Daily May 2013

daily@lists.cert.at

1 participants
19 discussions

Tageszusammenfassung - Freitag 31-05-2013
by Daily end-of-shift report 31 May '13

31 May '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 29-05-2013 18:00 − Freitag 31-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Otmar Lendl *** Carna Botnet Analysis Renders Scary Numbers on Vulnerable Devices *** --------------------------------------------- An analysis of the data rendered by the Carna botnet reveals a shocking number of vulnerable devices reachable online with default credentials. --------------------------------------------- http://threatpost.com/carna-botnet-analysis-renders-scary-numbers-on-vulner… *** PayPal-Schwachstelle endlich geschlossen *** --------------------------------------------- Fast zwei Wochen hat sich der Zahungsabwickler mit dem Schließen einer kritischen Lücke Zeit gelassen. Fünf Tage davon waren die PayPal-Nutzer einem hohen Angriffsrisiko ausgesetzt. --------------------------------------------- http://www.heise.de/newsticker/meldung/PayPal-Schwachstelle-endlich-geschlo… *** Zavio IP Cameras multiple vulnerabilities *** --------------------------------------------- Zavio IP Cameras default account Zavio IP Cameras command execution --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84568 http://xforce.iss.net/xforce/xfdb/84569 *** Debian Security Advisory DSA-2697 gnutls26 *** --------------------------------------------- out-of-bounds array read --------------------------------------------- http://www.debian.org/security/2013/dsa-2697 *** Apache-Server durch Log-Files angreifbar *** --------------------------------------------- In Apache klafft ein Sicherheitsloch, durch das Angreifer Befehle im Log platzieren können, die ausgeführt werden, sobald der Admin die Datei öffnet. --------------------------------------------- http://www.heise.de/security/meldung/Apache-Server-durch-Log-Files-angreifb… *** RSA Authentication Manager Information Disclosure and PostgreSQL Vulnerabilities *** --------------------------------------------- RSA Authentication Manager Information Disclosure and PostgreSQL Vulnerabilities --------------------------------------------- https://secunia.com/advisories/53641 *** Siemens SCALANCE Privilege Escalation Vulnerabilities *** --------------------------------------------- --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-149-01 *** P2P-Botnetze viel größer als vermutet *** --------------------------------------------- Mit eingeschleusten Sensoren hat ein internationales Forscherteam große Botnetze mit Peer-to-Peer-Infrastruktur vermessen. Sie fanden zum Teil über vierzig Mal mehr infizierte Systeme als mit herkömmlicher Zählweise. --------------------------------------------- http://www.heise.de/newsticker/meldung/P2P-Botnetze-viel-groesser-als-vermu… *** Monkey HTTPD 1.1.1 Denial of Service Vulnerability *** --------------------------------------------- Topic: Monkey HTTPD 1.1.1 Denial of Service Vulnerability Risk: Low Text:Title: Monkey HTTPD 1.1.1 - Denial of Service Vulnerability Date: == 2013-05-28 References: == http://bugs... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050217 *** Mobile Device Security: The Problems of Remotely Disabling Stolen Phones *** --------------------------------------------- The problem of mobile device theft has become sufficiently severe that legislators have decided to file bills discussing it. Last week, US Senator Charles Schumer re-filed Mobile Device Theft Deterrence Act of 2013, which makes modifying a device's International Mobile Equipment Identity (IMEI) number a crime punishable by up to five years in federal prison. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/FxukunuZ9f0/ *** iCloud users take note: Apple two-step protection won't protect your data *** --------------------------------------------- Limitations could leave users open to the type of hack that hit Wireds Matt Honan. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/VFgQ6tJje98/ *** Weekly Update: The Nginx Exploit and Continuous Testing *** --------------------------------------------- Weekly Update: The Nginx Exploit and Continuous Testing --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2013/05/30/weekly-up… *** Ruckus SSH Server Tunneling Issue *** --------------------------------------------- Topic: Ruckus SSH Server Tunneling Issue --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050219 *** Vuln: Cisco Nexus 1000 Series Switches NX-OS CVE-2013-1209 Remote Authentication Bypass Vulnerability *** --------------------------------------------- Cisco Nexus 1000 Series Switches NX-OS CVE-2013-1209 Remote Authentication Bypass Vulnerability --------------------------------------------- http://www.securityfocus.com/bid/60224 *** VMware Security Advirsory VMSA-2013-0007 *** --------------------------------------------- VMware ESX third party update for Service Console package sudo --------------------------------------------- https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0007.… *** Phishing und verseuchter Spam - Betrug fast ohne Makel *** --------------------------------------------- Neue Woche, neue Kuriositäten. Diese Woche haben wir zwei interessante E-Mailbetrugversuche aus dem Zauberhut Internet gezogen. Dabei sind eine perfekt gestaltete Mastercard-Phishing-Seite und Trojaner-Mails im Namen der Firmen Otto und Görtz. --------------------------------------------- http://www.heise.de/security/meldung/Phishing-und-verseuchter-Spam-Betrug-f…

1 0

Tageszusammenfassung - Mittwoch 29-05-2013
by Daily end-of-shift report 29 May '13

29 May '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 28-05-2013 18:00 − Mittwoch 29-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Robert Waldner *** How Targeted Attacks And Cybercrime Go Together *** --------------------------------------------- For cybercriminals everywhere, it's still business as usual. The recent global ATM heist that stole a total of $45M showed that orchestrated targeted attacks continues to plague organizations globally. Legacy approaches to identifying threats are not keeping up with the tactics being used to exfiltrate precious assets and corporate secrets. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/J7IrBLritF0/ *** Microsoft loads botnet-crushing data into Azure *** --------------------------------------------- C-TIP gives ISPs near-realtime access to MARS data Microsoft is plugging its security intelligence systems into Azure so that service providers and local authorities can get near-realtime information on botnets and malware detected by Redmond. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/05/28/microsoft_a… *** Critical Ruby on Rails bug exploited in wild, hacked servers join botnet *** --------------------------------------------- Attackers success shows many servers still arent patched. Is yours? --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/gjidr1iHpyo/ *** Child-Porn Suspect Ordered to Decrypt His Own Data *** --------------------------------------------- federal magistrate is reversing course and ordering a Wisconsin man suspected of possessing child pornography to decrypt hard drives the authorities seized from his residence. Decryption orders are rare, but are likely to become more commonplace as the public ... --------------------------------------------- http://www.wired.com/threatlevel/2013/05/decryption-order/ *** Raspberry Pi puts holes in Chinas Great Firewall *** --------------------------------------------- RPi plus WiFi hotspot plus VPN equals portable censorship destroyer A tech-savvy China-based Redditor has spotted a hassle-free way of ensuring he or she is always able to bypass the Great Firewall, even when out and about, using the Raspberry Pi to connect to a virtual private network (VPN). --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/05/29/raspberry_p… *** Secunia Broadcasts Zero-day Vulnerability via Email *** --------------------------------------------- SecurityWeek has learned that Secunia, a Danish vulnerability management firm, disclosed an unpatched vulnerability within an image viewing application used by organizations in both the private and the defense sectors to a public mailing list. --------------------------------------------- https://www.securityweek.com/secunia-broadcasts-zero-day-vulnerability-email *** Release me from a botnet *** --------------------------------------------- At the beginning of August 2012, an outbreak of the Dorifel virus was observed. This outbreak primarily infected systems in the Netherlands. The virus is being spread through the Citadel botnet. This factsheet will take a closer look at the relationship between Dorifel and Citadel, describe the impact of an infection and recommend steps to take if you are infected. We conclude with providing a number of tips to avoid infection. --------------------------------------------- http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact… *** IBM WebSphere Portal HTTP Response Splitting Vulnerability *** --------------------------------------------- IBM WebSphere Portal HTTP Response Splitting Vulnerability --------------------------------------------- https://secunia.com/advisories/53627 *** Vuln: socat CVE-2013-3571 Remote Denial of Service Vulnerability *** --------------------------------------------- socat CVE-2013-3571 Remote Denial of Service Vulnerability --------------------------------------------- http://www.securityfocus.com/bid/60170 *** Yahoo! Browser for Android spoofing *** --------------------------------------------- Yahoo! Browser for Android spoofing --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84541 *** Siemens Solid Edge ST5 ActiveX control code execution *** --------------------------------------------- Siemens Solid Edge ST5 ActiveX control code execution --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84530 *** TP-Link IP Cameras multiple vulnerabilities *** --------------------------------------------- Core Security - Corelabs Advisory http://corelabs.coresecurity.com TP-Link IP Cameras Multiple Vulnerabilities --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050202

1 0

Tageszusammenfassung - Dienstag 28-05-2013
by Daily end-of-shift report 28 May '13

28 May '13

======================= = End-of-Shift report = ======================= Timeframe: Montag 27-05-2013 18:00 − Dienstag 28-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Christian Wojner *** Anatomy of a hack: How crackers ransack passwords like 'qeadzcwrsfxv1331' *** --------------------------------------------- For Ars, three crackers have at 16,000+ hashed passcodes with 90 percent success. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/yG2GKDkgLMo/ *** Security boffins say music could trigger mobile malware *** --------------------------------------------- Justin Bieber really evil virus theory just got more credible Security researchers have discovered that specific music, lighting, vibrations or magnetic fields could all be used as infection channels to trigger the activation of mobile malware on a massive scale. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/05/28/light_sound… *** HP-UX Directory Server Discloses Passwords to Remote Authenticated and Local Users *** --------------------------------------------- HP-UX Directory Server Discloses Passwords to Remote Authenticated and Local Users --------------------------------------------- http://www.securitytracker.com/id/1028593 *** Sicherheitslücke in Telekom-Router Speedport LTE II *** --------------------------------------------- Der DSL-Router Speedport LTE II der Telekom soll von außen manipulierbar sein. Stellt ein Angreifer Anfragen an den Router, wird die zur Verfügung stehende Bandbreite gedrosselt. Ein Update soll die Lücke schließen. --------------------------------------------- http://www.heise.de/security/meldung/Sicherheitsluecke-in-Telekom-Router-Sp… *** How to hash windows files against known good set *** --------------------------------------------- Required Tools: md5deep, nsrlquery You'll also need a server to query against. Luckily Kyrus has provided a nsrlserver (beta), known as the Kyrus NSRL Lookup Service! --------------------------------------------- http://brakertech.com/hash-windows-files-against-known-good-set/ *** Serious Privacy Flaw In Facebook Pages Manager For Android Exposes Private Pictures For Everyone To See *** --------------------------------------------- Facebook has a privacy hole that exposes private information to the public. And its a serious one, this time in Facebook Pages Manager for Android, which has been installed over 5 million times since January of this year. --------------------------------------------- http://www.androidpolice.com/2013/05/26/serious-privacy-flaw-in-facebook-pa… *** BANKER Malware Hosted In Compromised Brazilian Government Sites *** --------------------------------------------- Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include 'update', 'upgrade', 'Adobe', 'FlashPlayer' or combinations thereof. Besides the different filenames, these samples also have different domains where they can connect to --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/PCxIa2XQtdo/ *** ATM and Point-of-Sale Terminals Malware: The Bad Guys Just Never Stop! *** --------------------------------------------- If you use your debit or credit card to buy groceries or get cash out of an ATM you might want to know that the bad guys could have a piece of it. --------------------------------------------- http://blog.malwarebytes.org/intelligence/2013/05/atm-and-point-of-sale-ter… *** How to keep your Apple computer free from malicious programs and viruses *** --------------------------------------------- - Apple computers are not safe from viruses - Fewer than half of Mac users run anti-virus software - Mac users "will be targeted more and more easily" --------------------------------------------- http://www.news.com.au/technology/techknow/how-to-keep-your-apple-computer-… *** The Team Cymru Malware Hash Registry (MHR) project *** --------------------------------------------- The Malware Hash Registry (MHR) project is a look-up service similar to the Team Cymru IP address to ASN mapping project. This project differs however, in that you can query our service for a computed MD5 or SHA-1 hash of a file and, if it is malware and we know about it, we return the last time weve seen it along with an approximate anti-virus detection percentage. --------------------------------------------- https://www.team-cymru.org/Services/MHR/ *** DoS-Lücke in ModSecurity gestopft *** --------------------------------------------- Angreifer können die Web Application Firewall über speziell präparierte HTTP-Request aus der Ferne lahm legen. --------------------------------------------- http://www.heise.de/security/meldung/DoS-Luecke-in-ModSecurity-gestopft-187… *** Wordpress Export To Text Plugin "download" Remote File Inclusion Vulnerability *** --------------------------------------------- Wordpress Export To Text Plugin "download" Remote File Inclusion Vulnerability --------------------------------------------- https://secunia.com/advisories/51348 *** Nitro Pro / Reader PDF Parsing Vulnerability *** --------------------------------------------- Nitro Pro / Reader PDF Parsing Vulnerability --------------------------------------------- https://secunia.com/advisories/53473 *** SRWare Iron Multiple Vulnerabilities *** --------------------------------------------- SRWare Iron Multiple Vulnerabilities --------------------------------------------- https://secunia.com/advisories/53586 *** Vuln: SPIP Security Bypass Vulnerability *** --------------------------------------------- SPIP Security Bypass Vulnerability --------------------------------------------- http://www.securityfocus.com/bid/60163

1 0

Tageszusammenfassung - Montag 27-05-2013
by Daily end-of-shift report 27 May '13

27 May '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 24-05-2013 18:00 − Montag 27-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Christian Wojner *** Worm Creates Copies in Password-Protected Archived Files *** --------------------------------------------- Typically users archive file to lump several files together into a single file for convenience or to simply save storage space. However, we uncovered a worm that creates copies of itself even on password-protected archived files. We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WINRAR command line --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/PRaGXwQeGIY/ *** WordPress ProPlayer Plugin 4.7.9.1 - SQL Injection *** --------------------------------------------- WordPress ProPlayer Plugin 4.7.9.1 - SQL Injection --------------------------------------------- http://www.exploit-db.com/exploits/25605 *** Compromised Indian government Web site leads to Black Hole Exploit Kit *** --------------------------------------------- By Dancho Danchev Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it's known to have been used in previous client-side exploit serving campaigns. --------------------------------------------- http://blog.webroot.com/2013/05/24/compromised-indian-government-web-site-l… *** Skype Beta Plugs IP Resolver Privacy Leak *** --------------------------------------------- A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only. --------------------------------------------- http://krebsonsecurity.com/2013/05/skype-beta-plugs-ip-resolver-privacy-leak *** PandaLabs Quarterly Report Q1 2013 *** --------------------------------------------- We have just published our Quarterly Report for Q1 2013, analyzing the IT security events and incidents from January through March 2013. If you want to be aware of the latest security trends, the latest cyber-war cases don't wait any longer, you can download our latest report from our Press Center --------------------------------------------- http://pandalabs.pandasecurity.com/pandalabs-quarterly-report-q1-2013/ *** WordPress milano Theme Cross Site Scripting *** --------------------------------------------- Topic: WordPress milano Theme Cross Site Scripting Risk: Low Text: ## # Exploit Title : Wordpress milano Theme Cross Site Scripting # # Exploit Author : Ashiyane Digital Security Team ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050184 *** LG Optimus G command injection (as system user) vulnerability *** --------------------------------------------- Topic: LG Optimus G command injection (as system user) vulnerability *youtube Risk: High Text:Device: LG Optimus G E973 (Others affected) Firmware: Android 4.1.2 JZO54k (Others affected) Evidence: http://youtu.be/ZfbDIp... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050188 *** AVE.CMS <= 2.09 (index.php, module param) - Blind SQL Injection Exploit *** --------------------------------------------- AVE.CMS <= 2.09 (index.php, module param) - Blind SQL Injection Exploit --------------------------------------------- http://www.exploit-db.com/exploits/25716 *** PayPal wieder durch Cross-Site-Scripting angreifbar *** --------------------------------------------- Der eBay gehörende Internetbezahldienst prüft Sucheingaben nicht und erlaubt Angreifern so beliebigen JavaScript-Codes in den Browser des Benutzers einzuschleusen. Dadurch lassen sich Zugangsdaten entwenden. --------------------------------------------- http://www.heise.de/security/meldung/PayPal-wieder-durch-Cross-Site-Scripti… *** Finding Malware by DNS Cache Snooping or by Comparing BRO and PassiveDNS logs *** --------------------------------------------- We can actively look for the presence of malware on a network by examining its nameserver's cache. Since known pieces of malware make requests to specific domains, we're able to check a DNS server's cache for their existence. --------------------------------------------- https://sickbits.net/finding-malware-by-dns-cache-snooping/ *** New Trojan targets Facebook, Twitter and Google Plus *** --------------------------------------------- May 16, 2013 Russian anti-virus company Doctor Web has discovered previously unknown features in the new malware for Facebook that has been widely discussed in the mediadoesnt simply change a user's status, join groups and leave comments on the users behalf, but it can also send spam on Twitter and Google Plus. --------------------------------------------- http://news.drweb.com/show/?i=3527&lng=en&c=9 *** WordPress WP CleanFix Cross-Site Request Forgery Vulnerability *** --------------------------------------------- WordPress WP CleanFix Cross-Site Request Forgery Vulnerability --------------------------------------------- https://secunia.com/advisories/53395 *** Barracuda SSL VPN 680 2.2.2.203 Redirect Web Vulnerability *** --------------------------------------------- Topic: Barracuda SSL VPN 680 2.2.2.203 Redirect Web Vulnerability Risk: Low Text:Title: Barracuda SSL VPN 680 2.2.2.203 - Redirect Web Vulnerability Date: == 2013-05-25 References: == h... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050193 *** Twitters Zwei-Faktor-Authentifizierung schon ausgehebelt *** --------------------------------------------- Es hätte ja so schön sein können: Doch die Zwei-Faktor-Authentifizierung, die Twitter erst vor wenigen Tagen eingeführt hat, lässt sich mittels SMS-Spoofing relativ leicht aushebeln. --------------------------------------------- http://www.heise.de/security/meldung/Twitters-Zwei-Faktor-Authentifizierung…

1 0

Tageszusammenfassung - Freitag 24-05-2013
by Daily end-of-shift report 24 May '13

24 May '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 23-05-2013 18:00 − Freitag 24-05-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** HPSBUX02881 SSRT101189 rev.1 - HP-UX Directory Server, Remote Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HP-UX Directory Server. The vulnerability could be exploited remotely resulting in information disclosure. --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Cisco NX-OS igmp_snoop_orib_fill_source_update() Function Remote Denial of Service Vulnerability *** --------------------------------------------- Cisco NX-OS contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted device. Updates are available. --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=26613 *** X.Org Security Advisory: May 23, 2013 - Protocol handling issues in X Window System client libraries *** --------------------------------------------- Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Orgs security team to analyze, confirm, and fix these issues. --------------------------------------------- http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 *** Cisco WebEx for iOS Certificate Verification Security Issue *** --------------------------------------------- Charlie Eriksen has discovered a security issue in Cisco WebEx for iOS, which can be exploited by malicious people to conduct spoofing attacks. --------------------------------------------- https://secunia.com/advisories/51412 *** New Rmnet malware disables anti-virus programs *** --------------------------------------------- May 23, 2013 Russian anti-virus company Doctor Web is warning users about new malicious modules found in the malware that is used to create and maintain the Rmnet bot network. One of them allows attackers to disable the anti-virus software installed on the infected computers. Doctor Webs analysts also managed to hijack a Rmnet subnetwork whose bots contain these harmful components. Doctor Web already warned users about the wide distribution of Win32.Rmnet.12 andWin32.Rmnet.16 programs that... --------------------------------------------- http://news.drweb.com/show/?i=3551&lng=en&c=9 *** Google erneuert SSL-Zertifikate *** --------------------------------------------- Ab August spendiert Google seinen Diensten neue Zertifikate. Vor allem sollen die mit alten 1024-Bit-RSA-Keys ausrangiert und gegen solche mit 2048 Bit ersetzt werden. --------------------------------------------- http://www.heise.de/security/meldung/Google-erneuert-SSL-Zertifikate-186915… *** Malware dont need Coffee *** --------------------------------------------- On the 10th of may was advertised on underground forum by bomba_service a new Ransomware in Affiliate mode. --------------------------------------------- http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-… *** 0-Days in Novell Client für Windows *** --------------------------------------------- Wer noch Novell Client für Windows einsetzt, sollte sich nach Alternativen umsehen. --------------------------------------------- http://www.heise.de/security/meldung/0-Days-in-Novell-Client-fuer-Windows-1… *** Vuln: MediaWiki Arbitrary File Upload Vulnerability *** --------------------------------------------- MediaWiki is prone to a vulnerability that lets attackers upload arbitrary files. An attacker may leverage this issue to upload arbitrary files to the affected computer. Note that this issue could be exploited to execute arbitrary code, however, this has not been confirmed. --------------------------------------------- http://www.securityfocus.com/bid/60077

1 0

Tageszusammenfassung - Donnerstag 23-05-2013
by Daily end-of-shift report 23 May '13

23 May '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 22-05-2013 18:00 − Donnerstag 23-05-2013 18:00 Handler: Stephan Richter Co-Handler: n/a *** New Trojan steals short messages *** --------------------------------------------- May 22, 2013 Russian anti-virus company Doctor Web is warning users about a new Trojan for Android that can intercept inbound short messages and forward them to criminals. Android.Pincer.2.origin poses a serious threat because stolen messages can contain sensitive information such as mTAN codes which are used to confirm online banking transactions. The Trojan, discovered by Doctor Webs analysts several days ago, is a second representative of the Android.Pincer malware family. Like its... --------------------------------------------- http://news.drweb.com/show/?i=3549&lng=en&c=9 *** CODESYS–Gateway Use After Free *** --------------------------------------------- This advisory provides mitigation details for a vulnerability that impacts the 3S CODESYS Gateway application --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-142-01 *** IBM Tivoli Monitoring cross-site scripting *** --------------------------------------------- IBM Tivoli Monitoring is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using Tivoli Enterprise Portal browser client to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/83328 *** Antwortbegrenzung *** --------------------------------------------- Angesichts zunehmender DNS-Attacken denkt das Denic an eine Begrenzung Antworten auf Domainanfragen. --------------------------------------------- http://www.heise.de/newsticker/meldung/DNS-Attacken-Denic-schliesst-das-Kap… *** Apple QuickTime Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been reported in Appe QuickTime, which can be exploited by malicious people to compromise a user's system. --------------------------------------------- https://secunia.com/advisories/53520 *** Flagallery-Skins plugin for WordPress gallery.php SQL injection *** --------------------------------------------- Flagallery-Skins plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the gallery.php script using the playlist parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84445 *** Oracle Java ist verbreitetste Sicherheitslücke *** --------------------------------------------- Laut einer aktuellen Quartalsanalyse des Virenschutzherstellers Kaspersky stieg die Zahl der Bedrohungen über das Internet gegenüber dem Vorquartal um 1,5 Prozentpunkte. Den Spitzenplatz unter den Ländern, von denen Schadprogramme ausgehen, gab Russland wieder an die USA ab. Bei den Sicherheitslücken ist Oracle Java weiter führend. --------------------------------------------- http://futurezone.at/digitallife/16038-oracle-java-ist-verbreitetste-sicher… *** IT security vendors seen as clueless on industrial control systems *** --------------------------------------------- Even the most innocuous security processes used for traditional IT systems could spell disaster in an ICS --------------------------------------------- http://www.csoonline.com/article/733873/it-security-vendors-seen-as-clueles… *** Mac Spyware Bait: Lebenslauf für Praktitkum *** --------------------------------------------- As a follow up to yesterdays Kumar in the Mac post… have you received e-mail attachments such as this?Attachments: • Christmas_Card.app.zip • Content_for_Article.app.zip • Content_of_article_for_[NAME REMOVED].app.zip • Interview_Venue_and_Questions.zip • Lebenslauf_für_Praktitkum.zipIf so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.Heres a list of binaries signed by Apple Developer "Rajinder... --------------------------------------------- http://www.f-secure.com/weblog/archives/00002559.html

1 0

Tageszusammenfassung - Mittwoch 22-05-2013
by Daily end-of-shift report 22 May '13

22 May '13

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 21-05-2013 18:00 − Mittwoch 22-05-2013 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** Researchers find critical vulnerabilities in popular game engines *** --------------------------------------------- Attackers could exploit the flaws to compromise game clients and servers, researchers from ReVuln said --------------------------------------------- http://www.csoonline.com/article/733773/researchers-find-critical-vulnerabi… *** WordPress Events Manager Plugin Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been discovered in the Events Manager plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks. --------------------------------------------- https://secunia.com/advisories/53478 *** Bugtraq: Multiple Vulnerabilities in Wordpress Plugins *** --------------------------------------------- [waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin [waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin --------------------------------------------- http://www.securityfocus.com/archive/1/526660 http://www.securityfocus.com/archive/1/526661 *** The Top 10 Internet Resources to Use After Suffering a Cyber Breach *** --------------------------------------------- Most cyber breaches into your online presence will be directed at your website server and its accompanying databases or accounts. And, if you’ve been the victim of a server hack, it probably occurred through one of two different means. The first would be an attack at some sort of weakness in third party web applications, or... --------------------------------------------- http://resources.infosecinstitute.com/the-top-10-internet-resources-to-use-… *** Oracle Solaris Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/53462 https://secunia.com/advisories/53468 *** Bugtraq: Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities *** --------------------------------------------- The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software. --------------------------------------------- http://www.securityfocus.com/archive/1/526658 *** Apache Struts "ParameterInterceptor" Security Bypass Vulnerability *** --------------------------------------------- A vulnerability has been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions. --------------------------------------------- https://secunia.com/advisories/53495 *** IBM Eclipse Help System information disclosure *** --------------------------------------------- Multiple IBM products could allow a remote attacker to obtain sensitive information, caused by an error in the IBM Eclipse Help System. A specially-crafted URL could cause an error message to be returned in the browser that may contain sensitive information. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/83613 *** DHS to Share Zero-Day Intelligence *** --------------------------------------------- The U.S. Department of Homeland Security (DHS) is developing a system that will enable classified vulnerability data to be shared with the private sector. The information, primarily Zero-Day vulnerability data, will be sold via a select group of service providers. Siehe auch: http://www.dhs.gov/enhanced-cybersecurity-services Siehe auch: http://www.csoonline.com/article/733557/experts-ding-dhs-vulnerability-shar… --------------------------------------------- http://www.securityweek.com/dhs-share-zero-day-intelligence

1 0

Tageszusammenfassung - Dienstag 21-05-2013
by Daily end-of-shift report 21 May '13

21 May '13

======================= = End-of-Shift report = ======================= Timeframe: Freitag 17-05-2013 18:00 − Dienstag 21-05-2013 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner *** Suchmaschine für Internet Census 2012 *** --------------------------------------------- Die gewaltigen Datenmengen, die bei einem Portscan des gesamten Internets aufgelaufen sind, kann man jetzt auch komfortabel online durchsuchen. --------------------------------------------- http://www.heise.de/security/meldung/Suchmaschine-fuer-Internet-Census-2012… *** SSL: Another reason not to ignore IPv6, (Fri, May 17th) *** --------------------------------------------- Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the "quick fix", as it requires minimum changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4. The most obvious issue here is logging, in that the application only "sees" the proxies IP address, unless it inspects headers added by the proxy, which will no point to (unreadable?) IPv6 addresses. But there is another issue: SSL --------------------------------------------- http://isc.sans.edu/diary.html?storyid=15833&rss *** CKEditor comment or content post cross-site scripting *** --------------------------------------------- CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the comment or content post field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site,... --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84356 *** Vuln: WordPress Mail On Update Plugin Cross Site Request Forgery Vulnerability *** --------------------------------------------- The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible. --------------------------------------------- http://www.securityfocus.com/bid/59932 *** Hitachi JP1/Automatic Operation unspecified cross-site scripting *** --------------------------------------------- Hitachi JP1/Automatic Operation is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site,... --------------------------------------------- http://xforce.iss.net/xforce/xfdb/84365 *** Remote Code Injection Vulnerabilities Discovered in iOS Apps *** --------------------------------------------- Multiple vulnerabilities have been discovered in both File Lite and File Pro, two file management applications created by Perception Systems for iOS, currently available on Apple’s App Store. --------------------------------------------- http://threatpost.com/remote-code-injection-vulnerabilities-discovered-in-i… *** Security Update: URL Manipulation Vulnerability in IBM WebSphere Portal versions *** --------------------------------------------- URL manipulation security vulnerabilities for IBM WebSphere Portal may allow a remote attacker to traverse directories on the system and view information contained in files. These vulnerabilities are susceptible to an exploit in the wild. Please review the updated security bulletins (see links below). CVE(s): CVE-2012-2181 and CVE-2012-4834 Affected product(s): IBM WebSphere Portal Affected version(s): 7.0.0.x and 8.0 Refer to the following reference URLs for remediation and additional... --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_update_url_m… *** IBM WebSphere DataPower Appliance echo web service cross-site scripting *** --------------------------------------------- IBM WebSphere DataPower Appliance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site,... --------------------------------------------- http://xforce.iss.net/xforce/xfdb/82221 *** Mitsubishi MX Component V3 ActiveX Vulnerability *** --------------------------------------------- This advisory recommends upgrading to MX Component 4.03 that is not affected by this vulnerability. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-13-140-01 *** Moodle Multiple Vulns *** --------------------------------------------- Topic: Moodle Multiple Vulns Risk: Medium Text:The following security notifications are now public. Thanks to OSS members for their cooperation. =... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013050156 *** [remote] - Linksys WRT160nv2 apply.cgi Remote Command Injection *** --------------------------------------------- Some Linksys Routers are vulnerable to an authenticated OS command injection on their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. --------------------------------------------- http://www.exploit-db.com/exploits/25608 *** Safeguarding ISPs from DDoS Attacks *** --------------------------------------------- A distributed-denial-of-service attack in Europe highlights the need for Internet service providers to implement security best practices to prevent future incidents, ENISAs Thomas Haeberlen says. --------------------------------------------- http://www.databreachtoday.asia/safeguarding-isps-from-ddos-attacks-a-5773 *** National Cyber Security Strategies in the World *** --------------------------------------------- A free and open Internet is at the heart of the new Cyber Security Strategy by the European Union High Representative Catherine Ashton and the European Commission. The new Communication is the first comprehensive policy document that the European Union has produced in this area. It comprises internal market, justice and home affairs and the foreign policy aspects of cyberspace issues. ENISA has listed all the documents of National Cyber Security Strategies in the EU but also in the world. --------------------------------------------- https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-s… *** Dovecot IMAP "APPEND" Parameters Processing Denial of Service Vulnerability *** --------------------------------------------- A vulnerability has been reported in Dovecot, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error within IMAP functionality when processing the "APPEND" parameters and can be exploited to cause a hang. --------------------------------------------- https://secunia.com/advisories/53492 *** IBM Maximo Asset Management Products Java Multiple Vulnerabilities *** --------------------------------------------- IBM has acknowledged multiple vulnerabilities in IBM Maximo Asset Management products, which can be exploited by malicious, local users to disclose certain sensitive information and gain escalated privileges and by malicious people to disclose certain sensitive information, manipulate certain data, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/53451 *** SAProuter NI Route Message Handling Vulnerability *** --------------------------------------------- ERPScan has reported a vulnerability in SAProuter, which can be exploited by malicious people to potentially compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/53436 *** Bugtraq: Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt) *** --------------------------------------------- We have published a revision of our IETF I-D "A method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)". --------------------------------------------- http://www.securityfocus.com/archive/1/526646 *** Security Bulletin: IBM TS3310 Tape Library update for security vulnerabilities in OpenSSL (CVE-2013-0169) *** --------------------------------------------- Download an update to the TS3310 Tape Library, which contains a newer version of OpenSSL that fixes certain security vulnerabilities that were present in older versions of OpenSSL. CVEID: CVE-2013-0169 Affected product(s) and affected version(s): All TS3310 tape libraries with firmware versions lower than 636G Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004345 X-Force --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…

1 0

Tageszusammenfassung - Freitag 17-05-2013
by Daily end-of-shift report 17 May '13

17 May '13

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-05-2013 18:00 − Freitag 17-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Robert Waldner *** Android.RoidSec: This app is an info stealing 'sync-hole'! *** --------------------------------------------- By Nathan Collier Android.RoidSec has the package name 'cn.phoneSync', but an application name of 'wifi signal Fix'. From a Malware 101′ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. --------------------------------------------- http://blog.webroot.com/2013/05/16/android-roidsec-this-app-is-a-info-steal… *** vBulletin Input Validation Flaw Lets Remote Users Inject SQL Commands *** --------------------------------------------- The 'index.php/ajax/api/reputation/vote' script does not properly validate user-supplied input in the 'nodeid' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. --------------------------------------------- http://www.securitytracker.com/id/1028543 *** Bank Account Logins for Sale, Courtesy of Citadel Botnet *** --------------------------------------------- Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. --------------------------------------------- http://blogs.mcafee.com/mcafee-labs/bank-account-logins-for-sale-courtesy-o… *** Apple iTunes Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious people to conduct spoofing attacks and compromise a user's system. --------------------------------------------- https://secunia.com/advisories/53471 *** In a sea of malware, viruses make a small comeback *** --------------------------------------------- Microsoft has noticed a small uptick in viruses that infect files --------------------------------------------- http://www.csoonline.com/article/733558/in-a-sea-of-malware-viruses-make-a-… *** Trying to kill undead Pushdo zombies? Hard luck, Trojan is EVOLVING *** --------------------------------------------- Malware remains undead, adds double-sneaky stealth mode The crooks behind the Pushdo botnet agent have developed variants of the malware that are more resistant to take-down attempts or hijacking by rival hackers. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/pushdo_extr… *** Hintergrund: Mehr Fakten und Spekulationen zu Skypes ominösen Link-Checks *** --------------------------------------------- Zu Beginn der Woche berichtete heise Security, dass Links, die in privaten Skype-Chat-Sitzungen verschickt werden, kurze Zeit später von einem System von Microsoft besucht werden. Wir beobachteten ausschließlich Zugriffe auf https-URLs. --------------------------------------------- http://www.heise.de/security/artikel/Mehr-Fakten-und-Spekulationen-zu-Skype… *** Targeted information stealing attacks in South Asia use email, signed binaries *** --------------------------------------------- In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. --------------------------------------------- http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/ *** Fake YouTube page targets Chrome users *** --------------------------------------------- Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. --------------------------------------------- http://research.zscaler.com/2013/05/fake-youtube-page-targets-chrome-users.… *** CSRF vulnerability in LinkedIn 2013 *** --------------------------------------------- A security company has found an CSRF vulnerability in LinkedIn and they have uploaded an POC on Youtube to show the impact. The Cross Site Request Forgery attack allows the attacker to access information from an contact without the consent/knowledge of the affected user. --------------------------------------------- http://cyberwarzone.com/csrf-vulnerability-linkedin-2013? *** Blog: Malicious PACs and Bitcoins *** --------------------------------------------- Malicious PACs used by Brazilian bad guys aiming to steal bitcoins --------------------------------------------- http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins *** April 2013 virus activity review from Doctor Web *** --------------------------------------------- May 13, 2013 IT security experts will remember April 2013 for several remarkable events. At the beginning of the month, Doctor Webs analysts hijacked a rapidly growing botnet comprised of computers infected with BackDoor.Bulknet.739. The middle of April saw the discovery of a new Trojan of the most common family 'Trojan.Mayachok' and an upsurge of spam containing subject matter related to the terrorist acts that occurred in Boston. --------------------------------------------- http://news.drweb.com/show/?i=3516&lng=en&c=9

1 0

Tageszusammenfassung - Donnerstag 16-05-2013
by Daily end-of-shift report 16 May '13

16 May '13

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-05-2013 18:00 − Donnerstag 16-05-2013 18:00 Handler: Matthias Fraidl Co-Handler: Robert Waldner *** HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code *** --------------------------------------------- [security bulletin] HPSBUX02859 SSRT101144 rev.3 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code --------------------------------------------- http://www.securityfocus.com/archive/1/526607 *** python backports ssl_match_hostname Resource Exhaustion 0day *** --------------------------------------------- Topic: python backports ssl_match_hostname Resource Exhaustion 0day Risk: Medium Text:A denial of service flaw was found in the way python-backports-ssl_match_hostname, an implementation that brings the ssl.match... --------------------------------------------- http://feedproxy.google.com/~r/securityalert_database/~3/P8TEFx3kOnQ/WLB-20… *** Exploit für lokalen Linux-Kernel-Bug im Umlauf *** --------------------------------------------- Ein bereits im April im Entwickler-Kernel-Zweig gefixter Fehler wurde nicht als sicherheitsrelevant erkannt und lässt sich deshalb auf vielen Systemen immer noch ausnutzen. --------------------------------------------- http://www.heise.de/security/meldung/Exploit-fuer-lokalen-Linux-Kernel-Bug-… *** New versatile and remote-controlled 'Android.MouaBot' malware found in the wild *** --------------------------------------------- By Cameron Palan and Nathan Collier Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone ... --------------------------------------------- http://blog.webroot.com/2013/05/15/new-versatile-and-remote-controlled-andr… *** Download: Mobile Threat Report Q1 2013 *** --------------------------------------------- Our Mobile Threat Report Q1 2013 is now publicly available.All of our past reports are also available in the "Labs" section of f-secure.com. On 15/05/13 At 12:45 PM --------------------------------------------- http://www.f-secure.com/weblog/archives/00002553.html *** PushDo Malware Resurfaces with DGA Capabilities *** --------------------------------------------- The PushDo malware family is back, this time with a domain generation algorithm that helps it avoid detection and add resiliency to its capabilities. --------------------------------------------- http://threatpost.com/pushdo-malware-resurfaces-with-dga-capabilities/ *** zPanel themes remote command execution as root *** --------------------------------------------- Topic: zPanel themes remote command execution as root Risk: High Text:So I saw this earlier today: http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_fo… ... --------------------------------------------- http://cxsecurity.com/wlb/WLB-2013050133 *** Drupal 6.x/7.x Google Authenticator login Access Bypass *** --------------------------------------------- Topic: Drupal 6.x/7.x Google Authenticator login Access Bypass Risk: High Text:View online: http://drupal.org/node/1995706 * Advisory ID: DRUPAL-SA-CONTRIB-2013-047 * Project: Google Authenticator l... --------------------------------------------- http://cxsecurity.com/wlb/WLB-2013050134 *** Analysis of Malicious Document Files Spammed by Cutwail *** --------------------------------------------- Over the past week, the Cutwail botnet has been sending out spam containing malicious documents of the aforementioned vulnerability, CVE-2012-0158. The use of a loaded RTF attachment is a departure from normal for Cutwail, usually it distributes executable attachments or links to exploit kits. --------------------------------------------- http://blog.spiderlabs.com/2013/05/malicious-document-files-spammed-by-cutw… *** RIPE: Angriffe auf das Domain Name System nehmen zu *** --------------------------------------------- Auf dem Treffen der IP-Adressverwaltung RIPE wurde darüber debattiert, die schwarze Scharfe dazu gebracht werden können, überfällige Sicherungen vorzunehmen. --------------------------------------------- http://www.heise.de/security/meldung/RIPE-Angriffe-auf-das-Domain-Name-Syst… *** Mac Spyware Found at Oslo Freedom Forum *** --------------------------------------------- The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This years conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activists Mac.Our Mac analyst (Brod) is currently investigating the sample.Its signed with --------------------------------------------- http://www.f-secure.com/weblog/archives/00002554.html

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily May 2013