Daily November 2014

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - Freitag 14-11-2014
by Daily end-of-shift report 14 Nov '14

14 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 13-11-2014 18:00 − Freitag 14-11-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Network Hijackers Exploit Technical Loophole *** --------------------------------------------- Spammers have been working methodically to hijack large chunks of Internet real estate by exploiting a technical and bureaucratic loophole in the way that various regions of the globe keep track of the worlds Internet address ranges. --------------------------------------------- http://krebsonsecurity.com/2014/11/network-hijackers-exploit-technical-loop… *** BASHLITE Affects Devices Running on BusyBox *** --------------------------------------------- When news of the Shellshock vulnerability broke out at the end of September, we spotted several attacks that leveraged the said vulnerability, thus manifesting the prevalence or even evolution on how attackers used the .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects… *** OnionDuke: APT Attacks Via the Tor Network *** --------------------------------------------- Recently, research was published identifying a Tor exit node, located in Russia, that was consistently and maliciously modifying any uncompressed Windows executables downloaded through it. Naturally this piqued our interest, so we decided to peer down the rabbit hole. Suffice to say, the hole was a lot deeper than we expected! In fact, it went all the way .. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002764.html *** The Art of Website Malware Removal - The Basics *** --------------------------------------------- When talking about defense against malicious hacks, the attack vector is a common topic for Information Security (InfoSec) professionals. The primary concern is to understand the anatomy of the attack and prevent it from happening .. --------------------------------------------- http://blog.sucuri.net/2014/11/the-art-of-website-malware-removal-the-basic… *** Android 5: Lollipop verschlüsselt - noch besser *** --------------------------------------------- Mehr Sicherheit für persönliche Daten: Ab Android 5.0 aktiviert Google die automatische Verschlüsselung. Es ist nur eine von vielen zusätzlichen Sicherheitsfunktionen in Lollipop. --------------------------------------------- http://www.golem.de/news/android-5-lollipop-verschluesselt-noch-besser-1411… *** Gefälschte iOS-Apps: Apple sind keine Angriffe bekannt *** --------------------------------------------- Apple sieht nach einer Warnung vor Hacker-Angriffen mit gefälschten iOS-Apps keinen akuten Handlungsbedarf. "Uns sind keine Kunden bekannt, die von einer solchen Attacke betroffen gewesen wären", erklärte der Konzern gegenüber .. --------------------------------------------- http://www.heise.de/security/meldung/Gefaelschte-iOS-Apps-Apple-sind-keine-… *** Son of Stuxnet - The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus *** --------------------------------------------- Boldizsar Bencsath took a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and Economics, where .. --------------------------------------------- https://firstlook.org/theintercept/2014/11/12/stuxnet/ *** Android und iPhone beim Mobile Pwn2Own gefällt *** --------------------------------------------- Alle drei grossen Mobil-Betriebssysteme sind bei der diesjährigen Mobile-Ausgabe von HPs Pwn2Own-Wettbewerb erfolgreichen Hacks zum Opfer gefallen. Der Angriff auf Windows Phone ist dabei allerdings im Vergleich noch eher harmlos. --------------------------------------------- http://www.heise.de/security/meldung/Android-und-iPhone-beim-Mobile-Pwn2Own… *** SChannel Update and Experimental Vulnerability Scanner (MS14-066), (Fri, Nov 14th) *** --------------------------------------------- Just a quick update on the SChannel problem (MS14-066, CVE-2014-6321). So far, there is still no public available exploit for the vulnerability, and details are still sparse. But apparently, there is some progress in developing a .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18953

1 0

Tageszusammenfassung - Donnerstag 13-11-2014
by Daily end-of-shift report 13 Nov '14

13 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 12-11-2014 18:00 − Donnerstag 13-11-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** DNSSEC mit zu kurzen RSA-Schlüsseln *** --------------------------------------------- Unter anderem bei DNSSEC kommen noch sehr oft RSA-Schlüssel mit 1024 Bit zum Einsatz. Das könnte noch gefährlicher sein, als bisher angenommen, warnen Kryptologen. --------------------------------------------- http://www.heise.de/security/meldung/DNSSEC-mit-zu-kurzen-RSA-Schluesseln-2… *** Microsoft Patchday November 2014 *** --------------------------------------------- Normalerweise schreiben wir nichts über die monatlichen Patchdays von Microsoft: wir schreiben ja auch nicht, wenn ein heller Feuerball in der Früh im Osten über den Horizont steigt. Fast jeder IT Verantwortliche kennt das monatliche Spiel: Lesen, bewerten, eventuell testen dann der Rollout der Patches auf Server und Clients. Dieses .. --------------------------------------------- http://www.cert.at/services/blog/20141112130155-1300.html *** Evolution of Upatre Trojan Downloader *** --------------------------------------------- Upatre is a Trojan Downloader family that once installed, is responsible for stealing information and downloading additional malware onto the victim machine. It typically arrives via spammed e-mail messages from the Cutwail Botnet, either as an attachment or via a URL pointing to a remote hosting site. We are also seeing Exploit Kits being used as a vector for Upatre infections in the wild. --------------------------------------------- http://research.zscaler.com/2014/11/evolution-of-upatre-trojan-downloader.h… *** SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS) *** --------------------------------------------- The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites. The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting (XSS) vulnerability. --------------------------------------------- https://www.drupal.org/node/2373981 *** SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass *** --------------------------------------------- The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. --------------------------------------------- https://www.drupal.org/node/2373973 *** SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting *** --------------------------------------------- The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site Scripting (XSS) attack. This vulnerability is mitigated by the fact that an .. --------------------------------------------- https://www.drupal.org/node/2373961 *** Annus HORRIBILIS! ALL the main TLS stacks now officially pwned in 2014 *** --------------------------------------------- Critical crypto 0-day not the worst of mega Nov patch batch The appearance of a critical vuln in Microsoft SChannel - patched as part of this years bumper November Patch Tuesday - means that every major TLS stack has now fallen to a critical flaw at some time during this year. --------------------------------------------- http://www.theregister.co.uk/2014/11/12/ms_crypto_library_megaflaw/ *** Use Protection if Peering Promiscuously *** --------------------------------------------- Last week, I wrote a blog post discussing the dangers of BGP routing leaks between peers, illustrating the problem using examples of recent snafus between China Telecom and Russia’s Vimpelcom. This follow-up blog post provides three additional examples of misbehaving peers and further demonstrates the impact unmonitored routes can have on Internet performance .. --------------------------------------------- http://research.dyn.com/2014/11/use-protection-if-peering-promiscuously/ *** Microsoft stopft ein fast zwei Jahrzehnte altes Sicherheitsloch *** --------------------------------------------- Microsoft hat eine seit fast zwei Jahrzehnten existierende Sicherheitslücke in seinem Windows-Betriebssystem gestopft. Microsoft stufte das Problem in einem am Mittwoch veröffentlichten Sicherheitshinweis als "ernst" ein und stellte ein Update zur Verfügung. --------------------------------------------- http://derstandard.at/2000008083067 *** Phisher zielen auf Apple-Pay-Interessenten ab *** --------------------------------------------- Mit einer auf deutschsprachige Nutzer ausgelegten E-Mail wird derzeit nach Apple-ID-Accounts geangelt. Sie laden vorgeblich zur Registrierung für den bislang nur in den USA verfügbaren iPhone-Bezahldienst ein. --------------------------------------------- http://www.heise.de/security/meldung/Phisher-zielen-auf-Apple-Pay-Interesse…

1 0

Tageszusammenfassung - Mittwoch 12-11-2014
by Daily end-of-shift report 12 Nov '14

12 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 11-11-2014 18:00 − Mittwoch 12-11-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security updates available for Adobe Flash Player (APSB14-24) *** --------------------------------------------- A Security Bulletin (APSB14-24) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. --------------------------------------------- http://blogs.adobe.com/psirt/?p=1141 *** MS14-NOV - Microsoft Security Bulletin Summary for November 2014 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS14-NOV *** Assessing Risk for the November 2014 Security Updates *** --------------------------------------------- Today we released fourteen security bulletins addressing 33 unique CVEs. Four bulletins have a maximum severity rating of Critical, eight have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. This table is designed to help you prioritize .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-no… *** Erpressung mit Kinderpornos: Exploit-Kit Angler verteilt Android-Trojaner *** --------------------------------------------- Ein Virenforscher hat einen perfiden Schädling entdeckt, der Android-Nutzer mit kinderpornografischem Material zu erpressen versucht. Er wird bereits über das verbreitete Exploit-Kit Angler verteilt. --------------------------------------------- http://www.heise.de/security/meldung/Erpressung-mit-Kinderpornos-Exploit-Ki… *** Rockwell Automation Connected Components Workbench ActiveX Component Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for two custom ActiveX Component vulnerabilities in Rockwell Automation's Connected Components Workbench application. --------------------------------------------- https://ics-cert.us-cert.gov//advisories/ICSA-14-294-01 *** Security: Dutzende Schwachstellen in Newsletter-Diensten behoben *** --------------------------------------------- Die Sicherheitslücken reichen von XSS-Fehlern über unsichere Formulare bis hin zu SQL-Injection-Schwachstellen: In drei weit verbreiteten E-Mail-Marketing- und Newsletter-Diensten haben IT-Sicherheitsexperten zahlreiche Schwachstellen entdeckt. Sie sind in Absprache mit den Herstellern inzwischen behoben worden. --------------------------------------------- http://www.golem.de/news/security-dutzende-schwachstellen-in-newsletter-die… *** MSRT November 2014 - Tofsee *** --------------------------------------------- This month we added the Win32/Tofsee and Win32/Zoxpng malware families to the Malicious Software Removal Tool. Zoxpng is a backdoor component that can execute remote commands from a malicious hacker. It is related to Win32/Hikiti and the other threats added to the MSRT last .. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/11/11/msrt-november-2014-tofse… *** The Psychology Behind Why Websites Get Hacked *** --------------------------------------------- It's an everyday conversation for security professionals that interact with everyday website owners. The one where we have to explain that just because everything seems fine, doesn't mean that the best security practices .. --------------------------------------------- http://blog.sucuri.net/2014/11/the-psychology-behind-why-websites-get-hacke… *** Bugtraq: CVE-2014-8731 - RCE in phpMemcachedAdmin <=1.2.2 *** --------------------------------------------- http://www.securityfocus.com/archive/1/533968 *** SAP Governance, Risk and Compliance (SAP GRC) Multiple Critical Vulnerabilities *** --------------------------------------------- http://cxsecurity.com/issue/WLB-2014110071 *** Expired antimalware software is nearly as unsafe as having no protection at all *** --------------------------------------------- Analyzing data to find the root cause of infections has been a long-standing focus of the MMPC. One area weve been investigating is the correlation between endpoint protection and infection rates. Back in version 14 of the Security Intelligence Report (SIRv14), we first published data on infection .. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/11/12/expired-antimalware-soft… *** Only Half of USB Devices Have an Unpatchable Flaw, But No One Knows Which Half *** --------------------------------------------- After testing the USB controller chips of all eight major manufacturers, the researcher who first discovered BadUSB has some good news and some bad news. The post .. --------------------------------------------- http://www.wired.com/2014/11/badusb-only-affects-half-of-usbs/

1 0

Tageszusammenfassung - Dienstag 11-11-2014
by Daily end-of-shift report 11 Nov '14

11 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 10-11-2014 18:00 − Dienstag 11-11-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified Communications Manager Remote Mobile Access Subsystem Vulnerability *** --------------------------------------------- A vulnerability in the Remote Mobile Access Subsystem in Cisco Unified Communications Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to supply a crafted Transport Layer Security (TLS) certificate that may be accepted by the affected device. The vulnerability is due to improper validation of the SAN field of a TLS certificate. An attacker could exploit this vulnerability by impersonating a VCS core device and supplying a certificate signed by a certificate authority trusted by the Cisco Unified CM that contains crafted values in the SAN field. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Lessons Learn from attacks on Kippo honeypots, (Mon, Nov 10th) *** --------------------------------------------- A number of my fellow Handlers have discussed Kippo, a SSH honeypot that can record adversarial behaviour, be it human or machine. Normal behaviour against my set of Kippo honeypots is randomly predictable; a mixture of known bad IP ranges, researchers or from behind TOR scanning and probing, would be attackers manually entering information from their jump boxes .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18935 *** Hackerangriff auf US-Post *** --------------------------------------------- Der staatliche US Postal Service ist Opfer eines Hackerangriffs geworden. Dabei hätten die Angreifer möglicherweise Zugriff auf persönliche Daten von mehr als 800.000 Beschäftigten sowie von Kunden erhalten, die den Kundendienst per Mail oder Telefon kontaktiert hätten, teilte das Unternehmen .. --------------------------------------------- http://derstandard.at/2000007973390 *** iOS: Schwachstelle erlaubt Installation manipulierter Apps *** --------------------------------------------- Zum zweiten Mal innerhalb weniger Tage entdeckten Datenexperten eine potenzielle Angriffsmethode für Malware in Apples mobilem Betriebssystem iOS. Die IT-Sicherheitsfirma Fireeye warnt vor einer Infizierung von iPhones oder iPads mit einer Methode namens Masque Attack, die auch ohne Jailbreak funktioniert. Dabei .. --------------------------------------------- http://www.golem.de/news/ios-schwachstelle-erlaubt-installation-manipuliert… *** Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement *** --------------------------------------------- As the pro-democracy movement in Hong Kong has continued, we've been watching for indications of confrontation taking place in cyberspace. Protests began in September and have continued to escalate. In recent weeks, attackers have launched .. --------------------------------------------- http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-u… *** Old-time phishing scams are working just fine, Google finds *** --------------------------------------------- A new Google study has found that the true masterpieces of phishing are successful 45% of the time. Its just another example of how phishers may be old dogs, but they can sure learn new tricks. --------------------------------------------- http://nakedsecurity.sophos.com/2014/11/11/old-time-phishing-scams-are-work… *** Stuxnet: Zero Victims *** --------------------------------------------- We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worms different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims). --------------------------------------------- http://securelist.com/analysis/publications/67483/stuxnet-zero-victims/ *** Important EMET 5.1 Update. Apply before Patches today, (Tue, Nov 11th) *** --------------------------------------------- Microsoft yesterday release EMET 5.1 . One particular sentence in Microsofts blog post suggests that you should apply this update (if you are using EMET) BEFORE you apply the Interent Explorer patch Microsoft is going to release in a couple of hours: ">If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18939

1 0

Tageszusammenfassung - Montag 10-11-2014
by Daily end-of-shift report 10 Nov '14

10 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 07-11-2014 18:00 − Montag 10-11-2014 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WireLurker zielt auch als Windows-Trojaner auf iOS-Geräte ab *** --------------------------------------------- Nebem dem Mac-Trojaner haben Sicherheitsforscher inzwischen auch eine Windows-Ausführung aufgespürt. Sie hat es ebenfalls auf angeschlossene iPhones oder iPads abgesehen und schleust auf diesen Malware ein. --------------------------------------------- http://www.heise.de/security/meldung/WireLurker-zielt-auch-als-Windows-Troj… *** VU#432608: IBM Notes Traveler for Android transmits user credentials over HTTP *** --------------------------------------------- The IBM Notes Traveler application for Android does not enforce the use of HTTPS for transmitting user credentials, which can allow an attacker to obtain this information. --------------------------------------------- http://www.kb.cert.org/vuls/id/432608 *** Malicious iframe Injector Found in Adobe Flash File (.SWF) *** --------------------------------------------- Finding malware in Adobe Flash files (.swf) is nothing new, but it usually affects personal computers, not servers. Typically, a hidden iframe is used to drop a binary browser exploit with .SWF files, infecting the client machine. This time we saw the opposite, where a binary .SWF file injects an invisible iframe. This .. --------------------------------------------- http://blog.sucuri.net/2014/11/malicious-injector-in-swf-adobe-flash-file.h… *** Keine Entwarnung beim Router-Farming *** --------------------------------------------- Laut Mitarbeitern der tschechichen CZ.NIC Labs gibt es weltweit mehr als eine halbe Million Router, die ihre Konfiguration und damit das Zugangspasswort unbemerkt herausgeben. Angreifer können Nutzer der Router auf Phishing-Seiten umleiten. --------------------------------------------- http://www.heise.de/security/meldung/Keine-Entwarnung-beim-Router-Farming-2… *** Security: Bilder tausender unsicherer Webcams im Internet zu sehen *** --------------------------------------------- Menschen zu Hause in ihrem Fernsehsessel oder bei der Arbeit am Rechner: Das zeigt eine Webseite - ohne dass die Betroffenen davon wissen. Die unbekannten Betreiber haben dafür weltweit tausende Webcams angezapft. (Datenschutz, Netzwerk) --------------------------------------------- http://www.golem.de/news/security-tausende-unsichere-webcams-im-internet-zu… *** Einfache Lösung zum Live-Patching des Linux-Kernels *** --------------------------------------------- Red-Hat- und Suse-Mitarbeiter arbeiten gemeinsam an einer Live-Patching-Lösung für den Linux-Kernel. Erster Code wurde jetzt veröffentlicht, kann aber weniger Lücken stopfen als Kpatch und kGraft. --------------------------------------------- http://www.heise.de/security/meldung/Einfache-Loesung-zum-Live-Patching-des… *** BND-Kauf von Zero Days: CCC warnt vor "Mitmischen im Schwachstellen-Schwarzmarkt" *** --------------------------------------------- "An Dreistigkeit kaum zu überbieten": Der Chaos Computer Club kritisiert die angeblichen Pläne des BND zum Ankauf von bislang unbekannten Sicherheitslücken. Das Geld liesse sich viel besser verwenden. --------------------------------------------- http://www.golem.de/news/bnd-kauf-von-zero-days-ccc-warnt-vor-mitmischen-im… *** The Dangers of Hosted Scripts - Hacked jQuery Timers *** --------------------------------------------- Google blacklisted a client's website claiming that malicious content was being displayed from forogozoropoto.2waky.com. A scan didn't reveal anything suspicious. The next step was to check all third-party scripts on the website. Soon we found the offending script. It was hxxp://jquery.offput.ca/js/jquery.timers.js - a jQuery Timers plugin that was .. --------------------------------------------- http://blog.sucuri.net/2014/11/the-dangers-of-hosted-scripts-hacked-jquery-… *** Removing Wirelurker from Your iOS or OSX Device *** --------------------------------------------- In an earlier blog post, we tackled what Wirelurker malware is and its security implications and risks for iOS and OSX devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we'dd like .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/removing-wirelur… *** Angriff im Hotel-Netz *** --------------------------------------------- Unter dem Namen Darkhotel berichtet Kaspersky über eine Gruppe von Angreifern mit einer ungewöhnlichen Vorgehensweise: Sie attackieren ihre Opfer auf Auslandsreisen im Netz des Hotels. --------------------------------------------- http://www.heise.de/security/meldung/Angriff-im-Hotel-Netz-2445108.html *** TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System *** --------------------------------------------- Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:Security patches that help protect PCs from harmful viruses, spyware, and other malicious software. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA14-310A *** Verschlüsselung: Parallele Angriffe auf RSA-Schlüssel mit 1.024 Bit *** --------------------------------------------- Kurze RSA-Schlüssel lassen sich schneller und günstiger brechen, wenn man einen Angriff auf viele Schlüssel gleichzeitig durchführt. Insbesondere bei DNSSEC sind RSA-Schlüssel mit 1.024 Bit noch in breitem Einsatz. --------------------------------------------- http://www.golem.de/news/verschluesselung-parallele-angriffe-auf-rsa-schlue… *** EMET 5.1 is available *** --------------------------------------------- Today, we're releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.1 which will continue to improve your security posture by providing increased application compatibility and hardened mitigations. You can download EMET 5.1 from microsoft.com/emet. Following is the list of the main changes and improvements: Several application compatibility issues .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx

1 0

Tageszusammenfassung - Freitag 7-11-2014
by Daily end-of-shift report 07 Nov '14

07 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 06-11-2014 18:00 − Freitag 07-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Crypto 101 - free book resource, (Thu, Nov 6th) *** --------------------------------------------- Regular reader and contributor Gebhard sent us a pointer to Crypto 101, an introductory course on cryptography, freely available for programmers of all ages and skill levels byLaurens Van Houtven (lvh) available for everyone, for free, forever. Its a pre-release PDF read of a project that will be released in more formats later. The Crypto 101 course allows you to learn by doing and includes everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18925&rss *** Metasploit Weekly Wrapup: Another Android Universal XSS *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/11/06/metasploi… *** Navy gunners unphased by "integer overflow bug" concerns *** --------------------------------------------- Today, Naked Security received an out-of-the-ordinary email... ..from a vacationing coder with a penchant for fitting geekiness into regular life! We loved his story. We think you will too. --------------------------------------------- http://nakedsecurity.sophos.com/2014/11/06/navy-gunners-unphased-by-integer… *** Slides zum Thema DDoS *** --------------------------------------------- Slides zum Thema DDoS | 5. November 2014 | Das Abwehramt des österreichischen Bundesheeres veranstaltet jedes Jahr eine Konferenz zum Thema IKT-Sicherheit. Dieses Jahr wurde ich eingeladen, einen Vortrag zum Thema DDoS zu halten.In meiner Präsentaion verweise ich auf diverse externe Dokumente, daher wurde ich gebeten, die Slides zum zum Download anzubieten. Autor: Otmar Lendl --------------------------------------------- http://www.cert.at/services/blog/20141105124802-1293.html *** Advance Notification Service for the November 2014 Security Bulletin Release *** --------------------------------------------- Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD). As per our monthly process, weve --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/11/06/advance-notification-ser… *** Chinese Routing Errors Redirect Russian Traffic *** --------------------------------------------- In recent weeks, Russian President Vladimir Putin announced a plan to enact measures to protect the Internet of Russia. In a speech to the Russian National Security Council he said, "we need to greatly improve the security of domestic communications networks and information resources." Perhaps he should add Internet routing security to his list because,... --------------------------------------------- http://research.dyn.com/2014/11/chinese-routing-errors-redirect-russian-tra… *** Frankfurt | 04.12.2014 - SAVE us from IP Spoofing and Prefix Hijacking *** --------------------------------------------- DDoS reflection attacks are promoted by IP spoofing and there have been several incidents in the last couple of years where huge networks or whole countries were disconnected from the internet after BGP hijacking. Nevertheless there are countermeasure like RPKI, BCP38 and S.A.V.E that not only protect your network but also help to create a more robust internet. Matthias Wählisch (FU Berlin) and Gert Döring (Space.Net) are going to present these approaches and open the discussion with... --------------------------------------------- http://de-cix.eco.de/2014/events/4-12-frankfurt-spoofing-and-hijacking.html *** Security Holes in Corporate Networks: Network Vulnerabilities *** --------------------------------------------- In this blogpost, we will review in detail the possible vectors for an attack launched on a corporate network from an infected computer within it. --------------------------------------------- http://securelist.com/blog/research/67452/security-holes-in-corporate-netwo… *** Combat Blackhat SEO Infections with SEO Insights *** --------------------------------------------- Blackhat SEO spam is the plague of the internet, and the big search engines take it seriously. One of the worst spam tactics on the internet is becoming more common every day: innocent websites are hacked, and their best pages begin linking to spam. These Blackhat SEO spam tactics are fighting for expensive, high-competition keywords... --------------------------------------------- http://blog.sucuri.net/2014/11/combat-blackhat-seo-infections-with-seo-insi… *** Macro malware on the rise again *** --------------------------------------------- Users taught that having to enable enhanced security features is no big deal.When I joined Virus Bulletin almost eight years ago, macro viruses were already a thing of the past, like porn diallers or viruses that did funny things to the characters on your screen: threats that were once a real problem, but that we didnt have to worry about any longer.A few years ago, I even heard a malware researcher bemoan the fact that "kids these days" didnt even know how to analyse macro viruses. --------------------------------------------- http://www.virusbtn.com/blog/2014/11_07.xml?rss *** Yosemite Beta *** --------------------------------------------- When we first announced that future versions of GPGMail would be available for a small fee, we were pretty scared about the reactions. Despite our expectations, weve received mostly positive responses and we would really like to thank you for that. Today were happy to announce that the first beta of GPGMail for Yosemite is finally ready. --------------------------------------------- https://gpgtools.org/?yosemite *** GnuPG unterstützt Krypto auf Elliptischen Kurven *** --------------------------------------------- Das soeben veröffentlichte Release GnuPG 2.1.0 bringt einige neue Funktionen, bessere Abläufe und es schneidet auch ein paar alte Zöpfe ab. Der 2.0er-Zweig wird als stabile Version weiter gepflegt. --------------------------------------------- http://www.heise.de/security/meldung/GnuPG-unterstuetzt-Krypto-auf-Elliptis… *** Belkin flings out patch after Metasploit module turns guests to admins *** --------------------------------------------- Open guest networks turned on by default Belkin has patched a vulnerability in a dual band router that allowed attackers on guest networks to gain root access using an automated tool. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/11/07/belkin_flin… *** VB2014 video: Attack points in health apps & wearable devices - how safe is your quantified self? *** --------------------------------------------- Health apps and wearable devices found to make many basic security mistakes."I know a lot of you have a Fitbit device."The geeks attending VB conferences tend to like their gadgets, and many of them have the latest ones, so the claim made by Candid Wüest at the beginning of his VB2014 last-minute presentation Attack points in health apps & wearable devices - how safe is your quantified self? was bound to be accurate. But the Symantec researcher really did know how many... --------------------------------------------- http://www.virusbtn.com/blog/2014/11_07a.xml?rss *** Security: Tausende unsichere Webcams im Internet zu sehen *** --------------------------------------------- Über tausende Webcams sind derzeit Menschen zu Hause in ihrem Fernsehsessel oder bei der Arbeit am Rechner zu sehen - ohne dass sie davon wissen. Die unbekannten Betreiber einer Webseite haben dafür weltweit Überwachungskameras angezapft. --------------------------------------------- http://www.golem.de/news/security-tausende-unsichere-webcams-im-internet-zu… *** Vuln: requests-kerberos requests_kerberos/kerberos_.py Remote Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/70909 *** SOL15792: Path MTU discovery vulnerability CVE-2004-1060 *** --------------------------------------------- Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Dont Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." (CVE-2004-1060) Impact: The BIG-IP system may be vulnerable to denial-of-service (DoS) attacks. --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15792.html *** Bugtraq: Open-Xchange Security Advisory 2014-11-07 *** --------------------------------------------- http://www.securityfocus.com/archive/1/533936 *** [R1] OpenSSL Vulnerabilities (20141015) Affect Tenable Products *** --------------------------------------------- November 7, 2014 --------------------------------------------- http://www.tenable.com/security/tns-2014-11 *** RSA Web Threat Detection SQL Injection *** --------------------------------------------- Topic: RSA Web Threat Detection SQL Injection Risk: Medium Text:ESA-2014-135: RSA Web Threat Detection SQL Injection Vulnerability EMC Identifier: ESA-2014-135 CVE Identifier: C... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014110032 *** PHP date_from_ISO8601() buffer overflow *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/98522 *** DSA-3067 qemu-kvm *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3067 *** DSA-3066 qemu *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3066 *** DSA-3065 libxml-security-java *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3065 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…

1 0

Tageszusammenfassung - Donnerstag 6-11-2014
by Daily end-of-shift report 06 Nov '14

06 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-11-2014 18:00 − Donnerstag 06-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Retefe with a new twist *** --------------------------------------------- A few months ago, we blogged about the banking trojan Retefe (Blog post in German) that was and still is targeting Switzerland. First off, Retefe is different because it only targets Switzerland, Austria and Sweden (and sometimes Japan). Contrast this... --------------------------------------------- http://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/ *** ENISA calls for Expression of Interest for Membership of the Permanent Stakeholders' Group *** --------------------------------------------- The Executive Director of European Union Agency for Network and Information Security (ENISA) calls for Expression of Interest for Membership of the Permanent Stakeholders' Group (PSG) to be assigned from February 2015 to August 2017. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/enisa-calls-for-expression-… *** New ENISA report on Cyber Crisis Cooperation and Management *** --------------------------------------------- http://www.enisa.europa.eu/media/news-items/enisa-publishes-new-report-on-c… *** WireLurker malware infects iOS devices through OS X *** --------------------------------------------- Non-jailbroken devices infected via enterprise provisioning program.Researchers at Palo Alto Networks have published a research paper (PDF) analysing the WireLurker malware that runs on Mac OS X, and which is then used to further infect iOS devices connected to an infected machine.WireLurker is found to have infected 467 apps on the Maiyadi App Store, a third-party store based in China. Infected apps have been downloaded more than 350,000 times. Malware targeting OS X has become increasingly... --------------------------------------------- http://www.virusbtn.com/blog/2014/11_06.xml?rss *** VB2014 paper: DMARC - how to use it to improve your email reputation *** --------------------------------------------- Terry Zink presents case study in which he describes setting a DMARC policy for Microsoft.Over the next few months, we will be sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added DMARC - how to use it to improve your email reputation, by Microsofts Terry Zink.Email is a 30-year-old protocol, designed at a time when the Internet was much smaller and you could basically trust anyone. As a consequence, spammers and phishers can easily send email --------------------------------------------- http://www.virusbtn.com/blog/2014/11_06a.xml?rss *** ZMap 1.2.1 - The Internet Scanner *** --------------------------------------------- ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet. --------------------------------------------- http://hack-tools.blackploit.com/2014/11/zmap-121-internet-scanner.html *** ICMP Reverse Shell *** --------------------------------------------- A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved. --------------------------------------------- http://resources.infosecinstitute.com/icmp-reverse-shell/ *** ZDI-14-373: Trend Micro InterScan Web Security Virtual Appliance Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to read files from the underlying operating system on vulnerable installations of Trend Micro InterScan Web Security Virtual Appliance web application authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-14-373/ *** Vuln: Dell EqualLogic CVE-2013-3304 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/70760 *** Bugtraq: ESA-2014-135: RSA Web Threat Detection SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/533912 *** Bugtraq: [The ManageOwnage Series, part VI]: 0day database info and superuser credential disclosure in EventLog Analyser *** --------------------------------------------- http://www.securityfocus.com/archive/1/533916 *** Cisco Unity Connection Information Disclosure Vulnerability *** --------------------------------------------- CVE-2014-7988 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** [R1] PHP Integer Overflow Affects Tenables SecurityCenter *** --------------------------------------------- November 5, 2014 --------------------------------------------- http://www.tenable.com/security/tns-2014-10 *** [2014-11-06] XXE & XSS & Arbitrary File Write vulnerabilities in Symantec Endpoint Protection *** --------------------------------------------- Attackers are able to perform denial-of-service attacks against the Endpoint Protection Manager which directly impacts the effectiveness of the client-side endpoint protection. Furthermore, session identifiers of users can be stolen to impersonate them and gain unauthorized access to the server. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** IBM Security Bulletin: Security vulnerabilities in Node.js modules affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-6394, CVE-2014-7191) *** --------------------------------------------- Security vulnerabilities have been reported for some dependent Node.js modules. IBM Business Process Manager includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology. CVE(s): CVE-2014-6394 and CVE-2014-7191 Affected product(s) and affected version(s): IBM Business Process Manager Express V8.5.5 IBM Business Process Manager Standard V8.5.5 IBM Business Process Manager Advanced V8.5.5 Refer to the following reference --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Multiple Reflected XSS Vulnerabilities in Tivoli Netcool/Impact *** --------------------------------------------- IBM Tivoli Netcool Impact is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. CVE(s): CVE-2014-6161 Affected product(s) and affected version(s): IBM Tivoli Netcool Impact 6.1.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21689130 X-Force Database: http://xforce.iss.net/xforce/xfdb/97710 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…

1 0

Tageszusammenfassung - Mittwoch 5-11-2014
by Daily end-of-shift report 05 Nov '14

05 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-11-2014 18:00 − Mittwoch 05-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Tool Tip: vFeed, (Wed, Nov 5th) *** --------------------------------------------- I have had a number of occasions lately to use or talk about vFeed from Toolswatch.org (@toolwatch). NJ a useful Python CLI tool that pulls CVEs and other Mitre datasets. From the vFeed Github repo: vFeed framework is an open source naming scheme concept that provides extra structured detailed third-party references and technical characteristics for a CVE entry through an extensible XML schema. It also improves the reliability of CVEs by providing a flexible and comprehensive vocabulary for --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18917&rss *** Perfider Schädling haust in der Registry *** --------------------------------------------- Viren sind typischerweise in Dateien Zuhause, die mal besser und mal schlechter auf dem System versteckt sind. Ein neuer Trojaner kommt ohne Dateien aus, wodurch man ihn schwer aufspüren kann. Er wird seit kurzem auch über ein Exploit-Kit verteilt. --------------------------------------------- http://www.heise.de/security/meldung/Perfider-Schaedling-haust-in-der-Regis… *** Which Messaging Technologies Are Truly Safe and Secure? *** --------------------------------------------- In the face of widespread Internet data collection and surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer "secure messaging" products - but how can users know if these systems actually secure? The Electronic Frontier Foundation (EFF) released its Secure Messaging Scorecard today, evaluating dozens of messaging technologies on a range of security best practices. --------------------------------------------- https://www.eff.org/press/releases/which-messaging-technologies-are-truly-s… *** Crypto collision used to hijack Windows Update goes mainstream *** --------------------------------------------- Final nail in the coffin for the MD5 hash The cryptographic hash collision attack used by cyberspies to subvert Microsofts Windows Update has gone mainstream, revealing that MD5 is hopelessly broken. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/11/05/md5_hash_co… *** New Phishing Technique Outfoxes Site Owners: Operation Huyao *** --------------------------------------------- We've found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims. This technique we found allows for the creation of nearly perfect copies... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/SfVy0fROxfs/ *** Novembers Issue of the OUCH Newsletter is available, covering Social Engineering! http://www.securingthehuman.org/ouch, (Wed, Nov 5th) *** --------------------------------------------- -- Alex Stanford - GIAC GWEB GSEC, Research Operations Manager, SANS Internet Storm Center (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18921&rss *** Mehr Updates gegen die UEFI-Sicherheitslücke *** --------------------------------------------- Für die vor Monaten entdeckte Sicherheitslücke in UEFI-Firmware stellen nun mehr PC- und Mainboard-Hersteller Patches bereit, andere geben Entwarnung - und manche forschen noch. --------------------------------------------- http://www.heise.de/newsticker/meldung/Mehr-Updates-gegen-die-UEFI-Sicherhe… *** .onion-Domains: Falsches Zertifikat für Tor-Facebook *** --------------------------------------------- Einem Sicherheitsforscher ist es gelungen, ein gefälschtes Zertifikat für die .onion-URL von Facebook ausstellen zu lassen. Facebook ist seit kurzem über das Tor-Netzwerk erreichbar. (Soziales Netz, Facebook) --------------------------------------------- http://www.golem.de/news/onion-domains-falsches-zertifikat-fuer-tor-faceboo… *** Bugtraq: CVE-2014-6617 Softing FG-100 Backdoor Account *** --------------------------------------------- http://www.securityfocus.com/archive/1/533902 *** Bugtraq: KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read *** --------------------------------------------- KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read --------------------------------------------- http://www.securityfocus.com/archive/1/533901 *** Cross-Site Scripting vulnerability in extension phpMyAdmin (phpmyadmin) *** --------------------------------------------- It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to Cross-Site Scripting. --------------------------------------------- http://www.typo3.org/news/article/cross-site-scripting-vulnerability-in-ext… *** Advisory (ICSA-14-308-01) ABB RobotStudio and Test Signal Viewer DLL Hijack Vulnerability *** --------------------------------------------- Ivan Sanchez of WiseSecurity Team has identified a dll hijack vulnerability in the ABB RobotStudio and Test Signal Viewer applications. ABB has produced new versions that mitigate this vulnerability. Mr. Sanchez has tested the new version to validate that it resolves the vulnerability. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-14-308-01 *** Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF *** --------------------------------------------- Topic: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF Risk: Medium Text:<!-- # Exploit Title: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF # Exploit author: Emmanuel Law # Public ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014110021 *** Multiple Vulnerabilities in Cisco Small Business RV Series Routers *** --------------------------------------------- cisco-sa-20141105-rv --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DSA-3064 php5 *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3064 *** FreeBSD setlogin() Lets Local Users Obtain Portions of Kernel Memory *** --------------------------------------------- http://www.securitytracker.com/id/1031169 *** FreeBSD OpenSSH Child Process Deadlock Lets Remote Users Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1031168 *** IBM Security Bulletins related to POODLE (CVE-2014-3566) *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** Other IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…

1 0

Tageszusammenfassung - Dienstag 4-11-2014
by Daily end-of-shift report 04 Nov '14

04 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-11-2014 18:00 − Dienstag 04-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Smuggler - An interactive 802.11 wireless shell without the need for authentication or association *** --------------------------------------------- I've always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional)... --------------------------------------------- http://blog.spiderlabs.com/2014/11/smuggler-an-interactive-80211-wireless-s… *** Some samples in Rotten Tomato campaign not effectively executed *** --------------------------------------------- Researchers at Sophos provided additional details on the malware used in the attacks. --------------------------------------------- http://www.scmagazine.com/some-samples-in-rotten-tomato-campaign-not-effect… *** Whois someone else?, (Tue, Nov 4th) *** --------------------------------------------- A couple of weeks ago, I already covered the situation where a cloud IP address gets re-assigned, and the new owner still sees some of your traffic. Recently, one of our clients had the opposite problem: They had changed their Internet provider, and had held on to the old address range for a decent decay time. They even confirmed with a week-long packet capture that there was no afterglow on the link, and then dismantled the setup. Until last week, when they got an annoyed rant into their... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18911&rss *** New version of Backoff detected, malware variant dubbed ROM *** --------------------------------------------- Researchers at Fortinet detailed the new variant on Monday, and urged businesses to keep their AV up to date. --------------------------------------------- http://www.scmagazine.com/new-version-of-backoff-detected-malware-variant-d… *** Practical Reflected File Download and JSONP *** --------------------------------------------- This week introduced us to a new web attack vector, which the researcher dubbed "Reflected File Download" [RFD] . It's a very interesting attack which has potential to do some severe damage, especially in social engineering contexts. Full details of the reflected file download attack can be found here:... --------------------------------------------- http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-a… *** Content Security Policy Builder *** --------------------------------------------- Content Security Policy is a new HTML5 web security feature. Your website can now explicitly tell browsers what sources of content - images, scripts, frames etc - are to be trusted. A new Content-Security-Policy HTTP header is used to announce that policy. --------------------------------------------- https://cspbuilder.info/static/ *** Exploiting CVE-2014-4113 on Windows 8.1 *** --------------------------------------------- On the 14th of October 2014 both CrowdStrike1 and FireEye2 published a blog post describing a new zero-day privilege escalation vulnerability on Windows. The CrowdStrike article explains that this new vulnerability was identified in the process of tracking a supposedly highly advanced adversary group named HURRICANE PANDA and has been actively exploited in the wild for at least five month. ... So I was curious if and how the vulnerability might be exploitable on the most current version of... --------------------------------------------- http://dl.packetstormsecurity.net/papers/attack/CVE-2014-4113.pdf *** Google Releases Nogotofail Tool to Test Network Security *** --------------------------------------------- The last year has produced a rogues' gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a... --------------------------------------------- http://threatpost.com/google-releases-nogotofail-tool-to-test-network-secur… *** Customer confusion over new(ish) gTLDs targeting financial services *** --------------------------------------------- Introduction For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware - each campaign seeking to relieve the victim of their online banking credentials and funds. In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years. Now we're about to enter a... --------------------------------------------- https://www.nccgroup.com/en/blog/2014/11/customer-confusion-over-newish-gtl… *** Linksys Patches (Most) Routers Running SMART Wi-Fi Firmware *** --------------------------------------------- Linksys released updates for routers running its SMART Wi-Fi firmware, patching vulnerabilities leading to credential theft and information disclosure. Two popular models, however, remain unpatched. --------------------------------------------- http://threatpost.com/linksys-patches-most-routers-running-smart-wi-fi-firm… *** GNU Binutils peXXigen.c denial of service *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/98420 *** ZDI-14-371: (0Day) Denon AVR-3313CI Friendlyname Persistent Cross-Site Scripting Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to insert persistent JavaScript on vulnerable installations of the Denon AVR-3313CI audio/video receivers web portal. Authentication is not required to persist the attack. However, user interaction is required to exploit this vulnerability in that the target must visit a malicious page. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-14-371/ *** ZDI-14-372: (0Day) Visual Mining NetCharts Server File Upload Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Visual Mining NetCharts Server. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-14-372/ *** Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability *** --------------------------------------------- cisco-sa-20130109-uipphone --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DSA-3063 quassel *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3063 *** DSA-3062 wget *** --------------------------------------------- security update --------------------------------------------- http://www.debian.org/security/2014/dsa-3062

1 0

Tageszusammenfassung - Montag 3-11-2014
by Daily end-of-shift report 03 Nov '14

03 Nov '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 31-10-2014 18:00 − Montag 03-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** CVE-2014-4115 Analysis: Malicious USB Disks Allow For Possible Whole System Control *** --------------------------------------------- One of the bulletins that was part of the October 2014 Patch Tuesday cycle was MS14-063 which fixed a vulnerability in the FAT32 disk partition driver that could allow for an attacker to gain administrator rights on affected systems, with only a USB disk with a specially modified file system. This vulnerability as also designated... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/E2Ur54TO5Qo/ *** CSAM Month of False Positives: Appropriately Weighting False and True Positives, (Fri, Oct 31st) *** --------------------------------------------- This is a guest diary submitted by Chris Sanders. We will gladly forward any responses or please use our comment/forum section to comment publicly.">">If you work with any type of IDS, IPS, or other">detection technology then you have to deal with false positives. One">common">mistake I see people make when managing their indicators and rules is">relying">solely on the rate of false positives that are observed. While... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18905&rss *** CVE-2012-0158 continues to be used in targeted attacks *** --------------------------------------------- 30-month old vulnerability still a popular way to infect systems.If all you have to worry about are zero-day vulnerabilities, you have got things pretty well sorted. Although it is true that sometimes zero-days are being used to deliver malware (such as the recent use of CVE-2014-4114 by the SandWorm group), in many cases even the more targeted attacks get away with using older, long patched vulnerabilities, exploiting the fact that many users and organisations dont patch as quickly as they --------------------------------------------- http://www.virusbtn.com/blog/2014/10_31a.xml?rss *** Reversing D-Link's WPS Pin Algorithm *** --------------------------------------------- While perusing the latest firmware for D-Link's DIR-810L 80211ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers: I first began examining this particular piece of code with the... --------------------------------------------- http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/ *** Adobe: Aktuelle Flash-Sicherheitslücken bereits in Exploit-Kits *** --------------------------------------------- Es wird wieder Zeit, sich bei Sicherheitslücken verstärkt um Adobes Flashplayer zu kümmern. Zwei gerade erst abgesicherte und gefährliche Sicherheitslöcher sind bereits in aktuelle Exploit-Kits integriert worden. Eset glaubt sogar, dass Flash nun wieder Java in der Beliebtheitsskala ablöst. --------------------------------------------- http://www.golem.de/news/adobe-aktuelle-flash-sicherheitsluecken-bereits-in… *** justniffer a Packet Analysis Tool, (Mon, Nov 3rd) *** --------------------------------------------- Are you looking for another packet sniffer? justniffer is a packet sniffer with some interesting features. According to the author, this packet sniffer can rebuild and save HTTP file content sent over the network. It uses portions of Linux kernel source code for handling all TCP/IP stuff. Precisely, it uses a slightly modified version of the libnids libraries that already include a modified version of Linux code in a more reusable way.[1] The tarball can be downloaded here and a package is --------------------------------------------- https://isc.sans.edu/diary.html?storyid=18907&rss *** BE2 Custom Plugins, Router Abuse, and Target Profiles *** --------------------------------------------- The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM... --------------------------------------------- http://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-a… *** Security: Sicherheitslücke in Mac OS X 10.10 entdeckt *** --------------------------------------------- In Mac OS X 10.10 und 10.8.5 befindet sich eine Sicherheitslücke, die die Übernahme des gesamten Systems ermöglicht. Details hat ihr Entdecker noch nicht veröffentlicht - in Absprache mit Apple. --------------------------------------------- http://www.golem.de/news/security-sicherheitsluecke-in-mac-os-x-10-10-entde… *** OpenBSD 5.6 kickt OpenSSL *** --------------------------------------------- Mit der neuen Version des freien Unix steigen die OpenBSD-Macher von OpenSSL auf LibreSSL um. Dazu kommen zahlreiche kleinere Verbesserungen. --------------------------------------------- http://www.heise.de/newsticker/meldung/OpenBSD-5-6-kickt-OpenSSL-2441288.ht… *** Hacking Team: Handbücher zeigen Infektion Über Code Injection und WLAN *** --------------------------------------------- "Internetüberwachung leicht gemacht": Die italienische Firma Hacking Team gilt neben Finfisher als bekanntester Hersteller von Spionagesoftware. Nun veröffentlichte Handbücher zeigen die Möglichkeiten der Überwachung. --------------------------------------------- http://www.golem.de/news/hacking-team-handbuecher-zeigen-infektion-ueber-co… *** RDP Replay *** --------------------------------------------- Here at Context we work hard to keep our clients safe. During routine client monitoring our analysts noticed some suspicious RDP traffic. It was suspicious for two reasons. Firstly the client was not in the habit of using RDP, and secondly it had a Chinese keyboard layout. This information is available in the ClientData handshake message of non-SSL traffic, and can easily be seen in wireshark. --------------------------------------------- http://contextis.com/resources/blog/rdp-replay/ *** l+f: Analyse des Drupal-Desasters *** --------------------------------------------- Wie konnte das nur passieren? Müssen wir alle sterben? --------------------------------------------- http://www.heise.de/security/meldung/l-f-Analyse-des-Drupal-Desasters-24414… *** Visa: Kreditkarten-Lücke ermöglicht Abbuchen von einer Million Dollar per NFC *** --------------------------------------------- Mittels präpariertem Terminal - Forscher stellen Leck auf Sicherheitskonferenz vor - Visa beschwichtigt --------------------------------------------- http://derstandard.at/2000007655779 *** Ongoing Sophisticated Malware Campaign Compromising ICS (Update A) *** --------------------------------------------- This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01 Ongoing Sophisticated Malware Campaign Compromising ICS that was published October 28, 2014, on the ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A *** Bugtraq: [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU *** --------------------------------------------- http://www.securityfocus.com/archive/1/533862 *** HP CM3530 Color LaserJet Printer Lets Remote Users Access Data and Deny Service *** --------------------------------------------- http://www.securitytracker.com/id/1031153 *** CBI Referral Manager <= 1.2.1 Cross-Site Scripting (XSS) *** --------------------------------------------- 2014-11-01T18:57:24 --------------------------------------------- https://wpvulndb.com/vulnerabilities/7654 *** GB Gallery Slideshow 1.5 - SQL Injection *** --------------------------------------------- 2014-11-02T13:12:44 --------------------------------------------- https://wpvulndb.com/vulnerabilities/7655 *** Vuln: MantisBT Incomplete Fix Multiple SQL Injection Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/70856 *** VU#210620: uIP and lwIP DNS resolver vulnerable to cache poisoning *** --------------------------------------------- Vulnerability Note VU#210620 uIP and lwIP DNS resolver vulnerable to cache poisoning Original Release date: 03 Nov 2014 | Last revised: 03 Nov 2014 Overview The DNS resolver implemented in uIP and lwIP is vulnerable to cache poisoning due to non-randomized transaction IDs (TXIDs) and source port reuse. Description CWE-330: Use of Insufficiently Random Values - CVE-2014-4883The DNS resolver implemented in all versions of uIP, as well as lwIP versions 1.4.1 and earlier, is vulnerable to cache... --------------------------------------------- http://www.kb.cert.org/vuls/id/210620 *** IBM Security Bulletin: Weaker than expected security with Liberty Repository affecting Rational Application Developer for WebSphere Software (CVE-2014-4767) *** --------------------------------------------- The WebSphere Application Server Liberty profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability using a man-in-the-middle technique to cause the installation of malicious code. CVE(s): CVE-2014-4767 Affected product(s) and affected version(s): IBM Rational Application Developer for WebSphere Software 9.1.0.1 Refer to the following reference URLs for remediation and additional --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Multiple Security vulnerabilities found in WebSphere Commerce XML External Entity (XXE) Processing (CVE-2014-4834, CVE-2014-4769 ) *** --------------------------------------------- IBM WebSphere Commerce Enterprise, Professional, Express and Developer is vulnerable to a denial of service, caused by issues with detecting recursion during entity expansion. CVE(s): CVE-2014-4834 and CVE-2014-4769 Affected product(s) and affected version(s): WebSphere Commerce V6.0 and V7.0 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors *** --------------------------------------------- There are multiple vulnerabilities in OpenSSL that is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139). These issues were disclosed on August 6, 2014 by the OpenSSL Project. CVE(s): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and CVE-2014-5139 Affected... --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: IBM Notes Traveler for Android client explicit warning against use of HTTP (CVE-2014-6130) *** --------------------------------------------- The IBM Notes Traveler client for Android devices allows the end user to connect to their Traveler server over HTTPS (using SSL) or the open HTTP standard. At present, the client application does not explicitly warn the end user if the Traveler administrator has chosen the insecure HTTP variant as the transport medium. CVE(s): CVE-2014-6130 Affected product(s) and affected version(s): All releases of IBM Notes Traveler for Android prior to version 9.0.1.3. Refer to the following... --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: IBM Tivoli NetView for z/OS (distributed components) affected by multiple vulnerabilities that have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 & 7 (CVE-2014-4263 and *** --------------------------------------------- Vulnerabilities have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 and 7, utilized by IBM Tivoli NetView for z/OS distributed components. CVE(s): CVE-2014-4263 and CVE-2014-4244 Affected product(s) and affected version(s): This vulnerability is known to affect IBM Tivoli NetView for z/OS v5.3, 5.4, 6.1, 6.2 & 6.2.1 in certain distributed components. Releases/systems/configurations not known to be affected: IBM Tivoli NetView for... --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily November 2014