clandestine campaign that embraces the Internet as a theater of spying, sabotage and war, according to top-secret documents [from Edward Snowden]. Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget...
---------------------------------------------
http://yro.slashdot.org/story/13/08/31/2223212/us-mounted-231-offensive-cyb…
*** Boffins follow TOR breadcrumbs to identify users ***
---------------------------------------------
Anonymity? Fuggedaboutit! Watching TOR for months reveals true names. It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).
---------------------------------------------
http://www.theregister.co.uk/2013/09/01/tor_correlation_follows_the_breadcr…
*** Cisco IOS TCP ACK Processing Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028969
*** Cisco ASA Idle Timeout Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1028968
*** IBM WebSphere Commerce Search Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54734
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 29-08-2013 18:00 − Freitag 30-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** CoreText Font Rendering Bug Leads To iOS, OS X Exploit ***
---------------------------------------------
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText...
---------------------------------------------
http://apple.slashdot.org/story/13/08/29/155221/coretext-font-rendering-bug…
*** Cloud service as malware entry point ***
---------------------------------------------
IT security researchers have demonstrated a method that uses Dropbox and similar services to circumvent companies' security mechanisms.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Cloud-Dienst-als-Malware-Einfallstor…
*** Security researchers crack Dropbox ***
---------------------------------------------
Client decrypted - two-factor authentication can be bypassed
---------------------------------------------
http://derstandard.at/1376535110812
*** TeleGeography's Interactive Submarine Cable Map ***
---------------------------------------------
Ever want to know where all the submarine cables are that provide part of the physical infrastructure of the Internet? Or which cities in the world have the most connectivity via submarine cables? (or which regions might be single points of failure?) In doing some research I stumbled across this excellent site from the folks at TeleGeography ...
---------------------------------------------
http://www.submarinecablemap.com/
*** FinFisher range of attack tools ***
---------------------------------------------
FinFisher is a range of attack tools developed and sold by a company called Gamma Group. Recently, some FinFisher sales brochures and presentations were leaked on the net. They contain many interesting details about these tools. In the background part of the FinFisher presentation, they go on to explain how Gamma hired the (at-the-time) main developer of Backtrack Linux to build attack tools for Gamma. This is a reference to Martin Johannes Münch. They also boast how their developers have...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002601.html
*** vBulletin users warned of potential exploit ***
---------------------------------------------
The forum software's developers advise users to delete the install folder
---------------------------------------------
http://www.csoonline.com/article/738959/vbulletin-users-warned-of-potential…
*** MatrikonOPC SCADA DNP3 Master Station Improper Input Validation ***
---------------------------------------------
OVERVIEW: This updated advisory was originally posted to the US-CERT secure Portal library on August 02, 2013, and is now being released to the ICS-CERT Web page. Adam Crain of Automatak and independent researcher Chris Sistrunk have identified a buffer overflow vulnerability in MatrikonOPC’s SCADA DNP3 OPC Server application. MatrikonOPC has produced a patch that mitigates this vulnerability. The researchers tested the patch to validate that it resolves the vulnerability. This vulnerability...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-213-04A
*** Cisco Identity Services Engine Discloses Authentication Credentials to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1028965
*** IBM InfoSphere Information Server Web Console Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54698
*** Schneider Electric OFS XML External Entities Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54616
*** Cisco ASA Software TFTP Protocol Inspection Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54699
*** LibTIFF Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54628
*** VMSA-2013-0011 ***
---------------------------------------------
VMware ESXi and ESX address an NFC Protocol Unhandled Exception
---------------------------------------------
http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0011.h…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 28-08-2013 18:00 − Donnerstag 29-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Bugtraq: Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability ***
---------------------------------------------
Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/528295
*** Kelihos Relying on CBL Blacklists to Evaluate New Bots ***
---------------------------------------------
The Kelihos botnet is leveraging legitimate security services such as composite blocking lists (CBLs) to test the reliability of victim IP addresses before using them to push spam and malware.
---------------------------------------------
http://threatpost.com/kelihos-relying-on-cbl-blacklists-to-evalute-new-bots…
*** Java Native Layer Exploits Going Up ***
---------------------------------------------
Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year’s Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has […]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/--YBZ1lrFxM/
*** Cisco Secure Access Control Server EAP-FAST Authentication Flaw Lets Remote Users Execute Arbitrary Commands ***
---------------------------------------------
Cisco Secure Access Control Server EAP-FAST Authentication Flaw Lets Remote Users Execute Arbitrary Commands
---------------------------------------------
http://www.securitytracker.com/id/1028958
*** Unpatched Mac bug gives attackers “super user” status by going back in time ***
---------------------------------------------
Exploiting the five-month-old "sudo" flaw in OS X just got easier.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/r1T9FKbYWWY/story01…
*** Triangle MicroWorks Improper Input Validation ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in multiple Triangle MicroWorks’ products and third‑party components. Triangle MicroWorks has produced an update that mitigates this vulnerability. Adam Crain has tested the update to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.
AFFECTED PRODUCTS: The following Triangle MicroWorks products are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-240-01
*** Bugtraq: 30C3 Call for Participation ***
---------------------------------------------
30C3 Call for Participation
---------------------------------------------
http://www.securityfocus.com/archive/1/528298
*** Suspect Sendori software, (Thu, Aug 29th) ***
---------------------------------------------
Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180, which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause, but this download in particular goes beyond the pale. With claims that "As of
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16466&rss
*** WordPress Wordfence 3.8.1 Cross Site Scripting ***
---------------------------------------------
Topic: WordPress Wordfence 3.8.1 Cross Site Scripting Risk: Low Text: # Exploit Title: Wordpress Plugin Wordfence 3.8.1 - Cross Site Scripting # Date: 28 August 2013 # Exploit Author: Dyla...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080221
*** Google Docs Information Disclosure ***
---------------------------------------------
Topic: Google Docs Information Disclosure Risk: Medium Text: I reported this problem to Google in June but I did not get the usual reply saying they were working on it, so I guess it isn...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080224
*** Bugtraq: Drupal Node View Permissions module and Flag module Vulnerabilities ***
---------------------------------------------
Drupal Node View Permissions module and Flag module Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528310
*** Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two ***
---------------------------------------------
By Dancho Danchev The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem. Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/zWNtszZsWRs/
*** IBM InfoSphere Information Server Multiple Vulnerabilities ***
---------------------------------------------
IBM InfoSphere Information Server Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54666
*** Office 2003's burial will resurrect hacker activity ***
---------------------------------------------
The end of Microsoft's support for the popular suite come April 2014 will usher in an era of infinite zero-day attacks, analyst predicts
---------------------------------------------
http://www.csoonline.com/article/738914/office-2003-s-burial-will-resurrect…
*** [papers] - Metasploit -The Exploit Learning Tree ***
---------------------------------------------
Metasploit -The Exploit Learning Tree
---------------------------------------------
http://www.exploit-db.com/download_pdf/27935
*** Outage Analyzer - Track Web Service Outages, in Real Time ***
---------------------------------------------
Outage Analyzer lets you view internet service outages as they occur around the world. The application lists the outages that are occurring now or can provide a view of outages that have closed recently.
---------------------------------------------
http://www.compuware.com/en_us/application-performance-management/products/…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-08-2013 18:00 − Mittwoch 28-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletin: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager. ***
---------------------------------------------
IBM Tivoli Monitoring ships and uses a Java Runtime Environment (JRE). This alert addresses several vulnerabilities for the Tivoli Enterprise Portal browser JRE which might allow remote untrusted Java WebStart applications and untrusted Java applets to affect confidentiality, availability and integrity. CVE(s): CVE-2013-2467, CVE-2013-2448, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Firefox Extension HTTP Nowhere Allows Users to Browse in Encrypted-Only Mode ***
---------------------------------------------
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure [...]
---------------------------------------------
http://threatpost.com/firefox-extension-http-nowhere-allows-users-to-browse…
*** Microsoft Releases Revisions to 4 Existing Updates, (Tue, Aug 27th) ***
---------------------------------------------
Four patches have undergone significant revision according to Microsoft. The following patches were updated today by Microsoft, and are set to roll in the automatic updates: MS13-057 - Critical - https://technet.microsoft.com/security/bulletin/MS13-057 - Reason for Revision: V3.0 (August 27, 2013): Bulletin revised to rerelease security update 2803821 for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; security update 2834902 for Windows XP and Windows Server 2003;
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16448&rss
*** Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service ***
---------------------------------------------
Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1028957
*** Linux trojan analysed ***
---------------------------------------------
Avast has examined in its virus lab what is probably the first online banking trojan targeting Linux users: the developer went to great lengths to keep his baby undetected.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Erster-Banking-Trojaner-fuer-Linux-a…
*** Exploit for unpatched hole in Java 6 surfaces ***
---------------------------------------------
A tool contains code that exploits a vulnerability in Java 6 known since June. Oracle has discontinued maintenance for this version, which is nonetheless still widely in use.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Exploit-fuer-ungepatchte-Luecke-in-J…
*** Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase ***
---------------------------------------------
By Dancho Danchev We continue to observe an increase in underground market propositions for spam-ready bulletproof SMTP servers, with the cybercriminals behind them trying to differentiate their unique value proposition (UVP) in an attempt to attract more customers. Let’s profile the underground market propositions of what appears to be a novice cybercriminal offering such spam-ready […]
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/eWR3avR3M7k/
*** IBM FileNet Content Manager / Content Foundation XML Parser Denial of Service Vulnerability ***
---------------------------------------------
IBM FileNet Content Manager / Content Foundation XML Parser Denial of Service Vulnerability
---------------------------------------------
https://secunia.com/advisories/54632
*** IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54641
*** Bugtraq: Two Instagram Android App Security Vulnerabilities ***
---------------------------------------------
Two Instagram Android App Security Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528292
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 26-08-2013 18:00 − Dienstag 27-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** [Video] ThreatVlog, Episode 1: Tor and Apple exploits revealed ***
---------------------------------------------
What is Tor? Is it really secure? What about the Apple App Store approval process? Are all these applications really looked at? In today's episode, Grayson Milbourne covers the exploitation of the Tor network through Firefox and a proof of concept showing just how insecure Apple app testing can be.
---------------------------------------------
http://blog.webroot.com/2013/08/20/tor-and-apple-exploits-revealed/
*** [Video] ThreatVlog, Episode 2: Keyloggers and your privacy ***
---------------------------------------------
Commercial and black hat keyloggers can infect any device, from your PC at home to the phone in your hand. What exactly are these programs trying to steal? How can this data be used harmfully against you? And what can you do to protect all your data and devices from this malicious data gathering? In...
---------------------------------------------
http://blog.webroot.com/2013/08/26/video-threatvlog-episode-2-keyloggers-an…
*** "thereisnofatebutwhatwemake" - Turbo-charged cracking comes to long passwords ***
---------------------------------------------
Cracking really long passwords just got a whole lot faster and easier.
---------------------------------------------
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-ch…
*** Feature Phone Hack Can Block Calls, Texts On Some Networks ***
---------------------------------------------
Trailrunner7 writes, quoting Threat Post "By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium. The hack involves modifying the baseband processor on some Motorola phones and tricking some older 2G GSM networks into not delivering calls and messages. By watching the messages sent from phone towers and not delivering them
---------------------------------------------
http://it.slashdot.org/story/13/08/26/2254224/feature-phone-hack-can-block-…
*** Patch Management Guidance from NIST, (Tue, Aug 27th) ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) released a new version of its guidance on Patch Management last week, NIST SP800-40. The latest release takes a broader look at enterprise patch management than the previous version, so it is well worth the read. Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software". Additionally, Patch Management is something that is required by many of the cyber
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16445&rss
*** NSA: Hardening Tips For Mac OS X ***
---------------------------------------------
The National Security Agency (NSA) offers "Hardening Tips for Mac OS X", a tri-fold security brochure for the agency's Information Assurance Mission. It's packed with useful tips. See also: http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
---------------------------------------------
http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf
*** The SCADA That Cried Wolf: Who's Really Attacking Your ICS Devices- Part 2 ***
---------------------------------------------
Concern about ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, we noted recent findings which prove that the interest in ICS/SCADA devices as attack platforms is far from waning. We've all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-scada-that-c…
*** Malware detection for medical devices ***
---------------------------------------------
US computer scientists want to detect malware in the healthcare sector by monitoring changes in the power consumption of medical devices.
---------------------------------------------
http://www.heise.de/security/meldung/Malware-Erkennung-fuer-Medizingeraete-…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0464, CVE-2012-3325, and CVE-2011-4858 Affected product(s) and affected version(s): IBM Notes and Domino 9.0 IBM Notes and Domino 8.5.x IBM Notes and...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Notes & Domino fixes for multiple vulnerabilities in IBM JRE ***
---------------------------------------------
IBM Notes and Domino are vulnerable to multiple attacks listed in the Oracle Java SE Critical Patch Update Advisories (February, April and June 2013) as well as miscellaneous client-side attacks listed below. The repaired IBM JRE is available in Notes and Domino 8.5.3 Fix Pack 5 and is also planned for Notes and Domino 9.0.1. CVE(s): CVE-2013-0809, CVE-2013-1493, CVE-2013-3012, CVE-2013-3011, CVE-2013-3010, CVE-2013-3009, CVE-2013-3008, CVE-2013-3007, CVE-2013-3006, CVE-2013-2455, and
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS) (CVE-2013-0467) ***
---------------------------------------------
IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS). This vulnerability could allow a remote attacker to obtain the source code of the Help System.
CVE(s): CVE-2013-0467
Affected product(s) and affected version(s): IBM Security SiteProtector System: 2.8.1 and 2.9
Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21647392
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Security Bulletin: IBM Content Collector - Eclipse Help System Cross Site Scripting Vulnerability (CVE-2013-0464) ***
---------------------------------------------
A Cross-Site Scripting vulnerability exists in IBM Eclipse Help System, a component bundled with IBM Content Collector, which is used to display the IBM Content Collector help content.
CVE(s): CVE-2013-0464
Affected product(s) and affected version(s): IBM Content Collector 3.0
Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21646473 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM Lotus iNotes Input Validation Flaws Permit Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1028954
*** Sixnet Universal Protocol Undocumented Function Codes ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page. Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A
*** RoundCube Webmail Edit Email Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54536
*** IBM DB2 / DB2 Connect Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54644
*** Atlassian 4.x Confluence Sensitive Information Leakage ***
---------------------------------------------
Topic: Atlassian 4.x Confluence Sensitive Information Leakage Risk: Low Text: Since the vendor does not seem to care about this issue more than a year after the initial report (https://jira.atlassian.com/browse/C...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080213
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 23-08-2013 18:00 − Montag 26-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Mozilla and Chrome raise requirements for certificates ***
---------------------------------------------
In future, the two free browsers will no longer accept SSL certificates with particularly long validity periods. However, the changes affect only relatively few servers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mozilla-und-Chrome-erhoehen-Anforder…
*** EU data-breach notification requirement comes into force ***
---------------------------------------------
Effective immediately, communications companies must report within 24 hours when a data protection breach involving unsecured or insufficiently secured personal data has occurred. In some cases the affected persons must also be informed.
---------------------------------------------
http://futurezone.at/netzpolitik/17910-eu-meldepflicht-bei-datenklau-tritt-…
*** RealPlayer Two Vulnerabilities ***
---------------------------------------------
1) An error when handling filenames in RMP can be exploited to cause a stack-based buffer overflow.
2) An error when parsing RealMedia files can be exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary code.
---------------------------------------------
https://secunia.com/advisories/54621
*** OpenSSL produces the same random numbers too often ***
---------------------------------------------
Under certain conditions, the random number generator of the free crypto library returns the same numbers within a relatively short interval. It has not yet been decided whether the OpenSSL developers or OpenSSL users will have to change their code.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-erzeugt-zu-oft-den-gleichen-Zu…
*** IBM WebSphere Commerce Tools Pages Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM WebSphere Commerce Tools Pages Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54643
*** IBM Tivoli Workload Scheduler OpenSSL Multiple Vulnerabilities ***
---------------------------------------------
IBM Tivoli Workload Scheduler OpenSSL Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54655
*** IBM Lotus iNotes Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
IBM Lotus iNotes Multiple Cross-Site Scripting Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54645
*** Cacti Script Insertion and SQL Injection Vulnerabilities ***
---------------------------------------------
Cacti Script Insertion and SQL Injection Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54531
*** Bugtraq: Wordpress post-gallery Plugin Xss vulnerabilities ***
---------------------------------------------
Wordpress post-gallery Plugin Xss vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/528243
*** [remote] - Belkin G Wireless Router Firmware 5.00.12 - RCE PoC ***
---------------------------------------------
Belkin G Wireless Router Firmware 5.00.12 - RCE PoC
---------------------------------------------
http://www.exploit-db.com/exploits/27873
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 22-08-2013 18:00 − Friday 23-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Top Server OPC Improper Input Validation Vulnerability ***
---------------------------------------------
OVERVIEW: Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the Software Toolbox TOP Server DNP Master OPC product. Software Toolbox has produced a new version that mitigates this vulnerability. The researchers have tested the new version to validate that it resolves the vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS: The following Software Toolbox products are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-234-02
*** Read of the Week: A Fuzzy Future in Malware Research, (Thu, Aug 22nd) ***
---------------------------------------------
The August 2013 ISSA Journal includes an excellent read from Ken Dunham: A Fuzzy Future in Malware Research. Ken is a SANS veteran (GCFA Gold, GREM Gold, GCIH Gold, GSEC, GCIA) who spends a good bit of his time researching, writing and presenting on malware-related topics. From Ken's abstract: "Traditional static analysis and identification measures for malware are changing, including the use of fuzzy hashes which offers a new way to find possible related malware samples on a computer or
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16427
*** How Exploit Kits Dodge Security Vendors and Researchers ***
---------------------------------------------
Websites with exploit kits are one thing that security vendors and researchers frequently try to look into, so it shouldn't be a surprise that attackers have gone to some length to specifically dodge the good guys. How do they do it? The most basic method used by attackers is an IP blacklist. Just like security...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qf9ZXjwNgn0/
*** How Can Social Engineering Training Work Effectively? ***
---------------------------------------------
One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 to give up bits of information. These are the sort of social engineering attacks that give security professionals...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/D-0-ZRv5fSY/
*** Alleged Adobe Reader exploit probably a fake ***
---------------------------------------------
Evidence is mounting that the critical security hole said to be gaping in the current Reader version does not exist at all.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Angeblicher-Adobe-Reader-Exploit-ver…
*** Pixel Perfect Timing Attacks with HTML5 ***
---------------------------------------------
"This paper describes a number of timing attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross-origin restrictions. The new requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data."
---------------------------------------------
http://contextis.co.uk/files/Browser_Timing_Attacks.pdf
*** BSI: Despite "critical aspects", no warning against Windows 8 ***
---------------------------------------------
In a statement, the Federal Office clarifies that it has no fundamental security concerns about the use of Windows 8 and Trusted Computing. The BSI does, however, criticize certain aspects of the operating system.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Setuid problems on Debian derivatives ***
---------------------------------------------
A sloppily programmed setuid tool from the VMware package hands out root privileges; but the causes run deeper.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Setuid-Probleme-auf-Debian-Abkoemmli…
https://secunia.com/advisories/54580
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-08-2013 18:00 − Thursday 22-08-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** If you ever use text VTs, don't run XMir right now ***
---------------------------------------------
It'd be easy to assume that in a Mir-based world, the Mir server receives input events and hands them over to Mir clients. In fact, as I described here, XMir uses standard Xorg input drivers and so receives all input events directly. This led to issues like the duplicate mouse pointer seen in earlier versions of XMir - as well as the pointer being drawn by XMir, Mir was drawing its own pointer. But there are also some more subtle issues. Mir recently gained a fairly simple implementation of VT...
---------------------------------------------
http://mjg59.dreamwidth.org/27327.html
*** Jumping Out of IE's Sandbox With One Click ***
---------------------------------------------
Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft's August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security [...]
---------------------------------------------
http://threatpost.com/jumping-out-of-ies-sandbox-with-one-click/102054
*** BSI: Despite "critical aspects", no warning against Windows 8 ***
---------------------------------------------
In a statement, the Federal Office clarifies that it has no fundamental security concerns about the use of Windows 8 and Trusted Computing. The BSI does, however, criticize certain aspects of the operating system.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Trotz-kritischer-Aspekte-keine-War…
*** Siemens COMOS Privilege Escalation Vulnerability ***
---------------------------------------------
OVERVIEW: Siemens has notified ICS-CERT of a privilege escalation vulnerability in the Siemens COMOS database application. Siemens has produced a patch that mitigates this vulnerability. AFFECTED PRODUCTS: The following Siemens COMOS versions are affected:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-233-01
*** Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MySQL Debian/Ubuntu Installation Script Lets Local Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1028927
*** Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting ***
---------------------------------------------
Topic: Hotel Software and Booking system 1.8 SQL Injection & Cross Site Scripting Risk: Medium Text: # Exploit Title: Hotel Software and Booking system 1.8 - SQL Injection / Cross Site Scripting # Date: 21 de A...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080175
*** Drupal Zen 7.x Cross Site Scripting ***
---------------------------------------------
Topic: Drupal Zen 7.x Cross Site Scripting Risk: Low Text:View online: https://drupal.org/node/2071157 * Advisory ID: DRUPAL-SA-CONTRIB-2013-070 * Project: Zen [1] (third-party ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080180
*** Debian update for cacti ***
---------------------------------------------
https://secunia.com/advisories/54181
*** Multiple NetGear ProSafe Switches CVE-2013-4776 Remote Denial of Service Vulnerability ***
---------------------------------------------
A range of ProSafe switches are affected by two different vulnerabilities. CVE-2013-4775: Unauthenticated startup-config disclosure. CVE-2013-4776: Denial of Service vulne...
---------------------------------------------
http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2…
*** [webapps] - Netgear ProSafe - Denial of Service Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27775
*** [webapps] - Netgear ProSafe - Information Disclosure Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/27774
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 20-08-2013 18:00 − Wednesday 21-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Hacker apparently harvests Twitter credentials ***
---------------------------------------------
A hacker has apparently gained access to login data of the short message service Twitter. The attacker, who calls himself Mauritania Hacker, on Tuesday published purported details on more than 15,000 Twitter accounts.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-greift-offenbar-Zugangsdaten-fu…
*** Poison Ivy: Assessing Damage and Extracting Intelligence ***
---------------------------------------------
Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivy-assessin…
*** Measuring Entropy and its Applications to Encryption ***
---------------------------------------------
There have been a bunch of articles about an information theory paper with vaguely sensational headlines like "Encryption is less secure than we thought" and "Research shakes crypto foundations." It's actually not that bad. Basically, the researchers argue that the traditional measurement of Shannon entropy isn't the right model to use for cryptography, and that minimum entropy is. This difference may...
---------------------------------------------
http://www.schneier.com/blog/archives/2013/08/measuring_entro.html
*** Security researcher: zero-day vulnerability in Adobe Reader ***
---------------------------------------------
The current version of Adobe Reader is said to contain a critical vulnerability that allows attackers to place malicious code in PDF documents. The code is executed as soon as the document is opened.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsforscher-Zero-Day-Luecke-im…
*** Gpg4win 2.2 encrypts e-mails and files ***
---------------------------------------------
The new version 2.2 of the GnuPG distribution for Windows supports Outlook 2010 and 2013. The encryption plug-in for Windows Explorer is now also included in a 64-bit version.
---------------------------------------------
http://www.heise.de/security/meldung/Gpg4win-2-2-verschluesselt-E-Mails-und…
*** Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.7 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 8.0.0.7 CVE(s): CVE-2013-2967, CVE-2013-2976, CVE-2013-4004, CVE-2013-0169, CVE-2013-0597, CVE-2013-1768, CVE-2013-1862, CVE-2013-4005, CVE-2013-3029, CVE-2013-1896, and CVE-2012-2098 Affected product(s) and affected version(s): The following IBM WebSphere Application Server Versions are affected: Version 8.5 Version 8 Version 7 Version 6.1 OSGi Applications and JPA Feature Pack EJB 3.0
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pot…
*** RSA Authentication Agent for PAM Allows Remote Users to Make Unlimited Login Attempts ***
---------------------------------------------
http://www.securitytracker.com/id/1028930
*** IBM WebSphere Portal Unspecified Bug Lets Remote Users Access User Directories ***
---------------------------------------------
http://www.securitytracker.com/id/1028933
*** McAfee Email Gateway Email Processing "ws_inv-smtp" Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54486
*** PHP OpenID XRDS Processing XML External Entities Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54542
*** Multiple Vulnerabilities in Cisco Unified Communications Manager ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 19-08-2013 18:00 − Tuesday 20-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Sunshop Campaign Continues ***
---------------------------------------------
We recently detected what we believe is a continuation of the Sunshop campaign that we first revealed on May 20, 2013. This follow-on to the Sunshop campaign started on July 17, 2013. In this latest wave the attackers inserted malicious...
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-ca…
*** FuzzDB helps with security testing of web applications ***
---------------------------------------------
FuzzDB comprises attack patterns, a pre-sorted collection of known log files, administration directories, regular expressions for evaluating the responses of attacked servers, and documentation material.
---------------------------------------------
http://www.heise.de/security/meldung/FuzzDB-hilft-bei-Sicherheitstests-von-…
*** Network scanner nmap refreshed ***
---------------------------------------------
Besides numerous extensions, nmap version 6.4 brings a Lua binding for ncat.
---------------------------------------------
http://www.heise.de/security/meldung/Netzwerkscanner-nmap-aufgefrischt-1938…
*** Can KINS Be The Next ZeuS? ***
---------------------------------------------
Malware targeting online banking sites naturally causes alarm among users, as they are designed to steal not only information but also money from its users. Thus it is no surprise that the surfacing of KINS, peddled as 'professional-grade banking Trojan' in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/can-kins-be-the-…
*** Microsoft Reissues MS13-066 Windows Server Patch ***
---------------------------------------------
Microsoft has re-released one of the August security patches for Windows Server 2008 in order to fix a regression issue that would cause some servers to stop working. The MS13-066 patch was released again Monday after Microsoft discovered the problem last week. The patch in the MS13-066 update fixes a vulnerability in Active Directory Federation Services [...]
---------------------------------------------
http://threatpost.com/microsoft-reissues-ms13-066-windows-server-patch/1020…
*** Security Bulletin: Cross Site Scripting vulnerabilities in themes of WebSphere Portal (CVE-2013-0587) ***
---------------------------------------------
Several spots in themes of WebSphere Portal have been identified to be vulnerable to Cross Site Scripting (XSS). CVE(s): CVE-2013-0587 Affected product(s) and affected version(s): WebSphere Portal Version 6.1.0.x WebSphere Portal Version 6.1.5.x WebSphere Portal Version 7.0.0.x WebSphere Portal Version 8.0.0.x Refer to the following...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_cro…
*** Sixnet Universal Protocol Undocumented Function Codes ***
---------------------------------------------
OVERVIEW: Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS:...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01
*** HPSBUX02922 SSRT101305 rev.1 - HP-UX Running Java5 Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in Java5 Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_…
*** HPSBMU02902 rev.2 - HP Integrated Lights-Out iLO3, iLO4, and iLO CM IPMI, Cipher Suite 0 Authentication Bypass Vulnerability ***
---------------------------------------------
A potential security vulnerability has been identified with HP Integrated Lights-Out iLO3, iLO4, and iLO CM IPMI. The vulnerability could allow authentication bypass.
---------------------------------------------
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_…
*** Bugtraq: Multiple vulnerabilities on Sitecom N300/N600 devices ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528093
*** IBM HTTP Server Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54560
*** FFmpeg Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54389
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 16-08-2013 18:00 − Monday 19-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Filtering Signal From Noise, (Fri, Aug 16th) ***
---------------------------------------------
We have used the term "internet background radiation" more than once to describe things like SSH scans. Like cosmic background radiation, it's easy to consider it noise, but one can find signals buried within it, with enough time and filtering. I wanted to take a look at our SSH scan data and see if we couldn't tease out anything useful or interesting. First Visualization: I used the DShield API to pull this year's port 22 data (https://isc.sans.edu/api/ for more details on our API.)
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16385&rss
*** Vulnerability in the BIOS of some Dell devices ***
---------------------------------------------
Dell has released BIOS updates for a number of older systems in the Latitude and Precision series. Because of a potential buffer overflow in the BIOS, unsigned firmware can be slipped onto the devices.
---------------------------------------------
http://www.heise.de/security/meldung/Schwachstelle-im-BIOS-einiger-Dell-Ger…
*** A Closer Look: Perkele Android Malware Kit ***
---------------------------------------------
In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we'll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using Perkele to fleece banks and their customers.
---------------------------------------------
http://krebsonsecurity.com/2013/08/a-closer-look-perkele-android-malware-ki…
*** HP says goodbye to the Java interface ***
---------------------------------------------
During a routine check of one of our HP ProCurve switches we made a pleasant discovery. HP started a while ago to replace its Java configuration interfaces and uses HTML instead. But not all switches get an HTML update.
---------------------------------------------
http://www.golem.de/news/procurve-hp-verabschiedet-sich-vom-java-interface-…
*** DIY automatic cybercrime-friendly 'redirectors generating' service spotted in the wild ***
---------------------------------------------
By Dancho Danchev Redirectors are a popular tactic used by cybercriminals on their way to trick Web filtering solutions. And just as we've seen in virtually every segment of the underground marketplace, demand always meets supply. A newly launched, DIY 'redirectors' generating service, aims to make it easier for cybercriminals to hide the true intentions...
---------------------------------------------
http://blog.webroot.com/2013/08/19/diy-automatic-cybercrime-friendly-redire…
*** whistle.im: FaaS - Fuckup as a Service ***
---------------------------------------------
At first glance the project may seem sensible: end-to-end encryption, "Our cryptography is open source - contributors welcome!", use of SSL, RSA, AES. But if you look a little deeper into the project, you quickly notice that it consists more of hollow phrases than of approaches that have been examined with any technical or subject expertise.
---------------------------------------------
http://hannover.ccc.de/~nexus/whistle.html
*** Analysis: Anti-decompiling techniques in malicious Java Applets ***
---------------------------------------------
Step 1: How this started. While I was investigating the Trojan.JS.Iframe.aeq case (see blogpost) one of the files dropped by the Exploit Kit was an Applet exploiting a vulnerability: document.write(<applet ...
---------------------------------------------
http://www.securelist.com/en/analysis/204792300/Anti_decompiling_techniques…
*** The Cryptopocalypse ***
---------------------------------------------
There was a presentation at Black Hat last month warning us of a "factoring cryptopocalypse": a moment when factoring numbers and solving the discrete log problem become easy, and both RSA and DH break. This presentation was provocative, and has generated a lot of commentary, but I don't see any reason to worry. Yes, breaking modern public-key cryptosystems has gotten...
---------------------------------------------
http://www.schneier.com/blog/archives/2013/08/the_cryptopocal.html
*** The Risk of Running Windows XP After Support Ends April 2014 ***
---------------------------------------------
Back in April I published a post about the end of support for Windows XP called The Countdown Begins: Support for Windows XP Ends on April 8, 2014. Since then, many of the customers I have talked to have moved, or are in the process of moving, their organizations from Windows XP to modern operating systems like Windows 7 or Windows 8.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-…
*** Here's what you find when you scan the entire Internet in an hour ***
---------------------------------------------
Until recently, scanning the entire Internet, with its billions of unique addresses, was a slow and labor-intensive process. For example, in 2010 the Electronic Frontier Foundation conducted a scan to gather data on the use of encryption online. The process took two to three months.
---------------------------------------------
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/18/heres-what-you…
*** 2013-08 Security Bulletin: Network and Security Manager: DoS due to repeated SSL session renegotiations (CVE-2011-1473) ***
---------------------------------------------
A vulnerability has been reported against virtually all versions of OpenSSL stating that client-initiated renegotiation is not properly restricted within the SSL and TLS protocols. This might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. Some network services in Network and Security Manager (NSM) utilizing SSL/TLS were found vulnerable to this issue.
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10584
*** IBM Notes / Domino Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54574
*** Django "is_safe_url()" Cross-Site Scripting and "URLField" Script Insertion Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54476
*** PHP SSL Client Certificate Verification and Session Fixation Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54562
*** Yafuoku! / Yahoo! Shopping Certificate Verification Security Issue ***
---------------------------------------------
https://secunia.com/advisories/54551
*** [webapps] - Copy to WebDAV v1.1 iOS - Multiple Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/27655
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 14-08-2013 18:00 − Friday 16-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Microsoft Starts Countdown on Eliminating MD5 ***
---------------------------------------------
Microsoft has given customers six months to find MD5 installations and prepare for a February 2014 patch that will block the broken algorithm.
---------------------------------------------
http://threatpost.com/microsoft-starts-countdown-on-eliminating-md5/101994
*** Microsoft Pulls Back Critical Exchange Server 2013 Patch ***
---------------------------------------------
Microsoft has pulled back MS13-061, a critical patch released yesterday for Exchange Server 2013 because it breaks indexing on the messaging server.
---------------------------------------------
http://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-pa…
*** Hackers targeting servers running Apache Struts applications, researchers say ***
---------------------------------------------
A tool for exploiting known Struts vulnerabilities is available on Chinese hacker forums, Trend Micro researchers said
---------------------------------------------
http://www.csoonline.com/article/738134/hackers-targeting-servers-running-a…
*** Android's encryption vulnerable ***
---------------------------------------------
A weakness in Android's crypto libraries potentially affects hundreds of thousands of Android applications. The bug produces weak random numbers and has already been used by criminals to steal Bitcoins.
---------------------------------------------
http://www.heise.de/security/meldung/Androids-Verschluesselung-angreifbar-1…
*** Personalized Exploit Kit Targets Researchers ***
---------------------------------------------
As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they're being sloppy when in fact they're trying to trick security researchers into being sloppy and infecting their computers with malware.
---------------------------------------------
https://krebsonsecurity.com/2013/08/personalized-exploit-kit-targets-resear…
*** Spread of Android malware increases markedly, but ... ***
---------------------------------------------
In the second quarter of this year the antivirus company Kaspersky spotted twice as many new Android malware samples as in the same quarter of the previous year. That is, however, no reason to panic.
---------------------------------------------
http://www.heise.de/security/meldung/Verbreitung-von-Android-Malware-nimmt-…
*** Targeted Attacks Delivering Fruit ***
---------------------------------------------
Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.
---------------------------------------------
http://www.symantec.com/connect/blogs/targeted-attacks-delivering-fruit
*** Researchers figure out how to hack tens of thousands of servers ***
---------------------------------------------
Security researchers at the University of Michigan have found a potentially devastating security vulnerability that afflicts at least 40,000 servers on the Internet. The researchers say the flaw could allow hackers to compromise certain servers manufactured by Supermicro from anywhere on the Internet. Tens of thousands of servers produced by other vendors could also be at risk.
---------------------------------------------
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-fi…
*** Background: Remote shell for the SD card ***
---------------------------------------------
Hardly anything is too small to be hacked: a blogger has managed to gain root access to the embedded system of a Wi-Fi-capable memory card.
---------------------------------------------
http://www.heise.de/security/artikel/Remote-Shell-fuer-die-SD-Karte-1933994…
*** Drupal Entity API Module Two Security Bypass Security Issues ***
---------------------------------------------
https://secunia.com/advisories/54481
*** Vuln: Dovecot LIST Command Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61763
*** Drupal 7.22 / 6.28 Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080126
*** Joomla Media Manager File Upload Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080120
*** TYPO3 File Upload Flaw Lets Remote Authenticated Users Execute Arbitrary PHP Code ***
---------------------------------------------
http://www.securitytracker.com/id/1028919
*** Bugtraq: Open-Xchange Security Advisory 2013-08-16 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528046
*** Bugtraq: Update: Linksys EA2700, EA3500, E4200v2, EA4500 Unspecified unauthenticated remote access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528045
*** Puppet "resource_type" Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54564
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 13-08-2013 18:00 − Wednesday 14-08-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Start isolating critical XP systems now, experts warn ***
---------------------------------------------
Lack of updates after April 8, 2014 adds security complications for companies, retailers running specialty software dependent on XP
---------------------------------------------
http://www.csoonline.com/article/738085/start-isolating-critical-xp-systems…
*** Security Bulletin: Tivoli Workload Scheduler Distributed and Tivoli Workload Scheduler for Applications Openssl Multiple Vulnerabilities ***
---------------------------------------------
OpenSSL versions prior to 1.0.0 do not follow best security practices and need to upgrade. CVE(s): CVE-2013-0169 CVE-2013-0166 CVE-2012-2686 CVE-2012-2131 CVE-2012-2110 CVE-2012-0884 CVE-2012-0050 CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2011-3210 CVE-2011-0014 CVE-2010-3864 Affected product(s) and affected version(s): Tivoli
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
*** Python SSL module NULL bytes spoofing ***
---------------------------------------------
Python SSL module NULL bytes spoofing
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86383
*** BIND Vulnerability Enables DNS Cache Poisoning Attack ***
---------------------------------------------
A vulnerability in the BIND domain name system (DNS) software could give an attacker the ability to easily and reliably control queried name servers chosen by the most widely deployed DNS software on the Internet, according to new research presented at the Woot Conference in Washington D.C. today.
---------------------------------------------
http://threatpost.com/bind-vulnerablilty-enables-dns-cache-poisoning-attack…
*** Apache Struts2 2.3.15 OGNL Injection ***
---------------------------------------------
Topic: Apache Struts2 2.3.15 OGNL Injection Risk: Medium Text: CVE Number: CVE-2013-2251 Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability Affected Softw...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080115
*** DotNetNuke (DNN) Cross-Site Scripting Vulnerability ***
---------------------------------------------
Topic: DotNetNuke (DNN) Cross-Site Scripting Vulnerability Risk: Low Text: Title: DotNetNuke (DNN) Cross-Site Scripting Vulnerability References: CVE-2013-4649 Discovered by: Sajjad Pourali, Nasser S...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080113
*** Vuln: TYPO3 Static Methods since 2007 Extension Unspecified Cross Site Scripting Vulnerability ***
---------------------------------------------
TYPO3 Static Methods since 2007 Extension Unspecified Cross Site Scripting Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/57288
*** Hole plugged ***
---------------------------------------------
Finally there is a security update for the Saia-Burgess control systems and their vulnerability.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Kritisches-Sicherheitsupdate-fuer-20…
*** Summary for August 2013 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for August 2013.
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-aug
*** The August patches ***
---------------------------------------------
Microsoft has released eight patch packages that are meant to close a total of 23 vulnerabilities.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsofts-August-Patches-und-die-Ru…
*** Bugtraq: Subverting BIND's SRTT Algorithm: Derandomizing NS Selection ***
---------------------------------------------
Subverting BIND's SRTT Algorithm: Derandomizing NS Selection
---------------------------------------------
http://www.securityfocus.com/archive/1/528013
*** Chinese Underground Creates Tool Exploiting Apache Struts Vulnerability ***
---------------------------------------------
About a month ago, the Apache Software Foundation released Struts 2.3.15.1, an update to the popular Java Web application development framework. The patch was released because vulnerabilities in older versions of Struts could allow attackers to run arbitrary code on vulnerable servers. Since then, we've found that hackers in the Chinese underground have created an [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/LkrHQVJNU9U/
*** OSIsoft PI Interface for IEEE C37.118 Configuration Packets Processing Denial of Service Vulnerability ***
---------------------------------------------
OSIsoft PI Interface for IEEE C37.118 Configuration Packets Processing Denial of Service Vulnerability
---------------------------------------------
https://secunia.com/advisories/54498
*** .GOV zones may not resolve due to DNSSEC problems., (Wed, Aug 14th) ***
---------------------------------------------
Currently, many users are reporting that .gov domain names (e.g. fbi.gov) will not resolve. The problem appears to be related to an error in the DNSSEC configuration of the .gov zone. According to a quick check with dnsviz.net, it appears that there is no DS record for the current .gov ZSK deposited with the root zone. (excerpt from: http://dnsviz.net/d/fbi.gov/dnssec/) DNSSEC relies on two types of keys each zone uses: - A "key signing key" (KSK) and - A "zone signing
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16367&rss
*** cPanel Multiple Vulnerabilities ***
---------------------------------------------
cPanel Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54455
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 12-08-2013 18:00 − Tuesday 13-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Blaster - 3654 Days Later ***
---------------------------------------------
Yesterday was Blaster's 10th anniversary. Do you remember where you were on August 11, 2003? Numerous organizations, including several banks and airlines, suffered serious disruptions because of Blaster, which caused affected computers to reboot continuously. Can you imagine the difficulties that would cause today?
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002587.html
*** Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity ***
---------------------------------------------
By Dancho Danchev. Throughout the last couple of years, the persistent demand for geolocated traffic coming from both legitimate traffic exchanges or purely malicious ones - think traffic acquisition through illegally embedded iFrames - has been contributing to the growing market segment where traffic is bought, sold and re-sold, ...
---------------------------------------------
http://blog.webroot.com/2013/08/13/cybercrime-friendly-underground-traffic-…
*** Attacker's Toolbox Makes Malware Detection More Difficult ***
---------------------------------------------
Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Putting malware to sleep, waiting for a user to click, or looking for the hallmarks of a virtual machine can set off warning bells and cause a malicious program to cease running, making analysis difficult at best.
---------------------------------------------
http://www.darkreading.com/monitoring/attackers-toolbox-makes-malware-detec…
*** Researchers demonstrate how IPv6 can easily be used to perform MitM attacks ***
---------------------------------------------
Many devices simply waiting for router advertisements, good or evil. When early last year I was doing research for an article on IPv6 and security, I was surprised to learn how easy it was to set up an IPv6 tunnel into an IPv4-only environment.
---------------------------------------------
http://www.virusbtn.com/blog/2013/08_12.xml
*** Joomla Patches Zero Day Targeting EMEA Banks ***
---------------------------------------------
Content management system Joomla patched a zero-day vulnerability that allowed attackers to upload malicious code that led victims to the Blackhole exploit kit.
---------------------------------------------
http://threatpost.com/joomla-patches-zero-day-targeting-emea-banks/101976
*** WordPress All-in-One Event Calendar Plugin Script Insertion and SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54038
*** HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080109
*** IBM HTTP Server mod_rewrite Arbitrary Command Execution Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54497
*** Juniper Network and Security Manager Apache Axis2 Security Issue and Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54454
*** Dovecot POP3 "LIST" Command Handling Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54438
*** Debian Security Advisory DSA-2737 swift ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2737
*** IBM Advanced Management Module Cross-Site Scripting (XSS) ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080103
*** Ajax PHP Penny Auction 1.x 2.x multiple Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080104
*** Python SSL Module "subjectAltNames" NULL Byte Handling Security Issue ***
---------------------------------------------
https://secunia.com/advisories/54393
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 09-08-2013 18:00 − Monday 12-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** BYOD Gives Vulnerable Devices Corporate Network Access ***
---------------------------------------------
A research report on mobile security reveals that while BYOD policies may increase employee productivity, they also increase the number of vulnerable devices connecting to corporate networks.
---------------------------------------------
http://threatpost.com/byod-gives-vulnerable-devices-corporate-network-acces…
*** HP Switches? You may want to look at patching them. , (Fri, Aug 9th) ***
---------------------------------------------
A little over a week ago HP (Thanks for the link Ugo) put out a fix for an unspecified vulnerability on, as far as I can see, pretty much every switch device they produce. Both their Procurve as well as the 3COM ranges. CVE-2013-2341 CVSS Score of 7.1 and CVE-2013-2340 CVSS Score of 10. The first one requiring authentication, the second one none and both are remotely exploitable.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16340&rss
*** Admins warned: Drill SSL knowledge into your Chrome users ***
---------------------------------------------
Google research finds whopping SSL click-through rates. Admins of Chrome shops unite: your users are dabbling with dodgy SSL, and you must teach them how to be safer online until Google updates its browser.
---------------------------------------------
http://www.theregister.co.uk/2013/08/10/chrome_ssl_clickthrough_report/
*** Android bug batters Bitcoin wallets ***
---------------------------------------------
Users of Android Bitcoin apps have woken to the unpleasant news that an old pseudo random number generation bug has been exploited to steal balances from users' wallets.
---------------------------------------------
http://www.theregister.co.uk/2013/08/12/android_bug_batters_bitcoin_wallets/
*** Maltego Tungsten as a collaborative attack platform ***
---------------------------------------------
Maltego has always been a strong favorite for pre-attack intelligence gathering - be that for social engineering, doxing or for infrastructure mapping. Indeed it's earned its rightful place in the Kali Linux top 10 tools.
---------------------------------------------
https://media.blackhat.com/us-13/US-13-Temmingh-Maltego-Tungsten-as-a-Colla…
*** Newly launched managed 'malware dropping' service spotted in the wild ***
---------------------------------------------
By Dancho Danchev. Among the most common misconceptions about the way a novice cybercriminal would approach his potential victims has to do with the practice of having him looking for a 'seed' population to infect, so that he can then use the initially infected users as a platform to scale his campaign.
---------------------------------------------
http://blog.webroot.com/2013/08/12/newly-launched-managed-malware-dropping-…
*** Blog: Visit from an old friend: Counter.php ***
---------------------------------------------
Around one year ago I posted about what were the most common web attacks in Spain and how the malware was spread. It is time for an update!
---------------------------------------------
http://www.securelist.com/en/blog/9151/Visit_from_an_old_friend_Counter_php
*** New Attack Leverages Mobile Ad Network to Deliver Android Malware ***
---------------------------------------------
Ad networks have been a key component of the malware and cybercrime ecosystem for a long time and their role is becoming more and more complicated, as researchers from WhiteHat Security showed at Black Hat recently. That problem is now moving to the mobile Web, ...
---------------------------------------------
http://threatpost.com/new-attack-leverages-mobile-ad-network-to-deliver-and…
*** Security update for HP LaserJet Pro printers ***
---------------------------------------------
Hewlett Packard has closed a vulnerability in many of its laser printers through which the admin password could be obtained without authentication.
---------------------------------------------
http://www.heise.de/security/meldung/Sicherheitsupdate-fuer-HP-Drucker-der-…
*** Simple Hack Threatens Outdated Joomla Sites ***
---------------------------------------------
If you run a site powered by the Joomla content management system and haven't yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors.
---------------------------------------------
https://krebsonsecurity.com/2013/08/simple-hack-threatens-oudated-joomla-si…
*** AnchorCMS 0.9.1 Stored XSS exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080092
*** ReviewBoard XSS Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080093
*** Cacti Input Validation Flaw Lets Remote Users Inject SQL Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1028893
*** Siemens COMOS CVE-2013-4943 privilege escalation ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86330
*** Ruby on Rails Known Secret Session Cookie Remote Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080098
*** HTCSyncManagerUpdate DLL Hijacking ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080095
*** Sybase EAServer XXE Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080099
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 08-08-2013 18:00 − Friday 09-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Advance Notification Service for August 2013 Security Bulletin Release ***
---------------------------------------------
Today we're providing advance notification for the release of eight bulletins, three Critical and five Important, for August 2013. The Critical updates address vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. As usual, we've scheduled the bulletin release for the second Tuesday of the month, August 13, 2013, at approximately 10:00 a.m. PDT. Revisit this blog then for our analysis of the risk and impact, as well as our deployment guidance and a brief video
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/08/08/advance-notification-ser…
*** One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers ***
---------------------------------------------
By Dancho Danchev. In a series of blog posts, we've been highlighting the ease, automation, and sophistication of today's customer-ized managed spam 'solutions', setting up the foundations for a successful fraudulent or purely malicious spam campaign, like the ones we intercept and protect against on a daily basis. From bulletproof spam-friendly SMTP servers, to segmented...
---------------------------------------------
http://blog.webroot.com/2013/08/08/one-stop-shop-for-spammers-offers-dkim-v…
*** Breaking Down the China Chopper Web Shell - Part II ***
---------------------------------------------
Part II in a two-part series. Read Part I. Introduction: In Part I of this series, I described China Chopper's easy-to-use interface and advanced features - all the more remarkable considering the Web shell's tiny size: 73 bytes for the aspx version,...
---------------------------------------------
http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/br…
*** July 2013 Virus Activity Overview ***
---------------------------------------------
August 5, 2013. As in previous months, in July, Doctor Web's technical support received hundreds of requests from users whose systems were compromised by various encoder Trojans. Those whose computers were infected with Trojan.Winlock malware turned to Doctor Web for assistance too. Also, incidents took place involving Trojans for Android being spread via Google Play: according to Doctor Web's analysts, 10,000-25,000 mobile devices could be affected by these malicious applications. Viruses...
---------------------------------------------
http://news.drweb.com/show/?i=3805&lng=en&c=9
*** Blog: Securing your Email space ***
---------------------------------------------
Lavabit closes and Silent Circle announces closing its Silent Mail service. Which secure e-mail providers can be considered as alternative?
---------------------------------------------
http://www.securelist.com/en/blog/9149/Securing_your_Email_space
*** Joomla! redSHOP Component "pid" SQL Injection Vulnerability ***
---------------------------------------------
Matias Fontanini has reported a vulnerability in the redSHOP component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.
---------------------------------------------
https://secunia.com/advisories/54428
*** Symfony HOST HTTP Header Spoofing and Validation Bypass Vulnerabilities ***
---------------------------------------------
A security issue and a vulnerability have been reported in Symfony, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54329
*** VLC Media Player ABC File Parsing Vulnerabilities ***
---------------------------------------------
SCRT Information Security has discovered two vulnerabilities in VLC Media Player, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to a bundled vulnerable version of libmodplug.
---------------------------------------------
https://secunia.com/advisories/54451
*** MyBB member.php open redirect ***
---------------------------------------------
MyBB could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the member.php script. A remote attacker could exploit this vulnerability using the url parameter in a...
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86312
*** Security Bulletin: Informix Open Admin Tool (OAT) cross-site scripting vulnerability (CVE-2013-0492) ***
---------------------------------------------
An attacker can trick a user into inserting a malformed URL address into a browser or clicking on a malformed URL link and exploit a cross-site scripting vulnerability that can be used to gain unauthorized access or collect sensitive information. CVE(s): CVE-2013-0492 Affected product(s) and affected version(s): Informix Open Admin Tool (OAT) 3.11 and prior releases Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_inf…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 07-08-2013 18:00 − Thursday 08-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Reality of Browser-Based Botnets ***
---------------------------------------------
The research on browser-based botnets presented during the recent Blackhat conference in Las Vegas touches on our previous study on the abuse of HTML5. Most importantly, it shows how a simple fake online ad can lead to formidable threats like a distributed denial of service (DDoS) attack. In their briefing, Jeremiah Grossman and Matt Johansen...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/uhrzSyFOloo/
*** "Hand of Thief" banking trojan doesn't do Windows - but it does Linux ***
---------------------------------------------
Priced at $2,000, bank fraud malware has its own sales and support agents.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/RoJzDIPdCXI/story01…
*** [papers] - Adventures in Automotive Networks and Control Units ***
---------------------------------------------
Previous research has shown that it is possible for an attacker to get remote code execution on the electronic control units (ECU) in automotive vehicles via various interfaces such as the Bluetooth interface and the telematics unit. This paper aims to expand on the ideas of what such an attacker could do to influence the behavior of the vehicle after that type of attack. In particular, we demonstrate how on two different vehicles that in some circumstances we are able to control the steering, braking,...
---------------------------------------------
http://www.exploit-db.com/download_pdf/27404
*** Cisco TelePresence System Default Credentials Vulnerability ***
---------------------------------------------
A vulnerability in Cisco TelePresence System could allow a remote attacker to access the web server via a user account that is created with default credentials.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vulnerabilities in Drupal Third Party Modules ***
---------------------------------------------
https://drupal.org/node/2059589
https://drupal.org/node/2059599
https://drupal.org/node/2059603
https://drupal.org/node/2059765
https://drupal.org/node/2059823
*** Security Bulletin: IBM Platform Application Center (CVE-2013-4002) ***
---------------------------------------------
A variant of the Apache Xerces-J XML parser (XML4J) shipped with IBM Platform Application Center is vulnerable to a denial of service attack that can be triggered by malformed XML data. CVE(s): CVE-2013-4002 Affected product(s) and affected version(s): IBM Platform Application Center V8.3 and V9.1 Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=isg3T1019751 X-Force Database:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM Content Analytics with Enterprise Search Multiple Vulnerabilities ***
---------------------------------------------
IBM has acknowledged a weakness and multiple vulnerabilities in IBM Content Analytics with Enterprise Search, which can be exploited by malicious people to disclose certain sensitive information, conduct cross-site scripting attacks, manipulate certain data, and cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54460
*** Bugtraq: [security bulletin] HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers and Switches, OSPF Remote Information Disclosure and Denial of Service ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Networking Products including 3COM and H3C routers and switches. The vulnerabilities could be remotely exploited resulting in disclosure of information and denial of service.
---------------------------------------------
http://www.securityfocus.com/archive/1/527859
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 06-08-2013 18:00 − Wednesday 07-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Stop! Yammer time: Microsoft blats biz babble account hijacking bug ***
---------------------------------------------
You can't touch this other user's logins, Miss Hacker. Microsoft has fixed a potentially nasty set of authentication vulnerabilities involving Yammer, the "Facebook for business" enterprise collaboration and social networking platform.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/08/06/yammer_auth…
*** Fort Disco Brute-Force Attack Campaign Targets CMS Websites ***
---------------------------------------------
The Fort Disco botnet targets systems built on content management systems such as WordPress, using a brute-force password attack to control systems and install additional malware.
---------------------------------------------
http://threatpost.com/fort-disco-brute-force-attack-campaign-targets-cms-we…
*** Breaking Down the China Chopper Web Shell - Part I ***
---------------------------------------------
Part I in a two-part series. China Chopper: The Little Malware That Could. China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth. Other than a good blog post from security researcher...
---------------------------------------------
http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/br…
*** Bugtraq: [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS) vulnerability ***
---------------------------------------------
The Apache CloudStack Security Team was notified of an issue found in
the Apache CloudStack user interface that allows an authenticated user
to execute cross-site scripting attack against other users within the
system.
---------------------------------------------
http://www.securityfocus.com/archive/1/527803
*** McAfee Superscan 4.0 Cross Site Scripting ***
---------------------------------------------
Topic: McAfee Superscan 4.0 Cross Site Scripting Risk: Low Text: Trustwave SpiderLabs Security Advisory TWSL2013-024: Cross Site Scripting (XSS) vulnerability in McAfee Superscan 4.0 Publi...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080058
*** MyBB 1.6.10 url Parameter Arbitrary Site Redirection Vulnerability ***
---------------------------------------------
Topic: MyBB 1.6.10 url Parameter Arbitrary Site Redirection Vulnerability Risk: Low Text: MyBB 1.6.10 url Parameter Arbitrary Site Redirection Vulnerability Vendor: MyBB Group Product web page: http://www.mybb...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080057
*** Atlassian Confluence 5.3 Cross Site Scripting ***
---------------------------------------------
Topic: Atlassian Confluence 5.3 Cross Site Scripting Risk: Low Text: Atlassian Confluence, the Enterprise Wiki Reflected XSS Details Product: Atlassian Confluence ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080066
*** Atlassian JIRA 6.0.3 Cross Site Scripting ***
---------------------------------------------
Topic: Atlassian JIRA 6.0.3 Cross Site Scripting Risk: Low Text: Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability Vendor: Atlassian Corporation Pty Ltd. Produc...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080065
*** Bugtraq: Attacking Google Accounts with weblogin: Tokens ***
---------------------------------------------
For those who missed it, I would like to spread awareness about how
conveniences built into the Google eco-system can allow an
application, a physical user, or a forensics expert to access almost
everything in your Google account.
---------------------------------------------
http://www.securityfocus.com/archive/1/527810
*** National Instruments LabVIEW Path Traversal Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A vulnerability was reported in National Instruments LabVIEW. A remote user can execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1028889
*** Cacti SQL and Command Injection Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54386
*** IBM Integrated Management Module IPMI default accounts ***
---------------------------------------------
The Integrated Management Module (IMM) and Integrated Management Module II (IMM2) used by multiple IBM servers are preconfigured with one IPMI user account, which has the same default login name and password on all affected systems. If a malicious user gains access to the IPMI interface using this...
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86172
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 05-08-2013 18:00 − Tuesday 06-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Bulletin: Tivoli Management Framework affected by vulnerabilities in OpenSSL 1.0.1c ***
---------------------------------------------
OpenSSL versions before 1.0.1d are affected by known vulnerabilities and must be upgraded. On the Linux (Intel or z/OS) platform, the components of Tivoli Management Framework 4.1.1 may include OpenSSL files at version 1.0.1c or lower. CVE(s): CVE-2013-0169 CVE-2013-0166 CVE-2012-2686 Affected product(s) and affected version(s): Tivoli Management Framework 4.1.1 (Note: Tivoli Management Framework 4.3.1 does not have this issue.) Refer to the following reference URLs for...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tiv…
*** MOXA WEAK ENTROPY IN DSA KEYS VULNERABILITY ***
---------------------------------------------
Overview: Researcher Nadia Heninger of the University of California, San Diego, and researchers Zakir Durumeric, Eric Wustrow, and J. Alex Halderman of the University of Michigan identified an insufficient entropy vulnerability in Moxa’s OnCell Gateways. Moxa produced and released a firmware upgrade on April 3, 2013, that mitigates this vulnerability. This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-217-01
*** Samba smbd CPU Processing Loop Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Samba. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1028882
*** IBM iNotes Input Validation Flaws Permit Cross-Site Scripting Attacks and Integer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in IBM iNotes. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting attacks.
---------------------------------------------
http://www.securitytracker.com/id/1028884
*** Warning: ad server OpenX contains a backdoor ***
---------------------------------------------
heise Security has found a backdoor in the official downloads of the OpenX server. It has apparently been present for almost a year and is already being actively used for attacks on ad servers.
---------------------------------------------
http://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt…
*** Huawei B153 3G/UMTS Router WPS Weakness ***
---------------------------------------------
Topic: Huawei B153 3G/UMTS Router WPS Weakness Risk: High Text:Huawei B153 3G/UMTS router WPS weakness [ADVISORY INFORMATION] Title: Huawei B153 3G/UMTS router WPS weakne...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080046
*** How to Check if Your Website is Part of the StealRat Botnet ***
---------------------------------------------
For a few months now, we have been actively monitoring a spambot named StealRat, which primarily uses compromised websites and systems in its operations. We have continuously monitored its operations and identified about 195,000 domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/bWOEp0_bDhw/
*** Java-Forum.org: database dump surfaces ***
---------------------------------------------
Following last week's incidents, parts of a database dump of the Java-Forum have now surfaced. Since user data may be at risk, users are advised to change the passwords of any other accounts that use the same password.
---------------------------------------------
http://www.heise.de/security/meldung/Java-Forum-org-Datenbank-Dump-aufgetau…
*** Atlassian Confluence Xwork OGNL Double Evaluation Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Atlassian Confluence, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54416
*** WordPress Xhanch - My Twitter Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
Charlie Eriksen has discovered a vulnerability in the Xhanch - My Twitter plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/53133
*** ownCloud Cross-Site Scripting and Security Bypass Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in ownCloud, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54357
*** 2Q Security Roundup: Mobile Flaws Form Lasting Security Problems ***
---------------------------------------------
Threats on mobile platforms, devices, and applications have been swelling up over the past years; but this quarter, they have finally gone full throttle. Cybercriminals have found more sophisticated ways to bypass mobile security, and it’s not just through malicious applications anymore. Android Updates Lag, Users Suffer Critical Flaws Proof of the Android “Master Key” [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/G6B7m5C3Pas/
*** Schneider Electric Vijeo Citect, CitectSCADA, PowerLogic SCADA Vulnerability ***
---------------------------------------------
Overview: Schneider Electric has identified an XML external entity vulnerability in Vijeo Citect, CitectSCADA, and PowerLogic SCADA applications. Timur Yunusov, Alexey Osipov, and Ilya Karpov of Positive Technologies reported the vulnerability directly to Schneider Electric. Schneider Electric has produced patches that mitigate this vulnerability. Affected Products: Schneider Electric reports that the vulnerability affects the following products: · Vijeo Citect Version 7.20 and all previous...
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-217-02
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 02-08-2013 18:00 − Monday 05-08-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DMARC: another step forward in the fight against phishing?, (Mon, Aug 5th) ***
---------------------------------------------
I’m always searching to find facts and figures on the effectiveness of security measures against phishing attacks, which is harder than it would first seem. This is all in aid of framing a picture for the boss on why to spend money, energy and resources on this most insidious and highly successful type of attack. That makes it very important to understand what happens to your company, then your industry sector and, finally, how other non-related sectors are doing, to create an
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16297&rss
*** Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps ***
---------------------------------------------
chicksdaddy writes "Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television's surroundings using an integrated webcam. Speaking in Las Vegas, Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC
---------------------------------------------
http://entertainment.slashdot.org/story/13/08/03/2250247/samsung-smart-tv-b…
*** Firefox Zero-Day Used in Child Porn Hunt? ***
---------------------------------------------
A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser -- an online anonymity
---------------------------------------------
https://krebsonsecurity.com/2013/08/firefox-zero-day-used-in-child-porn-hun…
*** Bad timing: New HTML5 trickery lets hackers silently spy on browsers ***
---------------------------------------------
Sub-millisecond precision in your rendering engine. What could possibly go wrong? New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open in a victim's browser, it is claimed.
---------------------------------------------
http://www.theregister.co.uk/2013/08/05/html5_timing_attacks/
*** Microsoft Security Advisory (2876146): Wireless PEAP-MS-CHAPv2 Authentication Could Allow Information Disclosure - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2876146
*** [2013-08-05] Vodafone EasyBox default WPS PIN algorithm weakness ***
---------------------------------------------
The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address. An unauthenticated attacker within the range of the access point can capture the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN for it.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
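The EasyBox advisory above, like the Huawei B153 WPS weakness earlier in this digest, rests on the structure of a WPS PIN: eight digits of which the last is a checksum over the other seven, so whatever vendor formula maps a BSSID to a 7-digit prefix, the full PIN follows. The block below is an added illustration, not SEC Consult's or the vendor's code, and it does not reproduce the EasyBox derivation (the 7-digit prefix 1234567 used in main() is a stand-in for that step). It parses a BSSID as read from a beacon, computes the checksum digit with the weighted digit sum from the WPS specification (the same arithmetic as wpa_supplicant's wps_pin_checksum), completes a prefix into a PIN and validates candidate PINs. The sample BSSID is constructed and belongs to no real device.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Parse "aa:bb:cc:dd:ee:ff" (as captured from an 802.11 beacon) into six
 * bytes. Returns 1 on success, 0 on any malformed input. */
int parse_bssid(const char *text, uint8_t mac[6]) {
    unsigned int v[6];
    char tail;
    if (strlen(text) != 17)
        return 0;
    if (sscanf(text, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return 0;                      /* 7 means trailing junk after the 6th octet */
    for (int i = 0; i < 6; i++) {
        if (v[i] > 0xFF)
            return 0;
        mac[i] = (uint8_t)v[i];
    }
    return 1;
}

/* Checksum digit of a 7-digit PIN: digits are weighted 3,1,3,1,... from the
 * right, summed, and the digit that brings the sum to a multiple of 10 is
 * appended (WPS specification; identical to wpa_supplicant's wps_pin_checksum). */
unsigned int wps_pin_checksum(unsigned int pin7) {
    unsigned int accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Complete 8-digit PIN for a 7-digit prefix. Once a device-specific formula
 * (assumed here, not reproduced) yields the prefix, nothing is left to guess. */
unsigned int wps_pin_from_prefix(unsigned int pin7) {
    return pin7 * 10 + wps_pin_checksum(pin7);
}

/* 1 if pin8 is an 8-digit PIN whose last digit is a correct checksum. */
int wps_pin_valid(unsigned int pin8) {
    return pin8 < 100000000u && wps_pin_checksum(pin8 / 10) == pin8 % 10;
}

/* Render a PIN with leading zeros preserved (00000000 is a valid PIN). */
void format_wps_pin(unsigned int pin8, char out[9]) {
    snprintf(out, 9, "%08u", pin8 % 100000000u);
}

int main(void) {
    uint8_t mac[6];
    char pin[9];
    const char *bssid = "00:11:22:33:44:55";   /* constructed sample, no real device */
    if (!parse_bssid(bssid, mac))
        return 1;
    /* Hypothetical: pretend the vendor's BSSID/serial formula produced this prefix. */
    unsigned int prefix = 1234567;
    format_wps_pin(wps_pin_from_prefix(prefix), pin);
    printf("BSSID %s -> candidate WPS PIN %s (checksum valid: %d)\n",
           bssid, pin, wps_pin_valid(wps_pin_from_prefix(prefix)));
    return 0;
}
```

The prefix 1234567 completes to 12345670, which is the well-known default PIN that ships on many access points; the last digit carries no secret at all. The practical consequence is that the checksum digit should never be counted as part of the PIN's entropy, and a PIN that is derived from broadcast data has none.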
*** rgpg gem for Ruby command execution ***
---------------------------------------------
rgpg gem for Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by the improper validation of input by GpgHelper module (lib/rgpg/gpg_helper.rb). An attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86148
*** HP LaserJet Pro Printer Bug Lets Remote Users Access Data ***
---------------------------------------------
A vulnerability was reported in HP Printer. A remote user can obtain potentially sensitive information.
---------------------------------------------
http://www.securitytracker.com/id/1028869
*** Bugtraq: FTP OnConnect v1.4.11 iOS - Multiple Web Vulnerabilities ***
---------------------------------------------
The Vulnerability Laboratory Research Team discovered a command/path injection vulnerability in the FTP OnConnect v1.4.11 application (Apple iOS - iPad & iPhone).
---------------------------------------------
http://www.securityfocus.com/archive/1/527760
*** Bugtraq: PuTTY SSH handshake heap overflow ***
---------------------------------------------
PuTTY versions 0.62 and earlier - as well as all software that
integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication,...
---------------------------------------------
http://www.securityfocus.com/archive/1/527763
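The bug class named in the PuTTY post, an integer overflow in a length field read during the handshake that turns into a heap overflow, is worth seeing side by side with the check that prevents it. The block below is an added illustration of that class on the SSH "string" wire encoding (a big-endian uint32 length followed by that many bytes); it is not PuTTY's code and does not claim to reproduce the exact flaw. The hardened reader bounds the length against what is actually present; the vulnerable variant keeps the length in a signed int, so a peer-supplied 0xFFFFFFF0 is -16, slips past the comparison, and would be handed to the copy as a huge unsigned size. The vulnerable function only reports the size the copy would get and performs no copy, so it is safe to run. Both messages are constructed samples, not captured traffic.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Big-endian uint32, the encoding of every SSH length field. */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened reader for one SSH "string" starting at *pos in a buffer of
 * total bytes. Returns 1 and sets *out/*outlen on success; returns 0 and
 * leaves *pos unchanged if the length field is truncated or the declared
 * length exceeds the bytes that are really there. */
int read_ssh_string(const unsigned char *buf, size_t total, size_t *pos,
                    const unsigned char **out, size_t *outlen) {
    if (*pos > total || total - *pos < 4)
        return 0;                          /* no complete length field */
    uint32_t len = get_u32(buf + *pos);
    size_t after_len = *pos + 4;
    if (len > total - after_len)
        return 0;                          /* claims more bytes than exist */
    *out = buf + after_len;
    *outlen = len;
    *pos = after_len + len;
    return 1;
}

/* Vulnerable pattern (illustration only): the length lives in a signed int.
 * 0xFFFFFFF0 becomes -16 on two's-complement targets, the "too long?" test
 * passes, and the value is converted back to an unsigned size for memcpy into
 * a small heap buffer. Returns the byte count memcpy would receive, or 0 if
 * the flawed check happens to reject the input. No copy is performed. */
size_t vulnerable_copy_length(const unsigned char *buf, size_t total) {
    int remaining = (int)total - 4;
    int len = (int)get_u32(buf);           /* 0xFFFFFFF0 -> -16 */
    if (len > remaining)
        return 0;                          /* a negative len never trips this */
    return (size_t)len;                    /* -16 -> SIZE_MAX - 15 */
}

/* Constructed sample messages. */
const unsigned char SSH_STR_GOOD[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const unsigned char SSH_STR_BAD[]  = {0xFF, 0xFF, 0xFF, 0xF0, 'x', 'y'};

int main(void) {
    const unsigned char *s;
    size_t n, pos = 0;
    if (read_ssh_string(SSH_STR_GOOD, sizeof SSH_STR_GOOD, &pos, &s, &n))
        printf("good: %zu-byte string \"%.*s\"\n", n, (int)n, s);
    pos = 0;
    printf("bad, hardened reader: %s\n",
           read_ssh_string(SSH_STR_BAD, sizeof SSH_STR_BAD, &pos, &s, &n)
               ? "accepted" : "rejected");
    printf("bad, vulnerable reader: memcpy would get %zu bytes for a %zu-byte payload\n",
           vulnerable_copy_length(SSH_STR_BAD, sizeof SSH_STR_BAD),
           sizeof SSH_STR_BAD - 4);
    return 0;
}
```

The design point is that the length must be compared as an unsigned quantity against the bytes remaining after the length field itself, before any allocation or copy; the signed comparison in the vulnerable variant is exactly the step that lets a pre-authentication peer choose the overflow size.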
*** Bugtraq: Joomla core <= 3.1.5 reflected XSS vulnerability ***
---------------------------------------------
Joomla core package <= 3.1.5 includes a PHP script that suffers from
reflected XSS vulnerability that allows to inject HTML and malicious
scripts that can access any cookies, session tokens, or other...
---------------------------------------------
http://www.securityfocus.com/archive/1/527765
*** IBM InfoSphere BigInsights Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM InfoSphere BigInsights, which can be exploited by malicious people to conduct spoofing, cross-site scripting, and request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/54447
*** HPSBUX02909 SSRT101289 rev.1 - HP-UX Apache Web Server, Remote Denial of Service (DoS) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP-UX Apache Web Server. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** TYPO3: Several vulnerabilities in extensions ***
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** phpMyAdmin Clickjacking Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54381
https://secunia.com/advisories/54409
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 01-08-2013 18:00 − Friday 02-08-2013 17:12
Handler: Matthias Fraidl
Co-Handler: Otmar Lendl
*** Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages ***
---------------------------------------------
Exploit called BREACH bypasses the SSL crypto scheme protecting millions of sites.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/40ZrPMXUh8I/story01…
*** Siemens Scalance W-7xx Product Family Multiple Vulnerabilities ***
---------------------------------------------
Overview: Siemens has identified multiple vulnerabilities in the Siemens Scalance W-7xx product family and reported them to ICS-CERT. A software update has been produced by Siemens that mitigates these vulnerabilities. Siemens has tested the software update to validate that it resolves the vulnerabilities. Exploitation of these vulnerabilities could allow a man-in-the-middle attack or the ability to gain complete control of the system. These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-213-01
*** OSPF LSA Manipulation Vulnerability in Multiple Cisco Products ***
---------------------------------------------
OSPF LSA Manipulation Vulnerability in Multiple Cisco Products
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Apple to Fix 'Fake USB Charger' Flaw in iOS 7 ***
---------------------------------------------
Apple claims it will fix a previous disclosed flaw in its mobile operating system that can allow hackers complete access to an iPhone or iPad via a fake USB charger.
---------------------------------------------
http://threatpost.com/apple-to-fix-fake-usb-charger-flaw-in-ios-7/101554
*** Hot Knives Through Butter: Bypassing File-based Sandboxes ***
---------------------------------------------
Diamonds are a girl's best friend. Prime numbers are a mathematician's best friend. And file-based sandboxes are an IT security researcher's best friend. Unfortunately, malware authors know this. Aware that researchers are using sandboxes to monitor file behavior, attackers are ...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/08/hot-knives-t…
*** Vuln: Drupal Google Authenticator Login Module Access Bypass Vulnerability ***
---------------------------------------------
Drupal Google Authenticator Login Module Access Bypass Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/59884
*** vtiger CRM 5.4.0 PHP Code Injection ***
---------------------------------------------
Topic: vtiger CRM 5.4.0 PHP Code Injection Risk: High Text: -- vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code Injection Vulnerability ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080015
*** Vuln: Symantec Backup Exec CVE-2013-4575 Remote Heap Buffer Overflow Vulnerability ***
---------------------------------------------
Symantec Backup Exec CVE-2013-4575 Remote Heap Buffer Overflow Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/61485
*** "Malware-infected hosts as stepping stones" service offers access to hundreds of compromised U.S.-based hosts ***
---------------------------------------------
By Dancho Danchev Malware-infected hosts with clean IP reputation have always been a desirable underground market item. On the majority of occasions, they will either be abused as distribution/infection vector, used as cash cows, or as 'stepping stones', risk-forwarding the responsibility, and distorting the attribution process, as well as adding an additional OPSEC (Operational Security) layer
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/xpbJBn1gMZA/
*** Java Back Door Acts as Bot ***
---------------------------------------------
The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary's JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection. This archive does not exploit any Java
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/java-back-door-acts-as-bot
*** Black Hat: EFI toolkit for finding bootkits ***
---------------------------------------------
Security researchers have developed a Rootkit Detection Framework (RDFU) for hardening UEFI. To demonstrate its usefulness, they first implemented an attack scenario with a Mac bootkit.
---------------------------------------------
http://www.heise.de/security/meldung/Black-Hat-EFI-Toolkit-zur-Suche-nach-B…
*** Black Hat: tens of thousands of exposed webcams on the net ***
---------------------------------------------
The firmware of numerous webcams harbours an extraordinary number of bugs. They allow full control of cameras from the manufacturers D-Link, Cisco, Trendnet, IQInvision and 3SVision. Updates are available but evidently are not being installed.
---------------------------------------------
http://www.heise.de/security/meldung/Black-Hat-Zehntausende-offene-Webcams-…
*** ISPmanager Multiple Vulnerabilities ***
---------------------------------------------
ISPmanager Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54330
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 31-07-2013 18:00 − Thursday 01-08-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Inside the Security Model of BlackBerry 10 ***
---------------------------------------------
The new BlackBerry 10 operating system contains a number of security improvements and upgrades over earlier versions, but there are still some features and functions that an attacker may be able to exploit.
---------------------------------------------
http://threatpost.com/inside-the-security-model-of-blackberry-10/101542
*** Malicious JavaScript flips ad network into rentable botnet ***
---------------------------------------------
Enslaved machines helplessly press Apache's buttons. Black Hat 2013: Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed denial-of-service attacks at the click of a button.
---------------------------------------------
http://www.theregister.co.uk/2013/07/31/whitehat_security_ad_networks_botne…
*** Got an account on a site like Github? Hackers may know your e-mail address ***
---------------------------------------------
Researcher de-anonymizes forum people posting extremist views.
---------------------------------------------
http://arstechnica.com/security/2013/07/got-an-account-on-a-site-like-githu…
*** Black Hat: TLS extension weakens encryption security ***
---------------------------------------------
At Black Hat, security researcher Florent Daignière examined the TLS extension that provides session tickets. If an attacker can obtain data from the web server, previously recorded connections can be decrypted after the fact.
---------------------------------------------
http://www.heise.de/security/meldung/Black-Hat-TLS-Erweiterung-schwaecht-Si…
*** Researchers reveal how to hack an iPhone in 60 seconds ***
---------------------------------------------
Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."
---------------------------------------------
http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds…
*** Attacks on accounts protected by mTAN ***
---------------------------------------------
Banks describe the mTAN procedure as secure. Nevertheless, criminals manage to circumvent the security mechanism. The effort is high, but the haul is large.
---------------------------------------------
http://www.heise.de/security/meldung/Angriffe-auf-mit-mTAN-geschuetzte-Kont…
*** Teaching Old Malware New Tricks ***
---------------------------------------------
Why Carberp, ZeuS, and Other Vintage Malware Have a Bigger Bite Than You Think (First in a three-part series) As a sales engineer working at FireEye, I spend my days running production pilots with prospects, discussing advanced persistent threats (APTs)
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/08/teaching-old-malware-new-tric…
*** Cisco WAAS Central Manager Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** GnuPG / Libgcrypt RSA Secret Key Disclosure Weakness ***
---------------------------------------------
https://secunia.com/advisories/54373
*** VMware ESXi Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54339
*** TYPO3 Cross-Site Scripting and Arbitrary File Upload Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/53529
*** Subversion 1.7.9 remote DoS vulnerability. ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080004
*** Subversion 1.6.21 arbitrary code execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013080003
*** Vuln: Drupal Flippy Module Access Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61546
*** Bugtraq: Open-Xchange Security Advisory 2013-07-31 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/527662
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 30-07-2013 18:00 − Wednesday 31-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New Software Obfuscation Throws Wrench into Reverse Engineering ***
---------------------------------------------
Researchers say their new software obfuscation scheme is the first time this technique has been successfully accomplished where the underlying piece of software, such as a patch, could not be reverse engineered in a matter of days.
---------------------------------------------
http://threatpost.com/new-software-obfuscation-throws-wrench-into-reverse-e…
*** Malware Hijacks Social Media Accounts Via Browser Add-ons ***
---------------------------------------------
We spotted yet another threat lurking around social media sites targeting users of either Google Chrome or Mozilla Firefox. This threat uses fake extensions for both browsers to infiltrate user systems and hijack social media accounts specifically, Facebook, Google+, and Twitter accounts.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-hijacks-…
*** Pwned again: an exclusive look at Pwnie Express newest hack-in-a-box ***
---------------------------------------------
The Pwn Plug R2 is a miniature NSA, ready to exploit networks for their own good.
---------------------------------------------
http://arstechnica.com/security/2013/07/pwned-again-an-exclusive-look-at-pw…
*** DIY commercially-available 'automatic Web site hacking as a service' spotted in the wild ***
---------------------------------------------
By Dancho Danchev A newly launched underground market service, aims to automate the unethical penetration testing process, by empowering virtually all of its (paying) customers with what they claim is 'private exploitation techniques' capable of compromising any Web site.
---------------------------------------------
http://blog.webroot.com/2013/07/31/diy-commercially-available-automatic-web…
*** TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core ***
---------------------------------------------
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting and Remote Code Execution
Component Type: TYPO3 Core
Overall Severity: Critical
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-s…
*** Mozilla Minion: platform for security testing ***
---------------------------------------------
According to its developers, the platform for automating security tests has, with version 0.3, reached a state in which it can be deployed at scale for the first time.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-Minion-Plattform-fuer-Sicherhe…
*** MalwareZ: visualizing malware activity on earth map ***
---------------------------------------------
MalwareZ is a visualization project that was started as a YakindanEgitim (YE) project. YE is a startup in which some colleagues and I mentor young people on specific projects, remotely. It is announced as a local fork of Google Summer of Code, except that neither mentors nor mentees are paid.
---------------------------------------------
https://www.honeynet.org/node/1075
*** Lights on, whirlpool off: smart-home hacking ***
---------------------------------------------
At the Black Hat conference, several speakers addressed the topic of (in)secure home automation. A Forbes journalist also tried her hand at home hacking and succeeded with eight "smart homes".
---------------------------------------------
http://www.heise.de/security/meldung/Licht-an-Whirlpool-aus-Smart-Home-Hack…
*** Andromeda Botnet Gets an Update ***
---------------------------------------------
The Andromeda botnet is still active in the wild and not yet dead. In fact, it's about to undergo a major update real soon. This botnet was first reported back in 2011 but has recently risen to prominence due to the latest modifications in the threat.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/andromeda-botnet…
*** Siemens SIMATIC WinCC TIA Portal Two Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/54051
*** Vuln: YUI CVE-2013-4939 Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/61177
*** Vuln: phpMyAdmin CVE-2013-4998 Multiple Unspecified Full Path Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/61513
*** More heavily URL encoded PHP Exploits against Plesk "phppath" vulnerability, (Tue, Jul 30th) ***
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16255&rss
*** IE9/10 information disclosure vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070232
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-07-2013 18:00 − Tuesday 30-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Otmar Lendl
*** Microsoft Expands MAPP Program to Incident Response Teams ***
---------------------------------------------
Microsoft is expanding its MAPP program that shares attack and protection information with other security vendors and will now be sharing some data with incident responders, as well. The new system will enable organizations such as CERTs and internal IR teams to exchange information on specific attacks and general threats.
---------------------------------------------
http://threatpost.com/microsoft-expands-mapp-program-to-incident-response-t…
*** Texas students hijack superyacht with GPS-spoofing luggage ***
---------------------------------------------
Don't panic, yet. Students from the University of Texas successfully piloted an $80m superyacht sailing 30 miles offshore in the Mediterranean Sea by overriding the ship's GPS signals without any alarms being raised...
---------------------------------------------
http://www.theregister.co.uk/2013/07/29/texas_students_hijack_superyacht_wi…
*** How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts? ***
---------------------------------------------
By Dancho Danchev For years, many of the primary and market-share leading 'malware-infected hosts as a service' providers have become used to selling exclusive access to hosts from virtually the entire World, excluding the sale and actual infection of Russian and Eastern European based hosts.
---------------------------------------------
http://blog.webroot.com/2013/07/29/how-much-does-it-cost-to-buy-one-thousan…
*** BGP multiple banking addresses hijacked, (Mon, Jul 29th) ***
---------------------------------------------
BGP multiple banking addresses hijacked. On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet. Why is this important, you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16249&rss
*** Mail from the (Velvet) Cybercrime Underground ***
---------------------------------------------
Over the past six months, "fans" of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts.
---------------------------------------------
https://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-undergr…
*** Custom USB sticks bypassing Windows 7/8's AutoRun protection measure going mainstream ***
---------------------------------------------
By Dancho Danchev When Microsoft disabled AutoRun on XP and Vista back in February, 2011, everyone thought this was game over for the bad guys who were abusing the removable media distribution/infection vector in particular.
---------------------------------------------
http://blog.webroot.com/2013/07/30/custom-usb-sticks-bypassing-windows-78s-…
*** NASA: Pushed into the cloud ***
---------------------------------------------
Pushed into the cloud by the federal agencies and without a proper cloud strategy, NASA moved data into the cloud - unsecured and in part without the knowledge of the responsible office. The federal agencies, however, continue to rely on the cloud.
---------------------------------------------
http://www.heise.de/security/meldung/NASA-In-die-Cloud-geschubst-1926189.ht…
*** CrowdSource Tool Aims to Improve Automated Malware Analysis ***
---------------------------------------------
When a new piece of malware surfaces, it's typically analyzed eight ways from Sunday by a long list of antimalware and other security companies, government agencies, CERTs and other organizations who try to break it down and classify its capabilities.
---------------------------------------------
http://threatpost.com/crowdsource-tool-aims-to-improve-automated-malware-an…
*** Vuln: phpMyAdmin Multiple SQL Injection and Cross Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/61493
*** Debian Security Advisory DSA-2730 gnupg ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2730
*** Bugtraq: MojoPortal XSS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/527629
*** OpenOffice.org OOXML code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86002
*** FreeBSD NFS security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86003
*** FluxBB 1.5.3 Multiple Remote Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070223
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 26-07-2013 18:00 − Monday 29-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Otmar Lendl
*** ISC BIND RDATA Processing Bug Lets Remote Users Deny Service ***
---------------------------------------------
ISC BIND RDATA Processing Bug Lets Remote Users Deny Service
---------------------------------------------
http://www.securitytracker.com/id/1028838
*** Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070206
*** Computer scientist team barred from disclosing start codes for luxury cars ***
---------------------------------------------
Flavio Garcia of the University of Birmingham has outsmarted a security system used in luxury-class vehicles. However, the planned publication at the Usenix symposium in Washington was prohibited by a court.
---------------------------------------------
http://www.heise.de/security/meldung/Informatiker-Team-darf-Startcodes-fuer…
*** ASUS RT-AC66U Remote Root Shell Exploit - acsd param command ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070209
*** Defending Against Web Server Denial of Service Attacks ***
---------------------------------------------
Earlier this weekend, one of our readers reported an odd attack on an Apache web server that he supports. The server was getting pounded with port 80 requests like the excerpt below. This attack had been ramping up since the 21st of July, but the "owners" of the server only detected problems with website accessibility today. They contacted the server support staff, who attempted to block the attack by scripting a search for the particular user agent string and then dropping the IP
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16240&rss
*** Windows: Dynamic certificate updates endanger SSL encryption ***
---------------------------------------------
Windows downloads root certificates for verifying encryption certificates from the Internet without any user interaction. This raises doubts about the reliability of encryption on Windows.
---------------------------------------------
http://www.heise.de/security/meldung/Windows-Dynamische-Zertifikat-Updates-…
*** [shellcode] - Windows RT ARM Bind Shell (Port 4444) ***
---------------------------------------------
Windows RT ARM Bind Shell (Port 4444)
---------------------------------------------
http://www.exploit-db.com/exploits/27180
*** Dovecot / Exim Exploit Detects, (Mon, Jul 29th) ***
---------------------------------------------
Sometimes it doesn't take an IDS to detect an attack; just reading your e-mail will do. Our reader Timo sent along these two e-mails he received, showing exploitation of a recent Dovecot/Exim configuration flaw
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16243&rss
*** OpenOffice DOC Memory Corruption ***
---------------------------------------------
The vulnerability is caused by operating on invalid PLCF (Plex of Character Positions in File) data when parsing a malformed DOC document file. Specially crafted documents can be used for denial-of-service attacks. Further exploits are possible but have not been verified.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070213
*** Header Spoofing Hides Malware Communication ***
---------------------------------------------
Spoofing, whether in the form of DNS, legitimate email notifications, IP, or the address bar, is a common part of Web threats. We've seen several incarnations of it in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-…
*** TRENDnet TEW-812DRU CSRF Command Injection > Shell Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070216
*** Vuln: HP LoadRunner CVE-2013-4800 Remote Code Execution Vulnerability ***
---------------------------------------------
HP LoadRunner CVE-2013-4800 Remote Code Execution Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/61446
*** Encryption: GnuPG slows down new side-channel attack ***
---------------------------------------------
Australian researchers have shown how, in principle, the keys of one virtual machine can be spied on from another virtual machine on the same PC. A GnuPG update now at least makes this harder.
---------------------------------------------
http://www.heise.de/security/meldung/Verschluesselung-GnuPG-bremst-neuen-Se…
*** PineApp Mail-SeCure Series Multiple Arbitrary Commands Injection Vulnerabilities ***
---------------------------------------------
PineApp Mail-SeCure Series Multiple Arbitrary Commands Injection Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54342
*** Symantec slams Web Gateway back door on would-be corporate spies ***
---------------------------------------------
Critical remote code execution vuln fixed - only five months later. Symantec has plugged a series of critical flaws in its Web Gateway appliances which included a backdoor permitting remote code execution on targeted systems.
---------------------------------------------
http://www.theregister.co.uk/2013/07/29/symantec_web_gateway_vulns_fixed/
*** Background: Raid on browser password safes ***
---------------------------------------------
Without a special password, the passwords stored in a browser's password safe are easy prey -- if you know how.
---------------------------------------------
http://www.heise.de/security/artikel/Raubzug-in-Browser-Passwort-Safes-1918…
*** Tampering with a car's brakes and speed by hacking its computers: A new how-to ***
---------------------------------------------
The "Internet of automobiles" may hold promise, but it comes with risks, too.
---------------------------------------------
http://arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-b…
*** Analysis: Spam in June 2013 ***
---------------------------------------------
Contrary to our forecasts the number of phishing attacks on social networking sites fell in June. However these sites remain the most attractive target for phishers.
---------------------------------------------
http://www.securelist.com/en/analysis/204792296/Spam_in_June_2013
*** Kaspersky: Attacks on gamers on the rise ***
---------------------------------------------
According to Kaspersky, the number of attacks on online gamers is rising again this year. Players are being cheated out of their account data, especially with well-crafted phishing e-mails. Selling stolen virtual items brings in additional money.
---------------------------------------------
http://www.heise.de/security/meldung/Kaspersky-Angriffe-auf-Gamer-nehmen-zu…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 25-07-2013 18:00 − Friday 26-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** WordPress Duplicator 0.4.4 Cross Site Scripting ***
---------------------------------------------
Topic: WordPress Duplicator 0.4.4 Cross Site Scripting Risk: Low Text: Advisory ID: HTB23162 Product: Duplicator WordPress Plugin Vendor: LifeInTheGrid Vulnerable Version(s): 0.4.4 and probably ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070201
*** Haunted by the Ghosts of ZeuS & DNSChanger ***
---------------------------------------------
One of the challenges in malware research is separating the truly novel innovations in malcoding from new nasties that merely include nominal or superficial tweaks. This dynamic holds true for both malware researchers and purveyors, albeit for different reasons. Researchers wish to avoid being labeled alarmist in calling special attention to what appears to be an emerging threat that turns out to be old news; the bad guys just want to avoid getting scammed into paying for an old malware kit
---------------------------------------------
https://krebsonsecurity.com/2013/07/haunted-by-the-ghosts-of-zeus-dnschange…
*** Hidden permission management in Android 4.3 ***
---------------------------------------------
Android 4.3 includes a function for revoking apps' permissions after the fact. It is not yet enabled, but a small trick makes it accessible. The apps are not prepared for this, however, and react in different ways.
---------------------------------------------
http://www.heise.de/security/meldung/Versteckte-Rechteverwaltung-in-Android…
*** Blog: Malicious news - birth, death, spy scandal ***
---------------------------------------------
Anna Volodina and Ram Herkanaidu
---------------------------------------------
http://www.securelist.com/en/blog/8110/Malicious_news_birth_death_spy_scand…
*** Poker player who won $1.5 million charged with running Android malware ring ***
---------------------------------------------
Contact-stealing Android malware allegedly used to fuel $3.9M spam operation.
---------------------------------------------
http://arstechnica.com/information-technology/2013/07/poker-player-who-won-…
*** The Dangers of a Royal Baby: Scams Abound ***
---------------------------------------------
Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain's royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the...
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/the-dangers-of-a-royal-baby-scams-abound
*** Background: Future-proof encryption with Perfect Forward Secrecy ***
---------------------------------------------
With an exotic feature of certain encryption settings, server operators could spoil the NSA's game. Unfortunately, so far only a single one of the big service providers does so.
---------------------------------------------
http://www.heise.de/security/artikel/Zukunftssicher-Verschluesseln-mit-Perf…
*** Short-URL Services May Hide Threats ***
---------------------------------------------
In a recent post, AppAppeal ranked the most popular URL shorteners. The top five includes TinyURL, Goo.gl, Bit.ly, Ow.ly and is.gd. Unfortunately, these helpful services are also used to hide a large number of malicious URLs. This result has made me want to learn more about malicious links that may be hidden behind these shortcuts.
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/short-url-services-may-hide-threats
*** Microsoft: 88 Percent of Citadel Botnets Down ***
---------------------------------------------
Nearly two months after the company was part of an operation to disrupt a large number of Citadel botnets, Microsoft said that 88 percent of the botnets spawned by that malware have been taken down. Citadel is a Trojan designed specifically to steal financial information from a variety of sources using a number of techniques.
---------------------------------------------
http://threatpost.com/microsoft-88-percent-of-citadel-botnets-down/101503
*** Powershell Payload Web Delivery ***
---------------------------------------------
Topic: Powershell Payload Web Delivery Risk: Medium Text: ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070202
*** FileChucker filechucker.cgi file upload ***
---------------------------------------------
FileChucker filechucker.cgi file upload
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/85965
*** [2013-07-26] Critical vulnerabilities in Symantec Web Gateway ***
---------------------------------------------
The identified vulnerabilities enable state-sponsored or criminal hackers to take full control of the Symantec Web Gateway appliance. An attacker can easily monitor all Internet web activity that the Symantec solution is supposed to protect.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** Bugtraq: Xymon Systems and Network Monitor - remote file deletion vulnerability ***
---------------------------------------------
Xymon Systems and Network Monitor - remote file deletion vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/527534
*** BMC Service Desk Express Cross-Site Scripting and SQL Injection Vulnerabilities ***
---------------------------------------------
BMC Service Desk Express Cross-Site Scripting and SQL Injection Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54145
*** Current phishing attack on Apple users ***
---------------------------------------------
Some online crooks appear to be exploiting the current outage of Apple's developer area to obtain Apple IDs.
---------------------------------------------
http://www.heise.de/security/meldung/Aktueller-Phishing-Angriff-auf-Apple-N…
*** Malware Evasion Techniques Dissected at Black Hat ***
---------------------------------------------
Researchers use file-level sandboxes to analyze the behavior of malware samples as well as techniques malicious code uses to detect and evade analysis.
---------------------------------------------
http://threatpost.com/malware-evasion-techniques-dissected-at-black-hat/101…
*** How the SIM card hack works ***
---------------------------------------------
About a week ago, German cryptography expert Karsten Nohl revealed that the data on millions of SIM cards can be exploited by hacking the DES keys. Our video shows exactly how this works.
---------------------------------------------
http://www.heise.de/security/meldung/So-funktioniert-der-SIM-Karten-Hack-19…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 24-07-2013 18:00 − Thursday 25-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Christian Wojner
*** Multiple Vulnerabilities in the Cisco Video Surveillance Manager ***
---------------------------------------------
The Cisco Video Surveillance Manager (VSM) allows operations managers and system integrators to build customized video surveillance networks to meet their needs. Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Google Wallet and Paypal Phishing by abusing WhatsApp ***
---------------------------------------------
Google Wallet and Paypal Phishing by abusing WhatsApp
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070185
*** Vuln: PHP ext/soap/php_xml.c Multiple Arbitrary File Disclosure Vulnerabilities ***
---------------------------------------------
PHP is prone to multiple arbitrary file-disclosure vulnerabilities because the application fails to sanitize user-supplied input.
An authenticated attacker can exploit these vulnerabilities to view arbitrary files within the context of the affected application. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/58766
*** Google strengthens Android security muscle with NSA-developed protection ***
---------------------------------------------
Addition of SELinux to version 4.3 one of several improvements to Android security.
---------------------------------------------
http://arstechnica.com/security/2013/07/google-strengthens-android-security…
*** Windu CMS 2.2 CSRF Add Admin Exploit ***
---------------------------------------------
Topic: Windu CMS 2.2 CSRF Add Admin Exploit Risk: Low Text: <!-- Windu CMS 2.2 CSRF Add Admin Exploit Vendor: Adam Czajkowski Product web page: http://www.windu.org Affected ver...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070187
*** Toward A Greater Mobile Mal-Awareness ***
---------------------------------------------
Several recent developments in mobile malware are conspiring to raise the threat level for Android users, making it easier for attackers to convert legitimate applications into malicious apps and to undermine the technology that security experts use to tell the difference.
---------------------------------------------
https://krebsonsecurity.com/2013/07/toward-a-greater-mobile-mal-awareness/
*** Cisco ASA Input Validation Flaw in WebVPN Portal Login Page Permits Cross-Site Scripting Attacks ***
---------------------------------------------
Cisco ASA Input Validation Flaw in WebVPN Portal Login Page Permits Cross-Site Scripting Attacks
---------------------------------------------
http://www.securitytracker.com/id/1028831
*** nginx 1.3.9 / 1.4.0 x86 Brute Force Remote Exploit Description ***
---------------------------------------------
nginx 1.3.9 / 1.4.0 x86 Brute Force Remote Exploit
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070192
*** OWASP AppSec Research 2013: Conference and trainings in Hamburg ***
---------------------------------------------
From 20 to 23 August, the OWASP community invites you to trainings, workshops, talks and panel discussions in Hamburg.
---------------------------------------------
http://www.heise.de/security/meldung/OWASP-AppSec-Research-2013-Konferenz-u…
*** HP LoadRunner Denial of Service and Arbitrary Code Execution Vulnerabilities ***
---------------------------------------------
HP LoadRunner Denial of Service and Arbitrary Code Execution Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54138
*** Raid millions of bank accounts. New easy-to-use tool. Yours for $5,000 ***
---------------------------------------------
F... KINS hell! Cybercrooks have brewed a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/07/25/kins_bankin…
*** Hacking the SIM card: Why it matters to the enterprise ***
---------------------------------------------
It appears that the SIM card has finally been hacked, more than 20 years after it was first developed. More specifically, security researcher Karsten Nohl of Security Research Labs says he has found a serious vulnerability that allows mobile phones to be tricked into granting access to SMS functions and other capabilities--without the owner knowing.
---------------------------------------------
http://www.fiercecio.com/techwatch/story/hacking-sim-card-why-it-matters-en…
*** Dissecting a WordPress Brute Force Attack ***
---------------------------------------------
Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks we set out to find a way to find out.
---------------------------------------------
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.ht…
*** Warning about Orbit Downloader ***
---------------------------------------------
Immediately after starting, the download manager takes part in a cyber attack on Vietnamese IP addresses and thereby also paralyzes the local network.
---------------------------------------------
http://www.heise.de/security/meldung/Warnung-vor-Orbit-Downloader-1923667.h…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 23-07-2013 18:00 − Wednesday 24-07-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Vuln: Django User Account Enumeration Information Disclosure Vulnerability ***
---------------------------------------------
Django is prone to an information-disclosure vulnerability.
---------------------------------------------
http://www.securityfocus.com/bid/61385
*** KINS Banking Trojan a Successor to Citadel? ***
---------------------------------------------
A new strain of banking malware called KINS has been discovered for sale on a closed Russian underground forum.
---------------------------------------------
http://threatpost.com/kins-banking-trojan-a-successor-to-citadel/101440
*** Special issue ct Security: All-round protection against the surveillance mania ***
---------------------------------------------
With the special issue ct Security, the ct editorial team wants to make things as hard as possible for attackers: 170 pages of hands-on practice, guides and know-how, the live DVD with Desinfect, ct Bankix and ct Surfix, and a free JonDonym package provide the right tools.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Sonderheft-c-t-Security-Rundumschutz…
*** One-Stop Bot Chop-Shops ***
---------------------------------------------
New fraudster-friendly content management systems are making it more likely than ever that crooks who manage botnets and other large groupings of hacked PCs will extract and sell all credentials of value that can be harvested from the compromised machines.
---------------------------------------------
https://krebsonsecurity.com/2013/07/one-stop-bot-chop-shops/
*** Long-Range RFID Hacking Tool to be Released at Black Hat ***
---------------------------------------------
A tool that enables a hacker or penetration tester to capture RFID card data from up to three feet away will be released next week at Black Hat.
---------------------------------------------
http://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-…
*** Bugtraq: Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions! ***
---------------------------------------------
Cyberoam cautions all Orbit Downloader users, as the latest version of Orbit Downloader is turning computers and devices into SYN flooders. It is found that as...
---------------------------------------------
http://www.securityfocus.com/archive/1/527478
*** New Office 2010 and SharePoint 2010 Service Packs Roll Out ***
---------------------------------------------
jones_supa writes "While service packs are out of style for the Windows operating system, Microsoft has pushed out another service pack (SP2) for both Office 2010 and SharePoint 2010 products. According to the company, they provide key updates and fixes across servers, services and applications including security, stability, and performance enhancements and better compatibility with Windows 8, Internet Explorer 10, Office 2013, and SharePoint 2013. The updates are available through Windows
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/cGtgDc_6QO4/story01.htm
*** Ubuntu update for openjdk-6 ***
---------------------------------------------
Ubuntu has issued an update for openjdk-6. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to disclose certain sensitive information and manipulate certain data and by malicious people to conduct spoofing attacks,...
---------------------------------------------
https://secunia.com/advisories/54254
*** HowTo: Detecting Persistence Mechanisms ***
---------------------------------------------
This post is about actually detecting persistence mechanisms...not querying them, but detecting them. There's a difference between querying known persistence mechanisms and detecting previously unknown persistence mechanisms used by malware; the former we can do with tools such as AutoRuns and RegRipper, but the latter requires a bit more work.
---------------------------------------------
http://windowsir.blogspot.co.uk/2013/07/howto-detecting-persistence-mechani…
*** Linux kernel: panic while appending data to a corked IPv6 socket ***
---------------------------------------------
A Linux kernel built with IPv6 networking support is vulnerable to a crash while appending data to an IPv6 socket with the UDP_CORK option set. UDP_CORK enables accumulating data and sending it as a single datagram. An unprivileged user/program could use this flaw to crash the kernel, resulting in a local DoS.
---------------------------------------------
http://seclists.org/oss-sec/2013/q3/176
*** IBM WebSphere Multichannel Bank Transformation Toolkit Multiple Java Vulnerabilities ***
---------------------------------------------
IBM has acknowledged multiple vulnerabilities in IBM WebSphere Multichannel Bank Transformation Toolkit, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct...
---------------------------------------------
https://secunia.com/advisories/54288
*** TYPO3 CMS 4.5.28, 4.7.13, 6.0.7 and 6.1.2 released ***
---------------------------------------------
The TYPO3 Community announces the versions 4.5.28, 4.7.13, 6.0.7 and 6.1.2 of the TYPO3 Enterprise Content Management System.
---------------------------------------------
http://typo3.org/news/article/typo3-cms-4528-4713-607-and-612-released/
*** First malicious apps to exploit critical Android bug found in the wild ***
---------------------------------------------
Flaw allows attackers to surreptitiously inject malicious code in legit apps.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/a9xoVMvQpUI/story01…
*** Cisco Unified MeetingPlace Web Conferencing Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Cisco Unified MeetingPlace, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54281
*** Avaya Call Management System (CMS) Java Multiple Vulnerabilities ***
---------------------------------------------
Avaya has acknowledged multiple vulnerabilities in Avaya Call Management System (CMS), which can be exploited by malicious, local users to gain escalated privileges and by malicious people to manipulate certain data and cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54291
*** IBM Social Media Analytics Platform cross-site scripting ***
---------------------------------------------
IBM Social Media Analytics Platform is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker...
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/85253
*** Bugtraq: Cross-Site Scripting (XSS) in Duplicator WordPress Plugin ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered an XSS vulnerability in the Duplicator WordPress plugin, which can be exploited to perform cross-site scripting attacks against the vulnerable application.
---------------------------------------------
http://www.securityfocus.com/archive/1/527489
*** Royal Baby Spam Campaign Leads to Black Hole-Infected Site ***
---------------------------------------------
Everyone loves babies, especially magical royal ones who are destined to pull a sword from a stone. As it turns out, the baby admiring demographic also includes spammers, who are using the current frenzy over the birth of Prince William and Duchess Kate's baby boy to direct victims to a site serving the Black Hole...
---------------------------------------------
http://threatpost.com/royal-baby-spam-campaign-leads-to-black-hole-infected…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 22-07-2013 18:00 − Tuesday 23-07-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** QEMU Guest Agent Unquoted Search Path Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A vulnerability was reported in QEMU. A local user on the guest operating system can obtain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1028814
*** libvirt qemuAgentGetVCPUs() function privilege escalation ***
---------------------------------------------
libvirt could allow a local attacker to gain elevated privileges on the system, caused by a double-free error within the qemuAgentGetVCPUs() function in the qemu/qemu_agent.c file. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/85890
*** Cisco Aironet Memory Corruption Error Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Cisco Aironet. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1028818
*** Cisco Unified Operations Manager Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in Cisco Unified Operations Manager. A remote user can conduct cross-site scripting attacks.
---------------------------------------------
http://www.securitytracker.com/id/1028819
*** Hoster OVH hacked: "We weren't paranoid enough" ***
---------------------------------------------
The French hosting company OVH has registered an attack on its internal systems. Customers are urged to change their passwords. More than 400,000 people could be affected.
---------------------------------------------
http://www.heise.de/security/meldung/Hoster-OVH-gehackt-Wir-waren-nicht-par…
*** Symantec Encryption Management Server Email Attachments Script Insertion Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Symantec Encryption Management Server, which can be exploited by malicious users to conduct script insertion attacks.
---------------------------------------------
https://secunia.com/advisories/54214
*** [remote] - Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection ***
---------------------------------------------
This module exploits a code injection vulnerability in the 'create' action of the 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).
---------------------------------------------
http://www.exploit-db.com/exploits/27045
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 19-07-2013 18:00 − Monday 22-07-2013 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Hack exposes e-mail addresses, password data for 2 million Ubuntu Forum users ***
---------------------------------------------
Ubuntu maintainer Canonical exhorts users to change passwords immediately.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/_k7Kb5g3abo/story01…
*** Bugtraq: Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability ***
---------------------------------------------
References: http://vulnerability-lab.com/get_content.php?id=775
---------------------------------------------
http://www.securityfocus.com/archive/1/527423
*** Bugtraq: Barracuda LB, SVF, WAF & WEF - Multiple Vulnerabilities ***
---------------------------------------------
References: http://www.vulnerability-lab.com/get_content.php?id=727
---------------------------------------------
http://www.securityfocus.com/archive/1/527422
*** Danger from SIM card hack ***
---------------------------------------------
The ITU wants to alert mobile network providers worldwide to the danger posed by weak encryption technology in SIM cards. Attackers can use it to take over phones with manipulated SMS messages.
---------------------------------------------
http://www.heise.de/newsticker/meldung/ITU-warnt-vor-Gefahr-durch-SIM-Karte…
*** GPG4Win brings encryption to Outlook 2010 ***
---------------------------------------------
The new version also supports the 64-bit versions of Windows XP and Vista.
---------------------------------------------
http://derstandard.at/1373513307363
*** Compromised Sites Conceal StealRat Botnet Operations ***
---------------------------------------------
Advances in spam detection meant that spam operators had to find ways to circumvent new technologies. For instance, Asprox made significant improvements in their spam and module architecture whereas Pushdo made use of decoy network traffic. Recently, we have discovered a new simple method used by a spam botnet we named StealRat. It consists of [...] (Post from: Trendlabs Security Intelligence Blog, by Trend Micro)
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/0Z3mrtbjVD4/
*** Apple Developer Site Breach, (Mon, Jul 22nd) ***
---------------------------------------------
Apple closed access to its developer site after learning that it had been compromised and developers' personal information had been breached [1]. In the notice posted to the site, Apple explained that some developers' personal information like name, e-mail address and mailing address may have been accessed. The note does not mention passwords, or whether password hashes were accessed. One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=16210&rss
*** Apache HTTP Server mod_dav and mod_session_dbd Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in Apache HTTP Server, where one has an unknown impact and the other one can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/54241
*** IBM WebSphere Message Broker Java Multiple Vulnerabilities ***
---------------------------------------------
IBM has acknowledged multiple vulnerabilities in IBM WebSphere Message Broker, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54261
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 18-07-2013 18:00 − Friday 19-07-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** NanoSSH Denial Of Service ***
---------------------------------------------
Risk: Medium
Text: Hi, Various openssh 6.2p1 users including our administrators stumbled over this nice bug in the "nanossh server" during pre...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070142
*** Drupal MRBS 6.x / 7.x CSRF / SQL Injection ***
---------------------------------------------
Risk: Medium
Text: View online: https://drupal.org/node/2044173 * Advisory ID: DRUPAL-SA-CONTRIB-2013-058 * Project: MRBS [1] (third-party...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070143
*** Nginx 1.3.9 / 1.4.0 Buffer Overflow ***
---------------------------------------------
Risk: High
Text: # encoding: ASCII abort("#{$0} host port") if ARGV.length < 2 require ronin $count = 0 # rop address taken from nginx...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070151
*** Extortion: GVU Trojan locks Windows computers again ***
---------------------------------------------
New variants of the Trojan in circulation - tries to get victims to transfer 100 euros
---------------------------------------------
http://derstandard.at/1373513113284
*** IBM WebSphere Real Time Java Multiple Vulnerabilities ***
---------------------------------------------
IBM has acknowledged multiple vulnerabilities in IBM WebSphere Real Time, which can be exploited by malicious, local users to disclose certain sensitive information and manipulate certain data and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54257
*** JBoss RichFaces Resource Deserialisation Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in JBoss RichFaces, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54162
*** [2013-07-19] Multiple vulnerabilities in Sybase EAServer ***
---------------------------------------------
Sybase EAServer is vulnerable to Path Traversal and XML External Entity Injection attacks. By exploiting these vulnerabilities an unauthenticated attacker can retrieve administrative credentials from configuration files and run arbitrary OS commands using the WSH service.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2013…
*** HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely, resulting in local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain of privileges, disclosure of information, unauthorized access, or XSS.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Cisco IOS GET VPN Encryption Policy Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS could allow traffic to bypass the configured encryption policy.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013…
*** More Details on EXPIRO File Infectors ***
---------------------------------------------
We recently reported on an unusual attack involving exploit kits and file infectors. What makes the attack even more notable is that the file infectors used also have information theft routines, a behavior uncommon among file infectors. These file infectors are part of the PE_EXPIRO family, which was first spotted in 2010. It's possible that [...] (Post from: Trendlabs Security Intelligence Blog, by Trend Micro)
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/_wieFR4INGs/
*** [SE-2012-01] New Reflection API affected by a known 10+ years old attack ***
---------------------------------------------
A new vulnerability (Issue 69) that was submitted to Oracle today makes it possible to implement a very classic attack against the Java VM. What's particularly interesting is that the attack itself has been in the public knowledge for at least 10+ years...
---------------------------------------------
http://seclists.org/fulldisclosure/2013/Jul/172
*** Tiki Wiki CMS/Groupware Multiple Vulnerabilities ***
---------------------------------------------
A weakness and two vulnerabilities have been discovered in Tiki Wiki CMS/Groupware, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to disclose certain system information and conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54149
*** Bugtraq: Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials ***
---------------------------------------------
Due to an unspecified bug in the WD My Net N600, N750, N900 and N900C routers, administrative credentials are stored in plain text and are easily accessible from a remote location on the WAN side of the router.
---------------------------------------------
http://www.securityfocus.com/archive/1/527370
*** DDoS attacks are getting bigger, stronger and longer ***
---------------------------------------------
Prolexic Technologies announced that the average packet-per-second (pps) rate reached 47.4 Mpps and the average bandwidth reached 49.24 Gbps, based on data collected in Q2 2013 from DDoS attacks launched against its global client base. These metrics represent increases of 1,655 percent and 925 percent, respectively, compared to Q2 2012.
---------------------------------------------
https://www.net-security.org/secworld.php?id=15243
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 17-07-2013 18:00 − Thursday 18-07-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Multiple Vulnerabilities in Cisco Unified Communications Manager ***
---------------------------------------------
Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco Intrusion Prevention System Software ***
---------------------------------------------
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** On "FBI" "Ransomware" and Macs ***
---------------------------------------------
On Monday, Malwarebytes researcher Jerome Segura posted a nice write-up (and video) about FBI-themed ransom scams targeting users of Apple Mac OS X. The basics are as such:
• Segura discovered the scam via a Bing Images search for Taylor Swift.
• A compromised site hosting the image linked to a webpage mimicking police ransomware.
• Only it isn't really "ware" in the normal sense of a ransomware trojan.
• The scam uses clever persistent JavaScript in its attempt to...
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002577.html
*** New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild ***
---------------------------------------------
By Dancho Danchev. Thanks to the fact that users not only continue to use weak passwords, but also re-use them across multiple Web properties, brute-forcing continues to be an effective tactic in the arsenal of every cybercriminal. With more malicious underground market releases continuing to utilize this technique in an attempt to empower potential cybercriminals with […]
---------------------------------------------
http://blog.webroot.com/2013/07/17/new-commercially-available-web-based-wor…
*** ePhoto Transfer v1.2.1 iOS Multiple Web Vulnerabilities ***
---------------------------------------------
Risk: Medium
Text: Title: ePhoto Transfer v1.2.1 iOS - Multiple Web Vulnerabilities Date: == 2013-07-17 References: == http...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070132
*** Flux Player v3.1.0 iOS File Include & Arbitrary File Upload Vulnerability ***
---------------------------------------------
Risk: High
Text: Title: Flux Player v3.1.0 iOS - File Include & Arbitrary File Upload Vulnerability Date: == 2013-07-16 Refere...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013070136
*** HPSBST02896 rev.2 - HP StoreVirtual Storage, Remote Unauthorized Access ***
---------------------------------------------
A potential security vulnerability has been identified with the HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** BlackBerry snoops on mail login ***
---------------------------------------------
Anyone who has configured their mail account on a current BlackBerry had better change their password: the manufacturer also knows the credentials entered there.
---------------------------------------------
http://www.heise.de/security/meldung/BlackBerry-spaeht-Mail-Login-aus-19197…
*** Autodesk Multiple Products DWG Processing Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple Autodesk products, which can be exploited by malicious people to compromise a user's system.
---------------------------------------------
https://secunia.com/advisories/54198
*** Hackers crippled OVER HALF of world's financial exchanges - report ***
---------------------------------------------
Repeated assaults leave bankers in quivering heaps. Half of all the world's critical financial exchanges have suffered cyber attacks in the past year, a report has found...
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/07/18/half_of_all…
*** IBM API Management Security Bulletin: security vulnerability in IBM API Management V2.0 ***
---------------------------------------------
There is an unspecified security vulnerability in IBM API Management which may allow an unauthorized user to gain access to the system.
---------------------------------------------
https://www-304.ibm.com/support/docview.wss?uid=swg21643847
*** RuggedCom Rugged Operating System Multiple Vulnerabilities ***
---------------------------------------------
RuggedCom has acknowledged multiple vulnerabilities in Rugged Operating System, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54223
*** Joomla! Googlemaps Plugin "url" Cross-Site Scripting Vulnerability ***
---------------------------------------------
MustLive has discovered a vulnerability in the Googlemaps plugin for Joomla!, which can be exploited by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/54055
*** Drupal Hostmaster (Aegir) Module Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in the Hostmaster (Aegir) module for Drupal, which can be exploited by malicious users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54136
*** Cisco 9900 Series Phone Arbitrary File Download Vulnerability ***
---------------------------------------------
A vulnerability in the Serviceability servlet of fourth-generation Cisco IP phones could allow an unauthenticated, remote attacker to download arbitrary files from the phone's file system.
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=30110
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 16-07-2013 18:00 − Wednesday 17-07-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Critical Patch Update - July 2013 ***
---------------------------------------------
This Critical Patch Update contains 89 new security fixes across the product families listed below.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
*** Vulnerabilities in Drupal Modules/Themes ***
---------------------------------------------
Drupal TinyBox Module Cross Site Scripting Vulnerability
Drupal Hatch Theme Cross Site Scripting Vulnerability
Drupal Stage File Proxy Module Denial Of Service Vulnerability
---------------------------------------------
http://www.securityfocus.com/bid/61078
http://www.securityfocus.com/bid/61079
http://www.securityfocus.com/bid/61080
*** Build-your-own Android Trojan ***
---------------------------------------------
The open-source Trojan AndroRAT spies on SMS messages, can take photos with the smartphone camera and can even turn the phone into a listening device. With the help of an additional tool, cyber crooks can use it to trojanize arbitrary apps.
---------------------------------------------
http://www.heise.de/security/meldung/Android-Trojaner-zum-Selberbauen-19192…
*** Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Identity Services Engine, which can be exploited by malicious people to conduct cross-site request forgery attacks.
---------------------------------------------
https://secunia.com/advisories/54182
*** IBM Java Multiple Vulnerabilities ***
---------------------------------------------
IBM has acknowledged multiple vulnerabilities in IBM Java, which can be exploited by malicious, local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/54154
*** Vuln: Linux Kernel CVE-2013-4125 Remote Denial of Service Vulnerability ***
---------------------------------------------
The Linux kernel is prone to a remote denial-of-service vulnerability.
---------------------------------------------
http://www.securityfocus.com/bid/61166
*** Atlassian Bamboo Web Interface OGNL Code Injection Vulnerabilities ***
---------------------------------------------
Atlassian has acknowledged a vulnerability in Atlassian Bamboo, which can be exploited by malicious people to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54189
*** Oracle Solaris Two Vulnerabilities ***
---------------------------------------------
Oracle has acknowledged two vulnerabilities in multiple packages included in Oracle Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to compromise an application using the library.
---------------------------------------------
https://secunia.com/advisories/54202
*** Bugtraq: ESA-2013-055: EMC Avamar Multiple Vulnerabilities ***
---------------------------------------------
EMC Avamar Server 7.0 contains fixes for multiple security vulnerabilities that could be exploited by malicious users.
---------------------------------------------
http://www.securityfocus.com/archive/1/527322
*** A look at Point of Sale RAM scraper malware and how it works ***
---------------------------------------------
A special kind of malware has been hitting the headlines recently - that which attacks the RAM of Point of Sale (PoS) systems.
---------------------------------------------
http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scra…
*** Apache Struts DefaultActionMapper Redirection and OGNL Security Bypass Vulnerabilities ***
---------------------------------------------
Two weaknesses and multiple vulnerabilities have been reported in Apache Struts, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54118