=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 27-11-2014 18:00 − Friday 28-11-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Syrian Electronic Army attack leads to malvertising, (Thu, Nov 27th) ***
---------------------------------------------
A number of online services were impacted by what has been referred to by multiple sources as a redirection attack by Syrian Electronic Army (SEA) emanating from the Gigya CDN. Gigya explained the issue as follows: Gigya explained that earlier today at 06:45 EST, it noticed sporadic failures with access to our service. The organization then found a breach at its domain registrar, with the hackers modifying DNS entries and pointing them away from Gigya's CDN domain, instead redirecting to their...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19001&rss
*** World's best threat detection pwned by HOBBIT ***
---------------------------------------------
Forget nation-states, BAB0 is the stuff of savvy crims. Some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single defence security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/28/malware_cru…
*** ENISA publishes the first framework on how to evaluate National Cyber Security Strategies ***
---------------------------------------------
ENISA issues today an Evaluation Framework on National Cyber Security Strategies (NCSS) addressed to policy experts and government officials who design, implement and evaluate an NCSS policy. This work is strongly aligned with the EU Cyber Security Strategy (EU CSS) and aims to assist Member States in developing capabilities in the area of NCSS.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/enisa-publishes-the-first-f…
*** CryptoPHP: Sneaky malicious code has infected tens of thousands of servers ***
---------------------------------------------
The malware hides in pirated themes and plug-ins for the content management systems Drupal, WordPress and Joomla. Once infected, the server becomes part of a botnet that manipulates search rankings, to the detriment of the site itself.
---------------------------------------------
http://www.heise.de/newsticker/meldung/CryptoPHP-Hinterlistiger-Schadcode-h…
*** Critical updates for Siemens industrial control systems ***
---------------------------------------------
An update is meant to close critical security holes in the Simatic WinCC software, which is used as a control centre for monitoring and controlling industrial plants. However, the update is not yet available for all versions.
---------------------------------------------
http://www.heise.de/security/meldung/Kritische-Updates-fuer-Siemens-Industr…
*** Economic Failures of HTTPS Encryption ***
---------------------------------------------
Interesting paper: "Security Collapse of the HTTPS Market." From the conclusion: Recent breaches at CAs have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model: the security of the entire ecosystem suffers if any of the hundreds of CAs is compromised (weakest link); browsers are unable to revoke trust in major CAs ("too big to...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/11/economic_failur.html
*** Bug in H.264 plugin could affect Firefox users ***
---------------------------------------------
[...] In the corresponding bug report at Mozilla, Cisco employee Ethan Hugg writes that the bug is not present in any version of the OpenH.264 module provided for Firefox so far. However, the Mozilla hackers do not yet list the bug as officially fixed.
Addendum of 28 November 2014, 13:10
According to Cisco, Firefox users are not affected; we have adjusted the article accordingly.
---------------------------------------------
http://www.golem.de/news/cisco-fehler-in-h-264-plugin-betrifft-alle-firefox…
*** Bugtraq: Defense in depth -- the Microsoft way (part 22): no DEP in Windows filesystem (and ASLR barely used) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534109
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 26-11-2014 18:00 − Thursday 27-11-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances ***
---------------------------------------------
New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances CrySyS Lab, BME http://www.crysys.hu/ MRG-Effitas https://www.mrg-effitas.com/ November 26, 2014. The term Advanced Persistent Threat (APT) refers to a potential attacker that has the capability and the intent to carry out advanced attacks against specific high profile targets in order to [...]
---------------------------------------------
http://blog.crysys.hu/2014/11/new-anti-apt-tools-are-no-silver-bullets-an-i…
*** Adobe Reader sandbox popped says Google researcher ***
---------------------------------------------
Yet another reason to make sure you've patched promptly and properly. The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/27/adobe_reade…
*** Crunch - Password Cracking Wordlist Generator ***
---------------------------------------------
Features: * crunch generates wordlists in both combination and permutation ways * it can breakup output by number of lines or file size * now has resume support * pattern now supports number and symbols * pattern now supports upper and lower case characters separately * adds a status report when generating multiple files * new -l option for literal support of @,%^ * new -d option to limit duplicate characters see man file for details * now has unicode support...
---------------------------------------------
http://hack-tools.blackploit.com/2014/11/crunch-password-cracking-wordlist.…
*** SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government ***
---------------------------------------------
This white paper will explore where the SEC is headed on this issue and propose a novel solution that's both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities - the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.
---------------------------------------------
http://jeffreycarr.blogspot.co.uk/2014/11/sec-risk-factors-how-to-determine…
*** Factsheet HTTPS could be a lot more secure ***
---------------------------------------------
HTTPS is a frequently used protocol for protecting web traffic against parties setting out to eavesdrop on or manipulate the traffic. Configuring HTTPS requires precision: there are many options, and by no means all of them are secure.
---------------------------------------------
https://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fac…
*** Cisco: Bug in H.264 plugin affects all Firefox users ***
---------------------------------------------
A bug in the memory management of the H.264 plugin potentially affects all Firefox users, since Mozilla force-installs it. The bug is not particularly severe, but it reveals a problem in the cooperation with Cisco.
---------------------------------------------
http://www.golem.de/news/cisco-fehler-in-h-264-plugin-betrifft-alle-firefox…
*** l+f: Only two days from patch to exploit kit ***
---------------------------------------------
The time between the disclosure of a vulnerability through a patch and its active exploitation keeps getting shorter.
---------------------------------------------
http://www.heise.de/security/meldung/l-f-Nur-zwei-Tage-vom-Patch-zum-Exploi…
*** Meta-hack disrupts hundreds of media websites ***
---------------------------------------------
On Thursday, the message "You have been hacked" appeared on hundreds of major websites. The cause was an embedded comment function from Gigya.
---------------------------------------------
http://www.heise.de/security/meldung/Meta-Hack-stoert-hunderte-Medien-Webse…
*** TYPO3 CMS 4.5.38 and 6.2.7 released ***
---------------------------------------------
The TYPO3 Community announces the versions 4.5.38 LTS and 6.2.7 LTS of the TYPO3 Enterprise Content Management System. All versions are maintenance releases and contain bug fixes.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-4538-and-627-released/
*** TYPO3-EXT-SA-2014-017: Improper Access Control in WebDav for filemounts (webdav) ***
---------------------------------------------
It has been discovered that the extension "WebDav for filemounts" (webdav) is susceptible to Improper Access Control. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: 2.0.0 Vulnerability Type: Improper Access Control Severity: Medium Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:H/RL:OF/RC:C
---------------------------------------------
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-e…
*** DSA-3077 openjdk-6 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3077
*** Cisco ASA SSL VPN Memory Consumption Error Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031269
*** Mutt Buffer Overflow in mutt_substrdup() Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031266
*** Xen Security Advisory 112 (CVE-2014-8867) - Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor ***
---------------------------------------------
Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component. Impact: A buggy or malicious HVM guest can crash the host. Mitigation: Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. Resolution: Applying the appropriate attached patch resolves this issue.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-11/msg00006.html
*** Xen Security Advisory 111 (CVE-2014-8866) - Excessive checking in compatibility mode hypercall argument translation ***
---------------------------------------------
Impact: A buggy or malicious HVM guest can crash the host. Mitigation: Running only PV guests will avoid this issue. There is no mitigation available for HVM guests on any version of Xen so far released by xenproject.org. Resolution: Applying the appropriate attached patch resolves this issue.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-11/msg00005.html
*** F5 Security Advisories ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15877.htm…
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15875.htm…
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15881.htm…
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15868.htm…
https://support.f5.com:443/kb/en-us/solutions/public/15000/800/sol15885.htm…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 25-11-2014 18:00 − Wednesday 26-11-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security updates available for Adobe Flash Player (APSB14-26) ***
---------------------------------------------
A Security Bulletin (APSB14-26) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1144
*** Brain Science and Browser Warnings ***
---------------------------------------------
Computer users will click through browser warnings and security alerts in order to complete a task, but once they're hacked, their behaviors change, a recent BYU study learned.
---------------------------------------------
http://threatpost.com/brain-science-and-browser-warnings/109615
*** Multiple vulnerabilities in ARRIS VAP2500 ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-389/
http://www.zerodayinitiative.com/advisories/ZDI-14-388/
http://www.zerodayinitiative.com/advisories/ZDI-14-387/
*** DSA-3076 wireshark ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers for SigComp UDVM, AMQP, NCP and TN5250, which could result in denial of service.
---------------------------------------------
http://www.debian.org/security/2014/dsa-3076
*** ModSecurity Advanced Topic of the Week: Detecting Malware with Fuzzy Hashing ***
---------------------------------------------
In the most recent release of ModSecurity v2.9.0-RC1, we introduced a new operator called @fuzzyHash which uses functionality from the ssdeep tool. This blog post will demonstrate a powerful use-case with ModSecurity which is identifying ..
---------------------------------------------
http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-d…
*** Google Doc Embedder plugin for WordPress google-document-embedder\view.php SQL injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98944
*** VB2014 paper: Labelling spam through the analysis of protocol patterns ***
---------------------------------------------
What do your IP packet sizes say about whether you're a spammer? Over the next few months, we will be sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added Labelling spam through the analysis ..
---------------------------------------------
http://www.virusbtn.com/blog/2014/11_26.xml
*** Typos Can have a Bigger Impact Than Expected ***
---------------------------------------------
Have you ever thought about the cost of a typo? You know what I mean, a simple misspelling of a word somewhere on your website. Do you think there's a risk in that? You may have seen the Grammar Police all over your comments ..
---------------------------------------------
http://blog.sucuri.net/2014/11/typos-can-have-a-bigger-impact-than-expected…
*** Black Friday and Cyber Monday - 4 Scams To Watch Out For While Shopping ***
---------------------------------------------
Holiday Shopping season is really an excited time for both shoppers and retailers, but unfortunately it's a good time for cyber criminals and scammers as well. With Black Friday ..
---------------------------------------------
http://thehackernews.com/2014/11/black-friday-and-cyber-monday-4-scams_26.h…
*** Shortcomings in the self-protection of antivirus software ***
---------------------------------------------
Only 2 of 32 tested antivirus products consistently use protection techniques that should be a matter of course, such as DLP and ASLR, the German test lab AV-Test found.
---------------------------------------------
http://www.heise.de/security/meldung/Maengel-beim-Selbstschutz-von-Antivire…
*** CryptoPHP a week later: more than 23.000 sites affected ***
---------------------------------------------
On November 20th we published our report on CryptoPHP. Since publishing we have, together with other parties, been busy dealing with the affected servers and taking down the CryptoPHP infrastructure. Sinkhole ..
---------------------------------------------
http://blog.fox-it.com/2014/11/26/cryptophp-a-week-later-more-than-23-000-s…
*** MatrikonOPC for DNP Unhandled C++ Exception ***
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-329-01
*** Siemens SIMATIC WinCC, PCS7, and TIA Portal Vulnerabilities ***
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-329-02
*** Background: Vulnerability scanners for web applications ***
---------------------------------------------
A good overview presents 16 open-source scanners for web applications that detect flaws ranging from XSS to SQL injection.
---------------------------------------------
http://www.heise.de/security/artikel/Schwachstellen-Scanner-fuer-Web-Applik…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 24-11-2014 18:00 − Tuesday 25-11-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Remote Code Execution in Popular Hikvision Surveillance DVR ***
---------------------------------------------
A number of Hikvision digital video recorders contain vulnerabilities that an attacker could remotely exploit in order to gain full control of those devices.
---------------------------------------------
http://threatpost.com/remote-code-execution-in-popular-hikvision-surveillan…
*** Multiple Dell SonicWALL products code execution ***
---------------------------------------------
Multiple Dell SonicWALL products could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the failure to validate user data prior to executing a command in the GMS ViewPoint ..
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98911
*** Obfuscated Flash Files Make Their Mark in Exploit Kits ***
---------------------------------------------
In recent years, we noticed that more and more malicious Adobe Flash (.SWF) files are being incorporated into exploit kits like the Magnitude Exploit Kit, the Angler Exploit Kit, and the Sweet Orange Exploit Kit. However, we did some more ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-flash-…
*** The Other Side of Masque Attacks: Data Encryption Not Found in iOS Apps ***
---------------------------------------------
Based on our research into the iOS threat Masque Attacks announced last week, Trend Micro researchers have found a new way that malicious apps installed through successful Masque Attacks can pose a threat to iOS devices: by accessing unencrypted data used by legitimate apps. According to reports, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-other-side-o…
*** Docker docker pull privilege escalation ***
---------------------------------------------
Docker could allow a remote attacker to gain elevated privileges on the system, caused by an error in the docker pull and the docker load operations. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98924
*** Docker image privilege escalation ***
---------------------------------------------
Docker could allow a remote attacker to gain elevated privileges on the system, caused by the ability to modify the default run profile of containers by images. An attacker could exploit this vulnerability to gain elevated privileges on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98925
*** WordPress wpDataTables 1.5.3 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014110163
*** WordPress wpDataTables 1.5.3 Shell Upload ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014110162
*** [oCERT 2014-008] heap overflow, remote code execution in libFLAC ***
---------------------------------------------
FLAC is an open source lossless audio codec supported by several software and music players. The libFLAC project, an open source library implementing reference encoders and decoders for native FLAC and Ogg FLAC audio content, suffers from multiple implementation issues. In particular, a stack overflow and a heap overflow condition, which may ..
---------------------------------------------
http://www.ocert.org/advisories/ocert-2014-008.html
*** Chrome heralds the end of browser plugins ***
---------------------------------------------
From January, all NPAPI plugins will be blocked - Silverlight and Java affected
---------------------------------------------
http://derstandard.at/2000008592582
*** Hackers completely paralyse Sony Pictures ***
---------------------------------------------
Unknown attackers brought business operations at Sony Pictures to a standstill on Monday. They are said to have hijacked all computers on the Sony subsidiary's corporate network. Sony's Play Store account is also said to be affected.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-legen-Sony-Pictures-komplett-la…
*** Secret Malware in European Union Attack Linked to U.S. and British Intelligence ***
---------------------------------------------
Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.
---------------------------------------------
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom…
*** EU experts: Exports of surveillance software should be more tightly controlled ***
---------------------------------------------
Economics Minister Gabriel wants to restrict the export of surveillance software at EU level. However, the first companies are already looking for ways to evade export controls.
---------------------------------------------
http://www.golem.de/news/eu-experten-exporte-von-spaehsoftware-sollen-staer…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 21-11-2014 18:00 − Monday 24-11-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Website Malware Removal: Phishing ***
---------------------------------------------
As we continue on our Malware Removal series we turn our attention to the increasing threat of Phishing infections. Just like a fisherman casts and reels with his fishing rod, a ..
---------------------------------------------
http://blog.sucuri.net/2014/11/website-malware-removal-phishing.html
*** Asterisk IP address security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98863
*** "NotCompatible": The most persistent Android malware so far ***
---------------------------------------------
Malware infects 20,000 devices daily - For sending spam, buying tickets and WordPress hacking
---------------------------------------------
http://derstandard.at/2000008502545
*** DoubleDirect MitM Attack Targets Android, iOS and OS X Users ***
---------------------------------------------
Security researchers have discovered a new type of "Man-in-the-Middle" (MitM) attack in the wild targeting smartphone and tablet users on devices running either iOS or Android around the world. The MitM attack, dubbed DoubleDirect, enables an attacker to redirect a victim's traffic of major websites ..
---------------------------------------------
http://thehackernews.com/2014/11/doubledirect-mitm-attack-targets_22.html
*** Spearphishing: One in five falls into the trap ***
---------------------------------------------
IT users are gullible. The promise of a discount is enough to collect plenty of passwords. Alarming figures from practice were revealed at the Vienna security conference Deepsec.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Spearphishing-Jeder-Fuenfte-geht-in-…
*** A Nightmare on Malware Street ***
---------------------------------------------
Another ransomware has been spotted in the wild lately, branded as CoinVault. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files a..
---------------------------------------------
http://securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/
*** ClamAV libclamav/pe.c buffer overflow ***
---------------------------------------------
ClamAV is vulnerable to a Heap Based buffer overflow, caused by improper bounds checking by the libclamav/pe.c file. A local attacker could overflow a buffer and execute arbitrary code on the system.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98882
*** Crypto protocols held back by legacy, says ENISA ***
---------------------------------------------
EU takes the microscope to security. The EU Agency for Network Information and Security (ENISA) has updated its 2013 crypto guidelines, designed to help developers protect personal information in line with EU law, and has sternly told crypto ..
---------------------------------------------
http://www.theregister.co.uk/2014/11/24/crypto_protocols_held_back_by_legac…
*** Symantec researchers find Regin malware, label it the new Stuxnet ***
---------------------------------------------
Government probably penned peerless p0wn cannon aimed at Russian and Saudi targets. An advanced malware instance said to be as sophisticated as Stuxnet and Duqu has been detected attacking the top end of town and has ..
---------------------------------------------
http://www.theregister.co.uk/2014/11/24/regin/
*** Triggering MS14-066 ***
---------------------------------------------
Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed. This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security ..
---------------------------------------------
http://blog.beyondtrust.com/triggering-ms14-066
*** Hacking RFID Payment Cards Made Possible with Android App ***
---------------------------------------------
We recently encountered a high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user's RFID bus transit card to recharge the credits. What is the mechanism ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-rfid-pay…
*** Protecting Against Unknown Software Vulnerabilities ***
---------------------------------------------
Bugs exist in every piece of code. It is suggested that for every 1,000 lines of code, there are on average 1 to 5 bugs to be found. Some of these bugs can have security implications; these are known as vulnerabilities. These vulnerabilities can be used to exploit and compromise your server, your site ..
---------------------------------------------
http://blog.sucuri.net/2014/11/protecting-against-unknown-software-vulnerab…
*** Linux distribution: Less is a possible gateway for attacks ***
---------------------------------------------
The tool Less is often used under Linux in conjunction with other tools, for instance to open files. According to a prominent hacker, this provokes many bugs and security vulnerabilities.
---------------------------------------------
http://www.golem.de/news/linux-distribution-less-als-moegliches-einfallstor…
*** Drupal update puts a stop to session theft ***
---------------------------------------------
The developers of the open-source CMS have closed two security holes in Drupal 6 and 7. The vulnerabilities can be abused to steal the sessions of logged-in users and to take down the server.
---------------------------------------------
http://www.heise.de/security/meldung/Drupal-Update-schiebt-Session-Klau-den…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 20-11-2014 18:00 − Friday 21-11-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Rich Telemetry for Cyber Incident Response and Malicious Code Analysis on Microsoft Windows ***
---------------------------------------------
5..4..3..2..1..launch Earlier this week we launched the first product from the research and development efforts of the NCC Group Security Labs team. NCC Group Security Labs is a combined centre within NCC Group which brings together experts from Security Technical Assurance, Security Research, Cyber Defence Operations and Security Software Development to work on innovative software solutions for real-world cyber security problems. The Problem The world of Cyber Defence Operations involves, in...
---------------------------------------------
https://www.nccgroup.com/en/blog/2014/11/rich-telemetry-for-cyber-incident-…
*** Securing Personal Data: ENISA guidelines on Cryptographic solutions ***
---------------------------------------------
ENISA is launching two reports today. The “Algorithms, key size and parameters” report of 2014 is a reference document providing a set of guidelines to decision makers, in particular specialists designing and implementing cryptographic solutions for personal data protection within commercial organisations or governmental services for citizens. The “Study on cryptographic protocols” provides an implementation perspective, covering guidelines regarding protocols required to protect commercial online communications containing personal data.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/securing-personal-data-enis…
*** Weekly Metasploit Wrapup: Exploiting Mobile Security Software ***
---------------------------------------------
Exploiting Security Software: Android Edition
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/11/21/weekly-me…
*** VB2014 paper: Sweeping the IP space: the hunt for evil on the Internet ***
---------------------------------------------
Dhia Mahjoub explains how the topology of the AS graph can be used to uncover hotspots of maliciousness. Over the next few months, we will be sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added Sweeping the IP space: the hunt for evil on the Internet by OpenDNS researcher Dhia Mahjoub. The Internet is often described as a network of networks. These individual networks are called Autonomous Systems (AS): collections of IPv4 and IPv6 network...
---------------------------------------------
http://www.virusbtn.com/blog/2014/11_21.xml?rss
*** WordPress 4.0.1 Update Patches Critical XSS Vulnerability ***
---------------------------------------------
The latest version of WordPress, 4.0.1, patches a critical cross-site scripting vulnerability in comment fields that enables admin-level control over a website.
---------------------------------------------
http://threatpost.com/wordpress-4-0-1-update-patches-critical-xss-vulnerabi…
*** The Internet of Things (IoT) will fail if security has no context ***
---------------------------------------------
The Internet of Things requires a new way of thinking and acting, one that will protect a business and help it grow.
---------------------------------------------
http://www.scmagazine.com/the-internet-of-things-iot-will-fail-if-security-…
*** Detekt - Free Anti-Malware Tool To Detect Govt. Surveillance Malware ***
---------------------------------------------
Human rights experts and Privacy International have launched a free tool allowing users to scan their computers for surveillance spyware, typically used by governments and other organizations to spy on human rights activists and journalists around the world. This free-of-charge anti-surveillance tool, called Detekt, is an open source software app released in partnership with Human rights...
---------------------------------------------
http://thehackernews.com/2014/11/detekt-free-anti-malware-tool-to-detect_20…
*** Most Targeted Attacks Exploit Privileged Accounts ***
---------------------------------------------
Most targeted attacks exploit privileged account access according to a new report commissioned by the security firm CyberArk.
---------------------------------------------
http://threatpost.com/most-targeted-attacks-exploit-privileged-accounts/109…
*** Security Advisory - High severity - WP-Statistics WordPress Plugin ***
---------------------------------------------
Advisory for: WordPress WP-Statistics Plugin
Security Risk: High (DREAD score: 7/10)
Exploitation level: Easy/Remote
Vulnerability: Stored XSS which executes on the administration panel.
Patched Version: 8.3.1
If you're using the WP-Statistics WordPress plugin on your website, now is the time to update. While doing a routine audit for our Website Firewall product, we discovered...
---------------------------------------------
http://blog.sucuri.net/2014/11/security-advisory-high-severity-wp-statistic…
*** Splunk Enterprise versions 6.0.7 and 5.0.11 address three vulnerabilities ***
---------------------------------------------
Description
Splunk Enterprise versions 6.0.7 and 5.0.11 address three vulnerabilities:
OpenSSL session ticket memory leak (SPL-91947, CVE-2014-3567)
TLS protocol enhancements related to POODLE (SPL-92062, CVE-2014-3566)
Persistent cross-site scripting (XSS) via Dashboard (SPL-89216, CVE-2014-5466)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product...
---------------------------------------------
http://www.splunk.com/view/SP-CAAANST
*** GNU C Library wordexp() command execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98852
*** PCRE pcre_exec.c buffer overflow ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98854
*** Multiple Huawei HiLink products cross-site request forgery ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98858
*** Asterisk DB Dialplan Function Lets Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031251
*** Asterisk CONFBRIDGE Lets Remote Authenticated Users Execute Arbitrary System Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1031250
*** Asterisk ConfBridge State Transition Error Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031247
*** Asterisk PJSIP Channel Driver Flaw in res_pjsip_refer Module Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031249
*** Asterisk PJSIP Channel Driver Race Condition Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031248
*** Asterisk PJSIP ACL Bug Lets Remote Users Bypass Access Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1031246
*** HPSBHF03052 rev.2 - HP Network Products running OpenSSL, Multiple Remote Vulnerabilities ***
---------------------------------------------
Version:1 (rev.1) - 20 June 2014 Initial release
Version:2 (rev.2) - 20 November 2014 Removed iMC Platform Products, 5900 virtual switch, and Router 8800 products. Further analysis revealed that those products are not vulnerable. Added additional products.
---------------------------------------------
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04347622
*** ZDI-14-385: Dell Sonicwall GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Dell SonicWALL Global Management System (GMS) virtual appliance. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-385/
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 19-11-2014 18:00 − Thursday 20-11-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ROVNIX Infects Systems with Password-Protected Macros ***
---------------------------------------------
We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX. Though a fairly old method for infection, cybercriminals realized that using malicious macros work...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/0rtiBt3T3E4/
*** Citadel Variant Targets Password Managers ***
---------------------------------------------
Some Citadel-infected computers have received a new configuration file, a keylogger triggered to go after the master passwords from three leading password management tools.
---------------------------------------------
http://threatpost.com/citadel-variant-targets-password-managers/109493
*** CryptoPHP: Analysis of a hidden threat inside popular content management systems ***
---------------------------------------------
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
---------------------------------------------
http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-ins…
*** An inside look: gathering and analyzing the SIR data ***
---------------------------------------------
At the Microsoft Malware Protection Center, threat data is a critical source of information to help protect our customers. We use it to understand what's going on in the overall malware ecosystem, determine the best way to protect our customers, and find the most effective way to deliver that protection. We also use the data to produce a number of reports to help our customers. This includes our bi-annual Security Intelligence Report (SIR). This blog post gives you a behind-the-scenes...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/11/19/an-inside-look-gathering…
*** Annual Privacy Forum 2014 materials and APF2015 - Call for partnership ***
---------------------------------------------
ENISA's Information Security and Data Protection Unit announces the commencement of preparations for the Annual Privacy Forum of 2015.
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/annual-privacy-forum-2014-mater…
*** Electronic Arts: Data Leak at Origin ***
---------------------------------------------
Origin, Electronic Arts' online portal, is currently displaying other users' personal data when the forums are accessed.
---------------------------------------------
http://www.golem.de/news/electronic-arts-datenpanne-bei-origin-1411-110689-…
*** How Splitting A Computer Into Multiple Realities Can Protect You From Hackers ***
---------------------------------------------
Eight years ago, Polish hacker Joanna Rutkowska was experimenting with rootkits - tough-to-detect spyware that infects the deepest level of a computer's operating system - when she came up with a devious notion: What if, instead of putting spyware inside a victim's computer, you put the victim's computer inside the spyware? At the time, a technology known...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/40ab9794/sc/4/l/0L0Swired0N0C20A1…
*** Vulnerabilities identified in three Advantech products ***
---------------------------------------------
Researchers with Core Security have identified vulnerabilities in three products manufactured by Advantech, some of which can be exploited remotely.
---------------------------------------------
http://www.scmagazine.com/vulnerabilities-identified-in-three-advantech-pro…
*** Bugtraq: [CORE-2014-0009] - Advantech EKI-6340 Command Injection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534021
*** Bugtraq: [CORE-2014-0008] - Advantech AdamView Buffer Overflow ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534022
*** Bugtraq: [CORE-2014-0010] - Advantech WebAccess Stack-based Buffer Overflow ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534023
*** Drupal Patches Denial of Service Vulnerability; Details Disclosed ***
---------------------------------------------
Drupal has patched a denial of service and account hijacking vulnerability, details of which were disclosed by the researchers who discovered the issue.
---------------------------------------------
http://threatpost.com/drupal-patches-denial-of-service-vulnerability-detail…
*** Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description
Session hijacking (Drupal 6 and 7)
A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS...
---------------------------------------------
https://www.drupal.org/SA-CORE-2014-006
*** DRUPAL Security Advisories for Third-Party Modules ***
---------------------------------------------
https://www.drupal.org/node/2378287
https://www.drupal.org/node/2378279
https://www.drupal.org/node/2378441
https://www.drupal.org/node/2378401
https://www.drupal.org/node/2378367
*** R7-2014-18: Hikvision DVR Devices - Multiple Vulnerabilities ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-1…
*** Paid Memberships Pro plugin for WordPress getfile.php directory traversal ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98805
*** Lsyncd default-rsyncssh.lua command execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98806
*** Security Advisory-App Validity Check Bypass Vulnerability in Huawei P7 Smartphone ***
---------------------------------------------
Nov 20, 2014 14:53
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Vuln: MantisBT core/file_api.php Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/71104
*** Xen Security Advisory 113 - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling ***
---------------------------------------------
An error handling path in the processing of MMU_MACHPHYS_UPDATE failed to drop a page reference which was acquired in an earlier processing step.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-11/msg00003.html
*** IBM Security Network Protection Shell Command Injection ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98519
*** IBM Security Bulletins related to POODLE ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Other IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 18-11-2014 18:00 − Wednesday 19-11-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MS14-068 - Critical: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Version: 1.0 ***
---------------------------------------------
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to...
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-068
*** Additional information about CVE-2014-6324 ***
---------------------------------------------
Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible. Vulnerability Details CVE-2014-6324 allows...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-ab…
*** Google Removes SSLv3 Fallback Support From Chrome ***
---------------------------------------------
Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month. When the POODLE attack was disclosed by several Google researchers in October, the company said that it had added a change to Chrome that would...
---------------------------------------------
http://threatpost.com/google-removes-sslv3-fallback-support-from-chrome/109…
*** A New Free CA ***
---------------------------------------------
Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/11/a_new_free_ca.html
*** Survey: real-time SIEM solutions help orgs detect attacks within minutes ***
---------------------------------------------
Real-time security information and event management solutions help organizations detect targeted attacks and advanced persistent threats within minutes, according to a McAfee survey.
---------------------------------------------
http://www.scmagazine.com/survey-real-time-siem-solutions-help-orgs-detect-…
*** POWELIKS Levels Up With New Autostart Mechanism ***
---------------------------------------------
Last August, we wrote about POWELIKS's malware routines that are known for hiding its malicious codes in the registry entry as part of its evasion tactics. In the newer samples we spotted, malware detected as TROJ_POWELIKS.B employed a new autostart mechanism and removes users' privileges in viewing the registry's content. As a result, users won't be able to suspect that...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/zurdvNxST00/
*** Pan-European Cyber Security Competition organised by ENISA ***
---------------------------------------------
Today (19 November 2014) the European Union Agency for Network and Information Security (ENISA) is happy to announce the planning of the 1st pan-European Cyber Security Competition in 2015. The competition is organised jointly in collaboration with experienced organisations from EU Member States for students.
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/pan-european-cyber-security-com…
*** RSS Reveals Malware Injections ***
---------------------------------------------
There are multiple different ways to detect invisible malware on a website: You can scrutinize the HTML code of web pages. Use external scanners like SiteCheck or UnmaskParasites. Get alerts from anti-viruses or search engines (both in search results and via their Webmaster Tools). Try to open web pages with different User-Agents and check for...
---------------------------------------------
http://blog.sucuri.net/2014/11/rss-reveals-malware-injections.html
*** Test Tool for Web App Security Scanners Released by Google ***
---------------------------------------------
A new tool was open-sourced by Google on Tuesday, aiming at improving the efficiency of automated web security scanners by evaluating them with patterns of vulnerabilities already seen in the wild.
---------------------------------------------
http://news.softpedia.com/news/Test-Tool-for-Web-App-Security-Scanners-Rele…
*** Microsoft Revises the SChannel Patch ***
---------------------------------------------
Quietly, along with Tuesday's out-of-band update, the Windows makers also shipped a new revision of the SChannel patch. It is meant to fix the problems with TLS encryption and the massive performance losses with SQL Server.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-bessert-beim-SChannel-Patch-…
*** Most advanced mobile botnet EVER is coming for your OFFICE Androids ***
---------------------------------------------
NotCompatible A newly discovered variant of NotCompatible is establishing what has been called the most advanced mobile botnet yet created.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/19/android_bot…
*** jQuery: Cross-Site Scripting in Captcha Sample Code Widespread ***
---------------------------------------------
A popular jQuery plugin ships code containing a cross-site scripting vulnerability. The vulnerable code originally comes from a sample script for captchas that can be found on a great many websites.
---------------------------------------------
http://www.golem.de/news/jquery-cross-site-scripting-in-captcha-beispielcod…
*** A Peek Inside a PoS Scammer's Toolbox ***
---------------------------------------------
PoS malware has been receiving a tremendous amount of attention in the past two years with high profile incidents like Target, Home Depot, and Kmart. With the massive "Black Friday" shopping season coming up, PoS malware will surely get additional publicity. This high profile nature means, we constantly look for evolving PoS malware and look into their behavior...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/xF7gxViXP4A/
*** Nasty Security Bug Fixed in Android Lollipop 5.0 ***
---------------------------------------------
There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week. The vulnerability lies in java.io.ObjectInputStream, which fails to check whether...
---------------------------------------------
http://threatpost.com/nasty-security-bug-fixed-in-android-lollipop-5-0/1094…
*** Cisco Unified Communications Manager IM and Presence Service Enumeration Vulnerability ***
---------------------------------------------
CVE-2014-8000
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Multiple Samsung Galaxy Devices knox code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98780
*** Google Chrome pdfium code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98790
*** Bugtraq: [SECURITY] [DSA 3074-2] php5 regression update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534018
*** Bugtraq: Reflected Cross-Site Scripting (XSS) in Simple Email Form Joomla Extension ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534017
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 17-11-2014 18:00 − Tuesday 18-11-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Out-of-band release for Security Bulletin MS14-068 ***
---------------------------------------------
On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows. We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/11/18/out-of-band-release-for-…
*** VB2014 paper: Optimized mal-ops. Hack the ad network like a boss ***
---------------------------------------------
Why buying ad space makes perfect sense for those wanting to spread malware. Over the next few months, we will be sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added Optimized mal-ops. Hack the ad network like a boss by Bromium researchers Vadim Kotov and Rahul Kashyap. Malicious advertisements (malvertising) go back more than a decade, yet in recent months we have seen a surge in these attacks, including the Kyle and Stan campaign, which...
---------------------------------------------
http://www.virusbtn.com/blog/2014/11_18.xml?rss
*** l+f: Vulnerabilities in BitTorrent Sync ***
---------------------------------------------
A security audit has found a number of minor and major vulnerabilities in the file-sharing service.
---------------------------------------------
http://www.heise.de/security/meldung/l-f-Luecken-bei-BitTorrent-Sync-245985…
*** Matsnu Botnet DGA Discovers Power of Words ***
---------------------------------------------
The Matsnu botnet has deployed a new domain generation algorithm that builds domain names from a list of nouns and verbs. The plain English phrases help the DGA elude detection.
---------------------------------------------
http://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426
*** Cisco Releases Security Analytics Framework to Open Source ***
---------------------------------------------
Cisco's OpenSOC, a security analytics framework, has been released to open source.
---------------------------------------------
http://threatpost.com/cisco-releases-security-analytics-framework-to-open-s…
*** The NSA's Efforts to Ban Cryptographic Research in the 1970s ***
---------------------------------------------
New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/11/the_nsas_effort.html
*** Flashpack Exploit Kit Used in Free Ads, Leads to Malware Delivery Mechanism ***
---------------------------------------------
In the entry FlashPack Exploit Leads to New Family of Malware, we tackled the Flashpack exploit kit and how it uses three URLs namely (http://{malicious domain}/[a-z]{3}[0-9]{10,12}/loxotrap.php, http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php, http://{malicious domain}/[a-z]{3}[0-9]{10,12}/ldcigar.php) as its landing site. We monitored the abovementioned URLs and found out that the FlashPack exploit kit is now using free ads to distribute malware such as...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/-FQFl818dVo/
*** IT threat evolution Q3 2014 ***
---------------------------------------------
Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014. Our solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts. 74,489 new malicious mobile programs were detected, including 7010 mobile banking Trojans.
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/67637/it-threat-ev…
*** Microsoft's SChannel Fix Becomes a Problem Patch ***
---------------------------------------------
Microsoft has confirmed that the patch for the Windows crypto function causes problems on servers. It is said to affect both SQL Server and IIS. The update is nevertheless still being distributed.
---------------------------------------------
http://www.heise.de/security/meldung/Microsofts-SChannel-Fix-wird-zum-Probl…
*** Cisco IOS DLSw Information Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-7992
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Integrated Management Controller Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2014-7996
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Vuln: Check Point Security Gateway Multiple Denial of Service Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/67993
*** Rails Action Pack Bug Lets Remote Users Determine if Specified Files Exist on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1031217
*** Moodle Bugs Permit Cross-Site Scripting, Cross-Site Request Forgery, and Information Disclosure Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1031215
*** Tcpdump Multiple Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031235
*** Xen Security Advisory 110 (CVE-2014-8595) - Missing privilege level checks in x86 emulation of far branches ***
---------------------------------------------
The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-11/msg00001.html
*** Xen Security Advisory 109 (CVE-2014-8594) - Insufficient restrictions on certain MMU update hypercalls ***
---------------------------------------------
MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP).
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2014-11/msg00002.html
*** Apple Security Advisories ***
---------------------------------------------
APPLE-SA-2014-11-17-1 iOS 8.1.1
APPLE-SA-2014-11-17-2 OS X Yosemite 10.10.1
APPLE-SA-2014-11-17-3 Apple TV 7.0.2
---------------------------------------------
http://support.apple.com/kb/HT1222
*** IBM Security Bulletins related to a Vulnerability in SSLv3 (POODLE) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Other IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 14-11-2014 18:00 − Monday 17-11-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft Updates MS14-066, (Sun, Nov 16th) ***
---------------------------------------------
Microsoft updated MS14-066 to warn users about some problems caused by the additional ciphers added with the update [1]. It appears that clients who may not support these ciphers may fail to connect at all. The quick fix is to remove the ciphers by editing the respective registry entry (see the KB article link below for more details). One user reported to us performance issues when connecting from MSFT Access to SQL Server, which are related to these ciphers. Sadly, MS14-066 hasn't been
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18957&rss
*** EVERYTHING needs crypto says Internet Architecture Board ***
---------------------------------------------
Calls for all new protocols to protect privacy, all the time, everywhere
The Internet Architecture Board (IAB) has called for encryption to become the norm for all internet traffic.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/16/net_gurus_f…
*** "Masked Apps": Apple Publishes Security Guidelines for App Installation ***
---------------------------------------------
Apps signed with enterprise certificates can be installed on iOS devices, bypassing the App Store. Attackers can exploit this to replace apps with manipulated versions. Apple wants to use tips to raise users' awareness of malware.
---------------------------------------------
http://www.heise.de/security/meldung/Maskierte-Apps-Apple-veroeffentlicht-S…
*** 91st IETF Meeting: Preventing the Hijacking of BGP Routes ***
---------------------------------------------
Time and again, Internet traffic is rerouted unnoticed along strange paths to its actual destination. Whether these are eavesdropping operations or merely mishaps is often unclear. Network operators could now get a means of countering this.
---------------------------------------------
http://www.heise.de/newsticker/meldung/91-Treffen-der-IETF-Das-Kapern-von-B…
*** Attack reveals 81 percent of Tor users but admins call for calm ***
---------------------------------------------
Cisco Netflow a handy tool for cheapskate attackers
The Tor project has urged calm after new research found 81 percent of users could be identified using Cisco's NetFlow tool.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/17/deanonymiza…
*** WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed ***
---------------------------------------------
SChannel exploit opens an easily closed door. Security researchers have released a proof-of-concept exploit against the SChannel crypto library flaw patched by Microsoft last week.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/17/ms_schannel…
*** Patch now: Details of the SChannel vulnerability in Windows are circulating ***
---------------------------------------------
Administrators should immediately apply the patches for the critical Windows vulnerability that Microsoft closed last week. Otherwise they risk attackers injecting malicious code over the network.
---------------------------------------------
http://www.heise.de/security/meldung/Jetzt-patchen-Details-zur-SChannel-Lue…
*** Book review: Bulletproof SSL and TLS ***
---------------------------------------------
Must-read for anyone working with one of the Internet's most important protocols. I was reading Ivan Ristić's book Bulletproof SSL and TLS when rumours started to appear about an attack against SSL 3.0, which would soon become commonly known as the POODLE attack. Thanks to the book, I was quickly able to read up on the differences between SSL 3.0 and its successor, TLS 1.0, which wasn't vulnerable to the attack. Elsewhere in the book, a few pages are dedicated to protocol downgrade attacks,...
---------------------------------------------
http://www.virusbtn.com/blog/2014/11_17.xml?rss
*** Holy cow! Fasthosts outage blamed on DDoS hack attack AND Windows 2003 vuln ***
---------------------------------------------
Monday, bloody Monday. Fasthosts' five-hour collapse today has been blamed on a Distributed Denial of Service attack and a security flaw spotted on its Windows 2003 shared web server kit.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/11/17/fasthosts_o…
*** Comedy spam blunder raises a smile to start the week ***
---------------------------------------------
We all get lots of spam. Enough, even with junk folders and spam filters, to be more than merely annoying. So here's a spamming mistake to make you smile...
---------------------------------------------
https://nakedsecurity.sophos.com/2014/11/17/comedy-spam-blunder-raises-a-sm…
*** Cisco Aironet DHCP Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-7997
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Aironet EAP Debugging Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-7998
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** SSA-860967 (Last Update 2014-11-14): GNU Bash Vulnerabilities in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Hot fix to address POODLE SSLv3 vulnerability on Designer 4.0.2 AU5 SVN HTTPS access ***
---------------------------------------------
Abstract: Designer 4.0.2 uses SSLv3 to access SVN repositories over HTTPS, making it vulnerable to the POODLE weakness in the SSL protocol (CVE-2014-3566). This hot fix addresses the issue by disabling SSLv3 and allowing usage of TLSv1 instead. Document ID: 5195492. Security Alert: Yes. Distribution Type: Field Test File. Entitlement Required: No. Files: Designer402AU5HF1.zip (2.09 MB). Products: Identity Manager 4.0.2, Identity Manager Roles Based Provisioning Module 4.0.2, Designer for Identity...
---------------------------------------------
https://download.novell.com/Download?buildid=NjOScYlrw_E~
*** Hot Patch 2 for Novell Messenger 2.2 (security fixes to Messenger's server and client components) ***
---------------------------------------------
https://download.novell.com/Download?buildid=I2DgXp6pwVY~
https://download.novell.com/Download?buildid=sJ4Wcd1G7Bo~
https://download.novell.com/Download?buildid=66t5njTLVmk~
*** DSA-3073 libgcrypt11 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3073
*** Vuln: GnuTLS CVE-2014-8564 Multiple Heap Corruption Denial of Service Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/71003
*** HPSBGN03192 rev.1 - HP Remote Device Access: Instant Customer Access Server (iCAS) running OpenSSL, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP Remote Device Access: Instant Customer Access Server (iCAS) running OpenSSL. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "Poodle", which could be exploited remotely to allow disclosure of information. SSLv3 is enabled by default in the current HP iCAS client software.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Security Bulletin: IBM Systems Director (ISD) is affected by vulnerability in the Console Login Window (CVE-2013-5423) ***
---------------------------------------------
IBM Systems Director is affected by a vulnerability in the Console Login Window (CVE-2013-5423). CVE(s): CVE-2013-5423 Affected product(s) and affected version(s): Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096563 X-Force Database: http://xforce.iss.net/xforce/xfdb/87485
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm…
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect GPFS V3.5 for Windows (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568) ***
---------------------------------------------
OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by GPFS V3.5 for Windows. GPFS V3.5 for Windows has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL. CVE(s): CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568 Affected product(s) and affected version(s): OpenSSH for GPFS V3.5 for Windows Refer to the following reference
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletins: Vulnerability in SSLv3 affects multiple products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_vul…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** [webapps] - MyBB Forums 1.8.2 - Stored XSS Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/35266