=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 28-11-2013 18:00 − Friday 29-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Stealing Credit Cards - A WordPress and vBulletin Hack ***
---------------------------------------------
What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there - vBulletin and WordPress. Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy! The Environment The client runs...
---------------------------------------------
http://blog.sucuri.net/2013/11/stealing-credit-cards-a-wordpress-and-vbulle…
*** JPEG Files Used For Targeted Attack Malware ***
---------------------------------------------
We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l94pQWbJ28g/
*** Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-6718) ***
---------------------------------------------
An interface on the IBM BladeCenter Advanced Management Module (AMM) may expose user account names and passwords that have been configured on that AMM.
CVE(s): CVE-2013-6718
Affected product(s) and affected version(s): These IBM BladeCenter Advanced Management Module Firmware versions are affected: v3.64B (BPET64B, BBET64B, and BPEO64B), v3.64C (BPET64C, BBET64C, and BPEO64C), v3.64G (BPET64G, BBET64G, and BPEO64G). This applies to the following hardware products: BladeCenter
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** Google Android com.android.settings Lets Local Applications Remove Device Locks ***
---------------------------------------------
http://www.securitytracker.com/id/1029410
*** Cisco IOS XR SNMP Memory Leak Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029408
*** Cisco IOS XE MPLS Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029407
*** Joomla! All Video Share Component "avssearch" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55888
*** FFmpeg Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55802
*** WordPress Highlight - Powerful Premium Theme Arbitrary File Upload Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55671
*** WordPress Store Locator Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55276
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 27-11-2013 18:00 − Thursday 28-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware ***
---------------------------------------------
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned 'casual social engineering' campaigns.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-b…
*** Sharik Back for More After Php.Net Compromise ***
---------------------------------------------
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victim's PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
---------------------------------------------
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html
*** ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th) ***
---------------------------------------------
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch port are "mirrored" to another switch port.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17111
*** Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0 ***
---------------------------------------------
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/advisory/2914486
*** THOUSANDS of Ruby on Rails sites leave logins lying around ***
---------------------------------------------
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins…
*** FakeAV + Ransomware = Windows Expert Console ***
---------------------------------------------
During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn't mean that our good 'old friends' known as FakeAV aren't around.
---------------------------------------------
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/
*** Linux Worm Targeting Hidden Devices ***
---------------------------------------------
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
---------------------------------------------
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
*** You have a Skype voicemail. PSYCHE! It's just some fiendish Trojan-flinging spam ***
---------------------------------------------
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_z…
*** Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats ***
---------------------------------------------
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecur…
*** Quassel IRC Backlog Access Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55640
*** DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
*** HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029400
*** Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029402
*** Yahoo Open Redirect Vulnerability or "Designing vulnerabilities" ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110200
*** ownCloud Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55792
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 26-11-2013 18:00 − Wednesday 27-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** The Season For Danger: Holiday Season Spam And Phishing ***
---------------------------------------------
For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light - they see it as a prime opportunity to steal. Take, for example, online shopping. Malicious websites try to trick online shoppers into giving them their money instead of the legitimate shopping websites.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-season-for-d…
*** InMobi: Another Vulnaggressive Adware Opens Billions of JavaScript 'Sidedoors' on Android Devices ***
---------------------------------------------
FireEye mobile security researchers identified another new mobile threat, which we call 'JavaScript Sidedoors', which we discovered in the popular InMobi ad library. InMobi exposes dangerous behaviors such as making phone calls without user consent through JavaScript interfaces, which creates a 'sidedoor' for attackers to exploit by injecting malicious JavaScript through hijacking InMobi's HTTP traffic. ...
---------------------------------------------
http://www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-anothe…
*** Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites ***
---------------------------------------------
Websites using an older version of Ruby on Rails, including Kickstarter and UrbanSpoon, remain vulnerable to a vulnerability in the framework's cookie storage mechanism.
---------------------------------------------
http://threatpost.com/ruby-on-rails-cookiestore-vulnerability-plagues-promi…
*** An Anti-Fraud Service for Fraudsters ***
---------------------------------------------
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers.
---------------------------------------------
http://krebsonsecurity.com/2013/11/anti-fraud-service-for-fraudsters/
*** Security and policy surrounding bring your own devices (BYOD) ***
---------------------------------------------
As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2013/11/26/security-and-policy-surr…
*** Our protection metrics - October results ***
---------------------------------------------
Last month we introduced our monthly protection metrics and talked about our September results. Today, we'd like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics - September results. During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/26/our-protection-metrics-o…
*** White hat Wi-Fi hacking shows vulnerability of business data ***
---------------------------------------------
White hat hackers have shown that usernames, passwords, contact lists, details of e-commerce accounts and banking details can be sniffed easily from public Wi-Fi hotspots.
---------------------------------------------
http://www.computerweekly.com/news/2240209927/White-hat-Wi-Fi-hacking-shows…
*** Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 ***
---------------------------------------------
FireEye's Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, posted 10 NOV 2013, is specific to an attack that "loaded the payload directly into memory without first writing to disk." As such, this "will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
---------------------------------------------
http://holisticinfosec.blogspot.co.uk/2013/11/volatility-23-and-fireeyes-di…
*** Malware creation hits record-high numbers In 2013, according to PandaLabs Q3 Report ***
---------------------------------------------
Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q3 2013, drawn up by PandaLabs, the company's anti-malware laboratory. One of the main conclusions that can be drawn from this global study is that malware creation has hit a new record high, with nearly 10 million new strains identified so far this year.
---------------------------------------------
http://press.pandasecurity.com/news/malware-creation-hits-record-high-numbe…
*** Security Headers on the Top 1,000,000 Websites: November 2013 Report ***
---------------------------------------------
It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS.
---------------------------------------------
https://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-w…
*** Finding Cryptolocker Encrypted Files using the NTFS Master File Table ***
---------------------------------------------
For the most part, everyone seems to be familiar with the new variants of Cryptolocker making the rounds these days. To quickly summarize, this form of ransomware encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys.
---------------------------------------------
http://securitybraindump.blogspot.ru/2013/11/finding-cryptolocker-encrypted…
*** Rogue that takes webcam pictures of you ***
---------------------------------------------
Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to its scam. We gathered a sample and sure enough, given some time it will indeed use the webcam and take a picture of what's in front of the camera at that time. This variant is called "Antivirus Security Pro" and it's as nasty as you can get.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/new-rogue-now-takes-screenshots/
*** Vuln: Drupal Core Image Module HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63848
*** Xen Privileged Ring Access Flaw Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1029396
*** Debian Security Advisory DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804
*** Debian Security Advisory DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 25-11-2013 18:00 − Tuesday 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Mysterious Hijackings on the Internet ***
---------------------------------------------
Intelligence agencies do not even have to tap the cable directly. The network services provider Renesys reports a marked increase in strange routing incidents in which network traffic is redirected via other countries, sometimes even other continents.
---------------------------------------------
http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet…
*** The Need for Incident Response ***
---------------------------------------------
On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database. Website hacks are increasing the volume of targeted attacks today.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-respons…
*** Fake tech support scam is trouble for legitimate remote help company ***
---------------------------------------------
Fraud victims mistake legitimate tech company for fraudsters.
---------------------------------------------
http://arstechnica.com/information-technology/2013/11/fake-tech-support-sca…
*** VBScript Malware SOYSOS Deletes CAD Files ***
---------------------------------------------
Cybercriminals can do just as much damage deleting users' data as stealing it because file deletion can result in either data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two - demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware…
*** Surge in "BlackShades" infections exposes machines worldwide to RAT ***
---------------------------------------------
Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.
---------------------------------------------
http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-…
*** A Look At A Silverlight Exploit ***
---------------------------------------------
Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to their list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, is used in order to bypass ASLR.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silv…
*** [Honeypot Alert] More PHP-CGI Scanning (apache-magika.c) ***
---------------------------------------------
In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823, which is a vulnerability within PHP-CGI.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apa…
*** New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction ***
---------------------------------------------
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
---------------------------------------------
http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin…
*** The internet mystery that has the world baffled ***
---------------------------------------------
For the past two years, a mysterious online organisation has been setting the world's finest code-breakers a series of seemingly unsolvable problems. But to what end? Welcome to the world of Cicada 3301.
---------------------------------------------
http://www.telegraph.co.uk/technology/internet/10468112/The-internet-myster…
*** The Stuxnet Duo: Malicious Siblings ***
---------------------------------------------
After three years of analysis, the German expert Ralph Langner has presented a concluding paper on Stuxnet. According to it, the cyber weapon consists of two pieces of malware, of which only the second became really well known - unjustly, in Langner's view.
---------------------------------------------
http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister…
*** Analysis: Online banking faces a new threat ***
---------------------------------------------
Neverquest supports just about every possible trick on online bank attacks. In light of Neverquest's self-replication capabilities, the number of users attacked could increase over a short period of time.
---------------------------------------------
http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_…
*** Catching Up Needed on IT Security: EU Parliamentarians Fell into Hotspot Trap ***
---------------------------------------------
All EU parliamentarians should now urgently change their passwords, an e-mail from the IT department demands. It confirms that access passwords were spied out through attacks on the unsecured parliament Wi-Fi.
---------------------------------------------
http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Par…
*** How To Combat Online Surveillance ***
---------------------------------------------
Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They're limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.
---------------------------------------------
http://theoccupiedtimes.org/?p=12362
*** Why Crimekit Atrax will attract attention ***
---------------------------------------------
CSIS researchers have observed an introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax' and is both a cheap kit - costs less than $250 for the main platform - as well as it utilizes the TOR protocol for stealthy communication with C&Cs from where it is intended to get instructions, updates and new modules.
---------------------------------------------
https://www.csis.dk/en/csis/blog/4103
*** Blackhole and Cool Exploit Kits Nearly Extinct ***
---------------------------------------------
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
---------------------------------------------
http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034
*** IBM WebSphere Application Server Java Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55870
*** WordPress Contact Form 7 3.5.2 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110177
*** WordPress Pinboard Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110175
*** TPLINK WR740N / WR740ND Cross Site Request Forgery ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110181
*** NETGEAR ReadyNAS Perl Code Evaluation ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110179
*** Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63475
*** Bugtraq: Open-Xchange Security Advisory 2013-11-25 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530008
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-11-2013 18:00 − Monday 25-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** Second Look at Stuxnet Reveals Older Dangerous Variant ***
---------------------------------------------
ICS expert Ralph Langner has thrown back the covers on Stuxnet revealing a two-pronged attack intent not only on disrupting Iran's nuclear capabilities, but flexing the attackers' muscle in building weaponized malware.
---------------------------------------------
http://threatpost.com/second-look-at-stuxnet-reveals-older-dangerous-varian…
*** Google fixes flaw in Gmail password reset process ***
---------------------------------------------
According to the researcher who discovered the bug, Google swiftly addressed the security issue, which could leave users' passwords vulnerable to theft.
---------------------------------------------
http://www.scmagazine.com/google-fixes-flaw-in-gmail-password-reset-process…
*** Five Years Old And Still On The Run: DOWNAD ***
---------------------------------------------
Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused. Remarkably, after all that time, it's still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine - a factor that may explain its high rate of infection to this day.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/five-years-old-a…
*** Another Fake WordPress Plugin - And Yet Another SPAM Infection! ***
---------------------------------------------
We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat "routine". If you follow our blog, you often hear us say we've seen "this" numerous times, we've cleaned "that" numerous times.
---------------------------------------------
http://blog.sucuri.net/2013/11/another-fake-wordpress-plugin-and-yet-anothe…
*** Top Security Predictions for 2014 ***
---------------------------------------------
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks.
---------------------------------------------
http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-…
*** Port 0 DDOS, (Fri, Nov 22nd) ***
---------------------------------------------
Following on the stories of amplification DDOS attacks using Chargen, and stories of "booters" via Brian Krebs, I am watching with interest the increase in port 0 amplification DDOS attacks.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17081
*** Spam-Friendly Registrar 'Dynamic Dolphin' Shuttered ***
---------------------------------------------
The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.
---------------------------------------------
http://krebsonsecurity.com/2013/11/spam-friendly-registrar-dynamic-dolphin-…
*** LG smart TV snooping extends to home networks, second blogger says ***
---------------------------------------------
A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company in a post that offers support for the theory that the snooping isn't isolated behavior that affects a small number of sets.
---------------------------------------------
http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-hom…
*** CryptoLocker gang teams with botnet-builders on ransomware ***
---------------------------------------------
The cyber-gang running the CryptoLocker extortion racket is sharing a big cut of any payments they squeeze out of their victims with criminal botnet owners working closely with them, says Symantec, which has been monitoring this underworld activity online.
---------------------------------------------
http://www.pcworld.com/article/2066741/cryptolocker-gang-teams-with-botnet-…
*** DSA-2802 nginx ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2802
*** DSA-2801 libhttp-body-perl ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2801
*** [webapps] - TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities ***
---------------------------------------------
http://www.exploit-db.com/exploits/29802
*** ImpressPages CMS 3.8 Stored XSS Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110168
*** Pirelli Discus DRG A125g Remote Change SSID Value Vulnerability ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110167
*** Google Gmail IOS Mobile Application - Persistent / Stored XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110170
*** Ruby Heap Overflow in Floating Point Parsing Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029388
*** Drupal Core Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029386
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-11-2013 18:00 − Friday 22-11-2013 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
*** DNP3 Implementation Vulnerability (Update A) ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk reported an improper input validation vulnerability to NCCIC/ICS-CERT that was evident in numerous slave and/or master station software products. The researchers emphasize that the vulnerability is not with the DNP3 stack but with the
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01A
*** Facebook Vulnerability Discloses Friends Lists Defined as Private ***
---------------------------------------------
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110157
*** Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability ***
---------------------------------------------
Topic: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability
Risk: High
Text: Imperva use hardened centos 5.4 to run Web Application Firewall and Database Activity Monitoring product. It could be expl...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110158
*** Instagram for iOS Flattr account security bypass ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to bypass security restrictions, caused by an implementation error when Instagram for iOS and Flattr are linked. An attacker could exploit this vulnerability by flattring the photos, causing the money from the user's account to be redirected.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89162
*** Instagram for iOS upload module file upload ***
---------------------------------------------
Instagram for iOS could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89160
*** prettyPhoto Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input appended to the URL after /#!prettyPhoto/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 3.1.4. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55769
*** Security Bulletin: IBM iNotes Cross-Site Scripting Vulnerability (CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions 8.5.3 and 9.0 contain a cross-site scripting vulnerability. The fix for this issue is available starting in IBM Domino versions 8.5.3 Fix Pack 5 and 9.0.1.
CVE(s): CVE-2013-0595
Affected product(s) and affected version(s): IBM iNotes 9.0; IBM iNotes 8.5.3 through 8.5.3 Fix Pack 4
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** VU#893462: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability ***
---------------------------------------------
Overview: Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
Description: CWE-94: Improper Control of Generation of Code (Code Injection)
---------------------------------------------
http://www.kb.cert.org/vuls/id/893462
*** Dovecot checkpassword-reply Security Bypass Security Issue ***
---------------------------------------------
A security issue has been reported in Dovecot, which can be exploited by malicious, local users to bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/54808
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-11-2013 18:00 − Thursday 21-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** EFF Scorecard Shows Crypto Leaders and Laggards ***
---------------------------------------------
The Electronic Frontier Foundation (EFF) released its Encrypt the Web Report demonstrating how much encryption leading Internet companies and service providers are deploying.
---------------------------------------------
http://threatpost.com/eff-scorecard-shows-crypto-leaders-and-laggards/102987
*** Tomcat worm jumps from server to server ***
---------------------------------------------
Symantec has discovered a worm that infects Apache's Java web server and jumps from server to server as a Java servlet. Infected machines are abused as DDoS cannons and proxies.
---------------------------------------------
http://www.heise.de/security/meldung/Tomcat-Wurm-springt-von-Server-zu-Serv…
*** Are large scale Man in The Middle attacks underway?, (Thu, Nov 21st) ***
---------------------------------------------
Renesys is reporting two separate incidents where they observed traffic for 1500 IP blocks being diverted for extended periods of time. They observed the traffic redirection for more than 2 months over the last year. Does it seem unusual for internet traffic between Ashburn Virginia (63.218.44.78) and Washington DC (63.234.113.110) to go through Russia to Belarus? That is exactly what they observed. Once traffic flows through your routers there are countless opportunities to capture and modify...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17075&rss
*** A look at security effectiveness by industry ***
---------------------------------------------
BitSight analyzed security ratings for over 70 Fortune 200 companies in four industries - energy, finance, retail and technology. The objective was to uncover quantifiable differences in security effectiveness and performance across industries from October 2012 through September 2013.
---------------------------------------------
http://www.net-security.org/secworld.php?id=15991
*** 5 Considerations For Post-Breach Security Analytics ***
---------------------------------------------
Preparing collection mechanisms ahead of time, preserving chain of custody on forensics data, and performing focused analysis all key in inspecting security data after a compromise
---------------------------------------------
http://www.darkreading.com/5-considerations-for-post-breach-securit/2401641…
*** EMC Document Sciences xPression cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89073
*** SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7): Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any...
---------------------------------------------
https://drupal.org/SA-CORE-2013-003
*** SA-CONTRIB-2013-096 - Entity reference - Access bypass ***
*** SA-CONTRIB-2013-095 - Organic Groups - Access bypass ***
*** SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS) ***
*** SA-CONTRIB-2013-093 - Invitation - Access Bypass ***
---------------------------------------------
https://drupal.org/node/2140237
https://drupal.org/node/2140217
https://drupal.org/node/2140123
https://drupal.org/node/2140097
*** Vuln: SAP NetWeaver SHSTI_UPLOAD_XML() Function XML External Entity Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63779
*** Vuln: SAP NetWeaver Logviewer Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/58615
*** Vuln: SAP NetWeaver SAP Portal URI Redirection Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/63783
*** Vuln: SAProuter NI Route Message Handling Heap Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/60054
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2013-0478, CVE-2013-0477) ***
---------------------------------------------
IBM InfoSphere Master Data Management - Collaborative Edition versions 10.1, 10.0 and IBM InfoSphere Master Data Management Server for Product Information Management versions 9.1, 9.0, 6.0 are vulnerable to cross-site scripting and content spoofing. CVE(s): CVE-2013-0477, and CVE-2013-0478 Affected product(s) and affected version(s): IBM InfoSphere Master Data Management - Collaborative Edition Versions 10.1 and 10.0 IBM InfoSphere Master Data Management Server for Product Information...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution ***
---------------------------------------------
Title: SKIDATA RFID Freemotion.Gate Unauthenticated Web Service Arbitrary Remote Command Execution
Product: Freemotion.Gate
Vendor: SKIDATA, http://www.skidata.com/en/
Vulnerable Versions: 4.1.3.5 and likely all prior versions.
---------------------------------------------
http://www.keepingkidsonshred.com/2013/11/skidata-rfid-freemotiongate.html
*** Splunk Cross-Site Scripting Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55774
*** WHMCS "unserialize()" PHP Code Execution and Multiple Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55717
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-11-2013 18:00 − Wednesday 20-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
*** New variant of Android ransomware "Fake Defender" surfaces ***
---------------------------------------------
Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.
---------------------------------------------
http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-s…
*** Google Extends Scope of External Bug Bounty ***
---------------------------------------------
Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.
---------------------------------------------
http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962
*** TrustKeeper Scan Engine Update - November 14, 2013 ***
---------------------------------------------
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka: AnyConnect).
---------------------------------------------
http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-…
*** VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory ***
---------------------------------------------
Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
The vulnerability requires using a relative path, although there is no directory traversal vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/295276
*** Understanding Google's Blacklist Cleaning Your Hacked Website and Removing From Blacklist ***
---------------------------------------------
Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to...
---------------------------------------------
http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-you…
*** Searching live memory on a running machine with winpmem, (Wed, Nov 20th) ***
---------------------------------------------
Winpmem may appear to be a simple memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it has the ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps you can search for memory on a running system.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17063
*** Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability ***
---------------------------------------------
Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft's Silverlight framework.
---------------------------------------------
http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverli…
*** Mobile threats in October 2013 ***
---------------------------------------------
In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android. An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.
---------------------------------------------
http://news.drweb.com/show/?i=4061&lng=en&c=9
*** Repeated attacks hijack huge chunks of Internet traffic, researchers warn ***
---------------------------------------------
Man-in-the-middle attacks divert data on scale never before seen in the wild.
---------------------------------------------
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks…
*** US police department pays $750 Cryptolocker Trojan ransom demand ***
---------------------------------------------
A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.
---------------------------------------------
http://news.techworld.com/security/3489937/us-police-department-pays-750-cr…
*** Backup the best defense against (Cri)locked files ***
---------------------------------------------
Crilock - also known as CryptoLocker - is one notorious ransomware that's been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-…
*** JBoss Attacks Up Since Exploit Code Disclosure ***
---------------------------------------------
Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.
---------------------------------------------
http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971
*** [webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/29709
*** nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029363
*** PayPal Billsafe Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110142
*** EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110139
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-11-2013 18:00 − Tuesday 19-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Am I Sending Traffic to a "Sinkhole"?, (Mon, Nov 18th) ***
---------------------------------------------
It has become common practice to set up "Sinkholes" to capture traffic sent by infected hosts to command and control servers. These Sinkholes are usually established after a malicious domain name has been discovered and registrars agreed to redirect respective NS records to a specific name server configured by the entity operating the Sinkhole. More recently for example Microsoft gained court orders to take over...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17048
*** Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA ***
---------------------------------------------
Google announced today it has completed upgrading all of its SSL certificates to 2048-bit RSA or better, up from 1024.
---------------------------------------------
http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2…
*** Facebook URL redirection vulnerability patched ***
---------------------------------------------
A Facebook URL redirection vulnerability discovered last week was patched just a day after a blog post detailing the bug went live.
---------------------------------------------
http://www.scmagazine.com//facebook-url-redirection-vulnerability-patched/a…
*** Winpmem - Mild mannered memory acquisition tool??, (Tue, Nov 19th) ***
---------------------------------------------
There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17054&rss
*** Old JBoss vuln in the wild, needs patching ***
---------------------------------------------
Remote code execution, the usual thing. JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_v…
*** Cybercriminals spamvertise tens of thousands of fake "Sent from my iPhone" themed emails, expose users to malware ***
---------------------------------------------
Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that's been "Sent from an iPhone". The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we've been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised...
---------------------------------------------
http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thou…
*** A .BIT Odd ***
---------------------------------------------
Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rFeNuxSPHUg/
*** Vuln: Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63715
*** Vuln: Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63712
*** Opera Unspecified Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55720
*** Network Security Services (NSS) Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55557
*** Vuln: MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63770
*** Elastix Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55739
*** Splunk Test Scripts Let Remote Authenticated Users Execute Arbitrary Shell Scripts on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1029316
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-11-2013 18:00 − Monday 18-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks ***
---------------------------------------------
Hacks on sites using the widely used forum software spread to its maker.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/FIA9t0-8N04/story01…
*** BKDR_SHIZ Responsible For SAP Attacks, And More ***
---------------------------------------------
There have been recent reports of malware that targeted SAP users for information theft. We detect this threat as BKDR_SHIZ.TO, and it belongs to a malware family that has been detected since 2010. So far, this particular family has received little attention, but its targeting of SAP applications has raised its profile considerably. So what...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/O578f6Dl3Js/
*** Exploiting the Supermicro Onboard IPMI Controller ***
---------------------------------------------
Last week @hdmoore published the details about several vulnerabilities in the Supermicro IPMI firmware. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploitin…
*** Explaining and Speculating About QUANTUM ***
---------------------------------------------
Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/explaining_and.html
*** Various Schneier Audio and Video Talks and Interviews ***
---------------------------------------------
News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....
---------------------------------------------
https://www.schneier.com/blog/archives/2013/11/various_schneie.html
*** Sagan as a Log Normalizer, (Sat, Nov 16th) ***
---------------------------------------------
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc)."[1] Sagan is a log analysis engine that uses structure rules with the same basic structure as Snort rules. The alerts can be written to a Snort IDS/IPS database in the Unified2 file format using Barnyard2. This means the alerts can be read using Sguil, BASE or SQueRT to name a few. It is easy to set up, just need to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17039&rss
*** SpiderLabs Radio November 15, 2013 w/ Space Rogue ***
---------------------------------------------
This week's episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about Stuxnet on ISS, Facebook scans for Adobe, MacRumours, SEA hits Vice, bitcash.cz, Cracked gets cracked, Loyaltybuild, No Nukes in JP, OWASP AppSec USA, SRs Last SLR and more! Listen to SpiderLabs radio in iTunes. Or you can download the MP3 file directly here. Or listen right from your browser with this embedded player.
---------------------------------------------
http://blog.spiderlabs.com/2013/11/spiderlabs-radio-november-15-2013-w-spac…
*** Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool ***
---------------------------------------------
Telephony Denial of Service Attacks (TDoS) continue representing a growing market segment within the Russian/Eastern European underground market, with more vendors populating it with propositions for products and services aiming to disrupt the phone communications of prospective victims. From purely malicious in-house infrastructure - dozens of USB hubs with 3G USB modems using fraudulently obtained, non-attributable SIM cards - abuse of legitimate infrastructure, like Skype, ICQ, a...
---------------------------------------------
http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-release…
*** Bugtraq: Cross-Site Scripting (XSS) in Tweet Blender Wordpress Plugin ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529853
*** Vuln: GnuTLS libdane/dane.c CVE-2013-4487 Incomplete Fix Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63469
*** MS13-095 - Important : Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) - Version: 1.0 ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.
---------------------------------------------
http://technet.microsoft.com/en-gb/security/bulletin/ms13-095
*** SAP Netweaver Web Application Server J2EE SAP Portal Redirection Weakness ***
*** SAP Netweaver DataCollector and JavaDumpService Servlets Multiple Cross-Site Scripting Vulnerabilities ***
*** SAP NetWeaver Input Validation Flaw in SRTT_GET_COUNT_BEFORE_KEY_RFC Function Lets Remote Authenticated Users Inject SQL Commands ***
---------------------------------------------
https://secunia.com/advisories/55778
https://secunia.com/advisories/55777
http://www.securitytracker.com/id/1029352
*** gitlab-shell Multiple Vulnerabilities ***
*** GitLab API Access Security Bypass Security Issue ***
---------------------------------------------
https://secunia.com/advisories/55683
https://secunia.com/advisories/55691
*** IBM Tivoli System Automation Application Manager Java Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55794
*** Foreman Host and Host Group SQL Injection Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55722
*** [webapps] - ManageEngine DesktopCentral 8.0.0 build 80293 - Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29674