=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-03-2014 18:00 − Montag 31-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Siemens ROS Improper Input Validation ***
---------------------------------------------
Researcher Aivar Liimets from Martem Telecontrol Systems reported an improper input validation vulnerability in the Siemens Rugged Operating System (ROS), which could cause a denial-of-service (DoS) condition against the device's management web interface. Siemens coordinated the vulnerability details with NCCIC/ICS-CERT and has provided information for mitigation of the vulnerability.This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-087-01
*** WiFi Bug Plagues Philips Internet-Enabled TVs ***
---------------------------------------------
Some versions of Philips internet-enabled SmartTVs are vulnerable to cookie theft and an array of other tricks that abuse a lax WiFi setting.
---------------------------------------------
http://threatpost.com/wifi-bug-plagues-philips-internet-enabled-tvs/105119
*** VulDB: Adobe Reader 11.0.06 Sandbox erweiterte Rechte ***
---------------------------------------------
Die Schwachstelle wurde am 28.03.2014 von VUPEN via Pwn2Own 2014 publiziert. Die Identifikation der Schwachstelle wird seit dem 20.12.2013 mit CVE-2014-0512 vorgenommen. Sie ist schwierig auszunutzen. Der Angriff kann über das Netzwerk erfolgen. Zur Ausnutzung ist keine spezifische Authentisierung erforderlich. Es sind zwar keine technische Details, jedoch ein privater Exploit zur Schwachstelle bekannt.
---------------------------------------------
http://www.scip.ch/?vuldb.12723
*** Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can create specially crafted content that, when loaded by the target user on a Windows-based system, will trigger a use-after-free and execute arbitrary code on the target system [CVE-2014-0506]. The code will run with the privileges of the target user.
VUPEN reported this vulnerability (via Pwn2Own at CanSecWest 2014).
A remote user can create specially crafted content that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2014-0510]. The code will run with the privileges of the target user.
Zeguang Zhao and Liang Chen reported this vulnerability (via Pwn2Own at CanSecWest 2014).
---------------------------------------------
http://www.securitytracker.com/id/1029969
---------------------------------------------
(Notiz: soweit wir bisher herausfinden konnten, sind noch keine Exploits dazu "in the wild" aufgetaucht.)
---------------------------------------------
*** nginx 1.4.6/1.5.11 Heap-based buffer overflow in the SPDY ***
---------------------------------------------
A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).
The problem affects nginx 1.3.15 - 1.5.11, compiled with the
ngx_http_spdy_module module (which is not compiled by default) and
without --with-debug configure option, if the "spdy" option of the
"listen" directive is used in a configuration file.
The problem is fixed in nginx 1.5.12, 1.4.7.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030250
*** Chip.de-Forum offenbar gehackt: 2,5 Millionen Nutzerdaten betroffen ***
---------------------------------------------
Forumsmitglieder wurden per Mail über Hack informiert - Passwörter wurden außerdem unzureichend geschützt
---------------------------------------------
http://derstandard.at/1395363600546
*** Who's Behind the "BLS Weblearn" Credit Card Scam? ***
---------------------------------------------
A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called "BLS Weblearn" is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/MxEDIVQPC94/
*** More Device Malware: This is why your DVR attacked my Synology Disk Station, (Mon, Mar 31st) ***
---------------------------------------------
Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ). Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) . The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover / analyze from the
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17879&rss
*** Crack team of cyber warriors arrives to SAVE UK from grid-crippling HACK ATTACKS ***
---------------------------------------------
National CERT goes live today The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/31/cert_uk_lau…
*** Cisco Security Response Team Opens Its Toolbox ***
---------------------------------------------
With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage.
---------------------------------------------
https://blogs.cisco.com/security/cisco-security-response-team-opens-its-too…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-03-2014 18:00 − Freitag 28-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** New PGP keys ***
---------------------------------------------
At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy.In order to easy the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship. ...
---------------------------------------------
http://www.cert.at/services/blog/20140328155445-1086.html
*** NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes ***
---------------------------------------------
The potency of distributed denial of service attacks has increased steadily but dramatically over the last 14 months.
---------------------------------------------
http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-vol…
*** Schneider Electric Serial Modbus Driver Buffer Overflow ***
---------------------------------------------
OVERVIEW Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflow vulnerability in Schneider Electric’s Serial Modbus Driver that affects 11 Schneider Electric products. Schneider Electric has produced patches that mitigate this vulnerability. This vulnerability can be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-086-01
*** Apple Credential Phishing via appleidconfirm.net, (Thu, Mar 27th) ***
---------------------------------------------
ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email. The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials. Upon submitting what it considers valid credentials, youre redirected to the /?2 page of the site which contains another form which appears to
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17869&rss
*** SonicWALL Email Security Input Validation Flaw in License Management’ and ‘Advanced Pages Permits Cross-Site Scripting Attacks ***
---------------------------------------------
A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks.
The 'License Management' and 'Advanced' pages do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser.
---------------------------------------------
http://www.securitytracker.com/id/1029965
*** Word and Excel Files Infected Using Windows PowerShell ***
---------------------------------------------
Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.) Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hUmCpAOj9M/
*** OpenSSH 6.6 bypass SSHFP DNS RR checking by HostCertificate ***
---------------------------------------------
I've been looking at handling host keys better, and tripped over this bug. Essentially, if the server offers a HostCertificate that the client doesn't accept, then the client doesn't then check for SSHFP records.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030239
*** [2014-03-28] Multiple vulnerabilities in Symantec LiveUpdate Administrator ***
---------------------------------------------
Attackers are able to compromise Symantec LiveUpdate Administrator at the application and database levels because of vulnerable password reset functionality and SQL injection vulnerabilities. This enables access to credentials of update servers on the network without prior authentication.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…
*** Python "os._get_masked_mode()" Race Condition Security Issue ***
---------------------------------------------
A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data.
The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible.
The security issue is reported in versions 3.4, 3.3, and 3.2.
---------------------------------------------
https://secunia.com/advisories/57672
*** IBM Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE ***
---------------------------------------------
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE which fixes the security vulnerabilities reported in Oracles Critical Patch Update releases of January 2014. CVE(s): CVE-2014-0423, CVE-2014-0416 and CVE-2014-0411 Affected product(s) and affected version(s): IBM WebSphere ILOG
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Cisco IOS Software High Priority Queue Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the packet driver code of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, resulting in a denial of service (DoS) condition.
CVE-2014-2131
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 26-03-2014 18:00 − Donnerstag 27-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Allied Telesis AT-RG634A ADSL router unauthenticated webshell ***
---------------------------------------------
Risk: High, Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030221
*** HP Multiple StoreOnce Products Unauthorised Access Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57601
*** Linux Kernel ath9k "ath_tx_aggr_sleep()" Race Condition Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57468
*** When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal ***
---------------------------------------------
Junk traffic mostly floods in from botnets DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/27/ddos_trends…
*** DSA-2885-1 libyaml-libyaml-perl -- security update ***
---------------------------------------------
Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
---------------------------------------------
https://www.debian.org/security/2014/dsa-2885
*** Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication ***
---------------------------------------------
Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on March 26, 2014. In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication includes 5 Security Advisories that address vulnerabilities in Cisco IOS Software and 1 Security Advisory that addresses ..
---------------------------------------------
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
*** Malware Hijacks Android Mobile Devices to Mine Cryptocurrency ***
---------------------------------------------
Several bits of malware targeting Android mobile devices hijack the smartphone or tablets resources to mine digital currency such as Litecoin or Dogecoin.
---------------------------------------------
http://threatpost.com/malware-hijacks-android-mobile-devices-to-mine-crypto…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-03-2014 18:00 − Mittwoch 26-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** A few updates on "The Moon" worm, (Tue, Mar 25th) ***
---------------------------------------------
It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers. I think it is time for a quick update to summarize some of the things we learned since then: Much of what we found so far comes thanks to the malware analysis done by Bernado Rodriges. Bernado used QEMU to run the code in a virtual environment. QEMU is as far as I know the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17855&rss
*** WordPress Pingback-Funktion für DDoS-Attacken missbraucht ***
---------------------------------------------
WordPress Pingback-Funktion für DDoS-Attacken missbraucht24. März 2014
In den letzten Tagen gab es zahlreiche Medienberichte zu DDoS-Angriffen durch Missbrauch der XML-RPC-Pingback-Funktion von WordPress. Einige dieser Beiträge möchte ich, zur weiterführenden Lektüre für Betroffene und Interessierte, im Folgenden auflisten. Blog Post von Daniel Cid vom Security-Dienstleister Sucuri mit Erklärungen zur Funktionsweise der Attacke. Weiters wird beschrieben,
---------------------------------------------
http://www.cert.at/services/blog/20140324230619-1079.html
*** Bugtraq: CVE-2013-6955 Synology DSM remote code execution ***
---------------------------------------------
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
---------------------------------------------
http://www.securityfocus.com/archive/1/531602
*** OpenSSL 1.0.0l cache side-channel attack ***
---------------------------------------------
Topic: OpenSSL 1.0.0l cache side-channel attack Risk: Medium Text:The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-tim...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030197
*** Xen HVMOP_set_mem_access Input Validation Flaw Lets Local Guest Users Deny Service on the Host System ***
---------------------------------------------
A local user on the guest operating system can cause denial of service conditions on the host operating system.
The HVMOP_set_mem_access HVM control operations does not properly validate input size. A local administrative user on an HVM guest operating system can consume excessive CPU resources on the host operating system.
On version 4.2, only 64-bit versions of the hypervisor are affected.
Device model emulators (qemu-dm) are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029956
*** Walkthrough of a Recent Zbot Infection and associated CnC Server ***
---------------------------------------------
During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/kygTD5dMmHo/walkthrough-…
*** MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data ***
---------------------------------------------
rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. Theyve redesigned the entire approach to securing online data by creating Mylar, which
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QIuCSrAxslY/story01.htm
*** PAM timestamp internals bypass authentication ***
---------------------------------------------
Topic: PAM timestamp internals bypass authentication
Risk: Low
Text:Hi When playing with some PAM modules for my own projects, I came across some implications of pam_timestamp (which is part ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030216
*** Nmap-Erfinder rebootet Full Disclosure ***
---------------------------------------------
Gordon 'Fyodor' Lyon hat die überraschend geschlossene Full-Disclosure-Mailingliste wiederbelebt. Er habe viel Erfahrung mit dem Administrieren von Mailinglisten und keine Angst vor rechtlichen Drohungen, sagt der Sicherheitsexperte.
---------------------------------------------
http://www.heise.de/security/meldung/Nmap-Erfinder-rebootet-Full-Disclosure…
*** TYPO3 CMS 6.2 LTS is now available ***
---------------------------------------------
... TYPO3 CMS 6.2 LTS, which was released today. As the second TYPO3 release with long-term support (LTS), TYPO3 CMS 6.2 LTS will receive at least three years of support from the development team behind the open-source software.
---------------------------------------------
http://typo3.org/news/article/typo3-presents-the-latest-version-of-its-free…
*** Jetzt VoIP-Passwort ändern: Kriminelle nutzen erbeutete Fritzbox-Daten aus ***
---------------------------------------------
Die Fritzbox-Angreifer haben anscheinend lange Zeit unbemerkt Zugangsdaten gesammelt, ohne sie zu benutzen. Für die Nutzer hat das jetzt ein übles Nachspiel, denn die meisten Passwörter funktionieren weiterhin. Der Schaden geht in die Hunderttausende.
---------------------------------------------
http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle…
*** Splunk Unspecified Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Splunk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in versions prior to 5.0.8.
---------------------------------------------
https://secunia.com/advisories/57554
*** libcURL Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
Multiple security issues have been reported in libcURL, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57434
*** 10 rules of thumb of internet safety ***
---------------------------------------------
Malicious parties on the internet try to gain access to your computer, tablet or mobile phone and to intercept personal data. Malware, phishing and spam are frequently occurring threats. These 10 rules of thumb provide a basis to protect yourself against these threats.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact…
*** New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers ***
---------------------------------------------
Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metas…
*** [Honeypot Alert] JCE Joomla Extension Attacks ***
---------------------------------------------
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit them.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/v7CME1mpcfQ/honeypot-a…
*** Cisco IOS Software SSL VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Network Address Translation Vulnerabilities ***
---------------------------------------------
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Web Browser Security Revisited (Part 5) ***
---------------------------------------------
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they're implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we'll look at ... Chrome for Business.
---------------------------------------------
http://www.windowsecurity.com/articles-tutorials/Web_Application_Security/w…
*** Vuln: Apple Mac OS X APPLE-SA-2014-02-25-1 Multiple Security Vulnerabilities ***
---------------------------------------------
Apple Mac OS X is prone to multiple vulnerabilities.
The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect OS X versions prior to 10.9.2.
---------------------------------------------
http://www.securityfocus.com/bid/65777
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-03-2014 18:00 − Dienstag 25-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Microsoft Security Advisory (2953095): Vulnerability in Microsoft Word Could Allow Remote Code Execution - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2953095
*** Security Advisory 2953095: recommendation to stay protected and for detections ***
---------------------------------------------
Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild. Mitigations and Workaround The in the wild
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095…
*** [dos] - Windows Media Player 11.0.5721.5230 - Memory Corruption PoC ***
---------------------------------------------
#[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC
#[+] Date: 22-03-2014
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7 Pro
---------------------------------------------
http://www.exploit-db.com/exploits/32477
*** Security Notice- Allegro RomPager Information Disclosure Vulnerability in Multiple Huawei Routers ***
---------------------------------------------
Huawei has noticed an information disclosure vulnerability on the RomPager embedded web server, which is developed by Allegro. The vulnerability affects Huawei HG520c, MT880, and MT886 access routers.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti ***
---------------------------------------------
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
---------------------------------------------
http://www.securityfocus.com/archive/1/531588
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga ***
---------------------------------------------
Two vulnerabilities were found in icinga version 1.9.1.
These vulnerabilities are:
1) several buffer overflows
2) Off-by-one memory access
---------------------------------------------
http://www.securityfocus.com/archive/1/531593
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-002] vulnerabilities in check_mk ***
---------------------------------------------
Several vulnerabilities were found in check_mk version 1.2.2p2.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - Stored Cross-Site Scripting (XSS) (via URL)
3 - Stored Cross-Site Scripting (XSS) (via external data, no link necessary)
4 - Stored Cross-Site Scripting (XSS) (via external data on service port, no link necessary)
5 - Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
6 - Multiple use of exec-like function calls which allow arbitrary commands
7 - Deletion of arbitrary files
---------------------------------------------
http://www.securityfocus.com/archive/1/531594
*** Net-snmp snmptrapd Community String Processing Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send a specially crafted SNMP trap request with an empty community string to trigger a flaw in newSVpv() and cause the target snmptrapd service to crash.
Systems with the Perl handler enabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029950
*** Trojan.PWS.OSMP.21 infects payment terminals ***
---------------------------------------------
March 25, 2014 Home users aren't the only ones being targeted by today's threats - various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system.
---------------------------------------------
http://news.drweb.com/show/?i=4259&lng=en&c=9
*** RSA BSAFE Micro Edition Suite (MES) 4.0.x Denial Of Service ***
---------------------------------------------
Summary:
RSA BSAFE MES 4.0.5 contains fix for a security vulnerability that could potentially be exploited by malicious users to
deny access to the affected system.
Details:
This vulnerability may cause unpredictable application behavior resulting in a server crash due to faulty certificate
chain processing logic.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030193
*** PHP Fileinfo libmagic AWK File Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the libmagic library bundled in the Fileinfo extension when processing certain AWK scripts, which can be exploited to cause excessive CPU resources consumption via a specially crafted AWK script file.
---------------------------------------------
https://secunia.com/advisories/57564
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57573
*** Password Hashing Competition ***
---------------------------------------------
Theres a private competition to identify new password hashing schemes. Submissions are due at the end of the month.
---------------------------------------------
https://www.schneier.com/blog/archives/2014/03/password_hashin.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-03-2014 18:00 − Montag 24-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** NSA Targets Sys Admins to Infiltrate Networks ***
---------------------------------------------
The latest Snowden documents show how the National Security Agency targets system administrators, in particular their personal email and social media accounts, in order to access target networks.
---------------------------------------------
http://threatpost.com/nsa-targets-sys-admins-to-infiltrate-networks/104953
*** IBM Security Bulletin: IBM Security Directory Server can be affected by a vulnerability in IBM WebSphere Application Server (CVE-2014-0411) ***
---------------------------------------------
The IBM WebSphere Application Server component provided with IBM Security Directory Server is vulnerable to a transport layer security (TLS) timing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** BlackOS software package automates website hacking, costs $3,800 a year ***
---------------------------------------------
An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/yw9wyT8CoMQ/
*** WPA2 Wireless Security Crackable WIth "Relative Ease" ***
---------------------------------------------
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GNlVmrhVOM4/story01.htm
*** Android update process gives malware a leg-up to evil: Indiana U ***
---------------------------------------------
Old apps get access to privileges that didnt exist when they were written Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/23/android_upd…
*** AWS urges developers to scrub GitHub of secret keys ***
---------------------------------------------
Devs hit with unexpected bills after leaving secret keys exposed. Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they havent inadvertently exposed their log-in credentials.
---------------------------------------------
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-o…
*** D-Link DIR-600L Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in D-Link DIR-600L, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change administrative credentials when a logged-in user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57392
*** Array Networks vxAG / vAPV Undocumented Accounts Security Issues ***
---------------------------------------------
Some security issues have been reported in Array Networks vxAG and vAPV, which can be exploited by malicious people to bypass certain security restrictions.
The security issues are caused due to the device using certain undocumented user accounts with default credentials, which can be exploited to gain otherwise restricted access to the device.
---------------------------------------------
https://secunia.com/advisories/57442
*** PayPal for Android SSL Certificate Validation Security Issue ***
---------------------------------------------
MWR InfoSecurity has reported a security issue in PayPal for Android, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when verifying server SSL certificate within the WebHybridClient class and can be exploited to spoof a HTTPS connection and e.g. conduct Man-in-the-Middle (MitM) attacks.
---------------------------------------------
https://secunia.com/advisories/57351
*** php-font-lib "name" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Daniel C. Marques has reported a vulnerability in php-font-lib, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via the "name" GET parameter to www/make_subset.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
---------------------------------------------
https://secunia.com/advisories/57558
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-03-2014 18:00 − Freitag 21-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Taken in phishing attack, Microsoft's unmentionables aired by hacktivists ***
---------------------------------------------
If Microsoft and eBay arent safe from social engineering attacks, who is?
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B9IE0Uei57U/
*** Kaspersky Internet Security Regular Expression Patterns Processing Denial of Service Vulnerability ***
---------------------------------------------
CXsecurity has discovered a vulnerability in Kaspersky Internet Security, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing regular expression patterns and can be exploited to exhaust CPU resources and render the system unusable.
---------------------------------------------
https://secunia.com/advisories/57316
*** DotNetNuke Unspecified Script Insertion Vulnerability ***
---------------------------------------------
A vulnerability has been reported in DotNetNuke, which can be exploited by malicious users to conduct script insertion attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/57429
*** WordPress WP-Filebase Download Manager Plugin Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the WP-Filebase Download Manager plugin for WordPress, which can be exploited by malicious users to compromise a vulnerable system.
...
Successful exploitation of this vulnerability requires access rights to upload files (e.g. "Editor" access rights).
The vulnerability is reported in version 0.3.0.03. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/57456
*** Zeus variant blocks user activity with full-screen pop-ups ***
---------------------------------------------
Infected users are forced to contend with open windows, which are actually legitimate sites being displayed on their desktops.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/KHHSZFOdcH0/
*** A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot ***
---------------------------------------------
Cybercriminals continue to maliciously 'innovate', further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of malicious economies of scale...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/V6XSH_U-eoU/
*** Siemens SIMATIC S7-1200 Improper Input Validation Vulnerabilities ***
---------------------------------------------
OVERVIEWSiemens has reported two improper input validation vulnerabilities discovered separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research Agency (FOI) in Siemens' SIMATIC S7-1200 PLC. Siemens has produced a new version that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely.AFFECTED PRODUCTSThe following SIMATIC S7-1200 PLC versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-01
*** Siemens SIMATIC S7-1200 Vulnerabilities ***
---------------------------------------------
OVERVIEWSiemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin's work team SCADACS, and Positive Technologies' researchers (Alexey Osipov, and Alex Timorin) have identified six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-02
*** Cisco AsyncOS Patch , (Fri, Mar 21st) ***
---------------------------------------------
Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA). The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is pared, arbitrary commands are executed. This sounds like an OS command injection vulnerability. The parameters (assumed to be
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17839&rss
*** Linux Kernel Netfilter DCCP Processing Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Description: A vulnerability was reported in the Linux Kernel. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted DCCP data to trigger a memory corruption flaw in 'nf_conntrack_proto_dccp.c' and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1029945
*** Horde Framework Unserialize PHP Code Execution ***
---------------------------------------------
Topic: Horde Framework Unserialize PHP Code Execution
Risk: High
Text:## # This module requires Metasploit
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030175
*** Monitoring for unusual network traffic key to banking botnet detection ***
---------------------------------------------
Malware authors have had great success targeting financial institutions in recent years, and in turn those organizations have a vested interest in improving their banking botnet detection capabilities. However, one expert says financial firms are failing because they ignore unusual network traffic.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216637/Monitoring-for-unusual…
*** Nokia X Android smartphone security features detailed ***
---------------------------------------------
... the Nokia X comes with the required security features to protect the data stored on the device without downloading third-party security apps. The three main ways to protect the data on the Nokia X smartphone is the screen security, encryption, and SIM card lock.
---------------------------------------------
http://gadgets.ndtv.com/mobiles/news/nokia-x-android-smartphone-security-fe…
*** Linux Worm Darlloz Infects over 31,000 Devices in Four Months ***
---------------------------------------------
The worm is designed to infect computers running Intel x86 architectures, but it's also capable of infecting devices running MIPS, ARM, PowerPC architectures. Routers, set-top boxes and other devices usually have this kind of architecture. Based on its investigation, Symantec has determined that the main goal of Darlloz is to abuse infected devices for crypto-currency mining. Once it's installed on a computer, the worm installs open source mining software (cpuminer).
---------------------------------------------
http://news.softpedia.com/news/Linux-Worm-Darlloz-Infects-over-31-000-Devic…
*** Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing? ***
---------------------------------------------
On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so: Figure 1. Underground advertisement. The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/YmksHI4j1OM/
*** Spotlight on Java SE 8 Security ***
---------------------------------------------
March 18, 2014 was the long anticipated release of Java SE 8. I though I would spotlight some of the key security features of Java 8 for readers. First, many are not aware of security improvements made to Java 7. Let's begin with a quick review the Java SE 7 security features that were rolled into Java SE 8.
---------------------------------------------
http://www.securitycurmudgeon.com/2014/03/20/spotlight-on-java-se-8-securit…
*** IBM Security Bulletin: IBM WebSphere MQ Internet Pass-Thru - Potential denial of service on the command port listener (CVE-2013-5401) ***
---------------------------------------------
A denial of service vulnerability exists and could be exploited by a remotely connected user to stop the remote administration service. CVE(s): CVE-2013-5401 Affected product(s) and affected version(s): WebSphere MQIPT 2.1.0.0 WebSphere MQIPT 2.0.x Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666863 X-Force Database: http://xforce.iss.net/xforce/xfdb/87297
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL ECDSA Nonces Recovery Weakness ***
---------------------------------------------
Yuval Yarom and Naomi Benger have reported a weakness in OpenSSL, which can be exploited by malicious, local users to disclose certain sensitive information.
---------------------------------------------
https://secunia.com/advisories/57091
*** OpenSSH "child_set_env()" Security Bypass Security Issue ***
---------------------------------------------
The security issue is caused due to an error within the "child_set_env()" function (usr.bin/ssh/session.c) and can be exploited to bypass intended environment restrictions by using a substring before a wildcard character.
---------------------------------------------
https://secunia.com/advisories/57488
*** Oracle VirtualBox 3D Acceleration Multiple Privilege Escalation Vulnerabilities ***
---------------------------------------------
Core Security has reported multiple vulnerabilities in Oracle VirtualBox, which can be exploited by malicious, local users in a guest virtual machine to gain escalated privileges.
---------------------------------------------
https://secunia.com/advisories/57384
*** Cisco Hosted Collaboration Solution Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Hosted Collaboration Solution, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57496
*** Video zeigt Jailbreak von iOS 7.1 ***
---------------------------------------------
Ein Entwickler hat seine Arbeit an einem Jailbreak von iOS 7.1 demonstriert. Apple hatte mit dem jüngsten iOS-Update die Schwachstellen geschlossen, die für den letzten Jailbreak zum Einsatz kamen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Video-zeigt-Jailbreak-von-iOS-7-1-21…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-03-2014 18:00 − Donnerstag 20-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** ZBOT Adds Clickbot Routine To Arsenal ***
---------------------------------------------
The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware. We recently came across one variant detected as TROJ_ZCLICK.A,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rrelQiGbzao/
*** New BlackOS Software Package Sold In Underground Forums ***
---------------------------------------------
We recently came across this particular post in an underground forum: Figure 1. Underground forum post This particular post in Russian was advertising a new product, known as "BlackOS". Contrary to the name, it is not an operating system. However, it is definitely "black", or malicious: it is used to manage and redirect Internet traffic...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mA8O58qz-TQ/
*** Phishing: Gehackter EA-Server hostet falsche Apple-Webseite ***
---------------------------------------------
Kriminelle Hacker haben auf Servern des Spieleherstellers Electronic Arts eine gefälschte Webseite untergebracht, die Apple-IDs samt Passwörtern und Kreditkarteninformationen verlangt. Wie viele Nutzer ihre Daten dort eingegeben haben, ist nicht bekannt.
---------------------------------------------
http://www.golem.de/news/phishing-gehackter-ea-server-hostet-falsche-apple-…
*** "goto fail": Apple drängt Nutzer zum Update ***
---------------------------------------------
Der Mac-Hersteller fordert inzwischen dazu auf, das Update auf OS X 10.9.2 alsbald möglich zu installieren - falls noch nicht geschehen. Ältere Versionen von OS X Mavericks und iOS weisen eine gravierende SSL-Schwachstelle auf.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Apple-draengt-Nutzer-zum-Upd…
*** Android: Sicherheitslücken wegen fehlender Updates bleiben Problem ***
---------------------------------------------
70 Prozent aller Android-Geräte weltweit besitzen eine Browser-Lücke, glaubt ein Forscher. Der simple Aufruf einer Website reicht, um sie auszunutzen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Android-Sicherheitsluecken-wegen-feh…
*** Analysis: Spam report: February 2014 ***
---------------------------------------------
The share of spam in global email traffic decreased by 7.6 percentage points and averaged 65.7% in January. As forecasted, the drop in the share of spam was due to a lull early in January when there is less business activity and a large number of botnets are turned off.
---------------------------------------------
http://www.securelist.com/en/analysis/204792328/Spam_report_February_2014
*** Protokollanalyse: Mogeln im Quizduell ***
---------------------------------------------
Entwickler verlassen sich zu sehr auf HTTPS und verzichten auf grundlegende Sicherheitsmaßnahmen. Über eine Man-in-the-Middle-Attacke konnten Security-Forscher in den Datenverkehr zwischen App-Server und Apps hineinsehen - und entdeckten Sonderbares.
---------------------------------------------
http://www.golem.de/news/protokollanalyse-mogeln-im-quizduell-1403-105276-r…
*** Cisco IronPort AsyncOS Software for ESA and SMA File Validation Flaw Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029937
*** SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-033Project: Nivo Slider (third-party module)Version: 7.xDate: 2014-March-19Security risk: Moderately criticalExploitable from: RemoteVulnerability: Cross Site ScriptingDescriptionNivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system.The module doesnt...
---------------------------------------------
https://drupal.org/node/2221481
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-03-2014 18:00 − Mittwoch 19-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apache Update Resolves Security Vulnerabilities ***
---------------------------------------------
Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.
---------------------------------------------
http://threatpost.com/apache-update-resolves-security-vulnerabilities/104849
*** Ebury-Rootkit: Zombie-Server greifen täglich eine halbe Million Rechner an ***
---------------------------------------------
Zu den Opfern der Malware-Kampagne "Operation Windigo" gehören unter anderem kernel.org und cPanel. Die mit dem Ebury-Rootkit infizierten Server versenden Spam und attackieren Besucher der kompromittierten Webseiten.
---------------------------------------------
http://www.heise.de/security/meldung/Ebury-Rootkit-Zombie-Server-greifen-ta…
*** Wide Gap Between Attackers, BIOS Forensics Research ***
---------------------------------------------
Advanced attackers are ahead of researchers when it comes to understanding firmware vulnerabilities and BIOS forensics, experts from MITRE and Intel said during last weeks CanSecWest.
---------------------------------------------
http://threatpost.com/wide-gap-between-attackers-bios-forensics-research/10…
*** Avast-Toolbar mit Shopping-Spion ***
---------------------------------------------
Die Browser-Toolbar, die unter anderem mit der Antivirensoftware auf den Rechner gelangt, schaut dem Nutzer beim Einkaufen über die Schulter und baut Konkurrenzangebot in die Shop-Seiten ein.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Toolbar-mit-Shopping-Spion-21496…
*** Data suggests Android malware threat greatly overhyped ***
---------------------------------------------
Its no secret that many in the security industry perceive Google Inc.s Android mobile platform to be plagued by malware, but Android security team lead Adrian Ludwig has made it his mission to eradicate the disingenuous meme of the burgeoning Android malware apocalypse.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216335/Data-suggests-Android-…
*** Mailingliste Full Disclosure macht dicht ***
---------------------------------------------
Die bekannte Sicherheits-Mailingliste wurde von ihrem Betreiber bis auf weiteres geschlossen. Full Disclosure war in der Vergangenheit immer wieder Schauplatz der Enthüllung wichtiger Sicherheitslücken.
---------------------------------------------
http://www.heise.de/security/meldung/Mailingliste-Full-Disclosure-macht-dic…
*** 10 Years of Mobile Malware: How Secure Are You? ***
---------------------------------------------
Believe it or not, but it has been 10 years since the first mobile malware was created! On the infographic below, you can see a brief overview of the most important malware events in the past 10 years, with a short description of each of them.
---------------------------------------------
https://www.linkedin.com/today/post/article/20140316112657-67886711-10-year…
*** New Exploits Arrive for Old PHP Vulnerability ***
---------------------------------------------
New exploits for a two-year-old PHP vulnerability popped up in October that allow hackers to run code on websites running vulnerable versions of the web development framework.
---------------------------------------------
http://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881
*** Fake Tor browser for iOS laced with adware, spyware, members warn ***
---------------------------------------------
Title available since November raises questions about App Store vetting process.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/qB_-ioinSh4/
*** WordPress Subscribe To Comments Reloaded Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57015
*** Moodle Multiple Security Issues and Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57331
*** Samba smbcacls security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91849
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 17-03-2014 18:00 − Dienstag 18-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Google's Public DNS Hijacked for 22 Minutes ***
---------------------------------------------
The attackers hijacked the 8.8.8.8/32 DNS server for approximately 22 minutes. According to BGPmon, networks in Brazil and Venezuela were impacted. A screenshot published by the company shows that the traffic was redirected to BT Latin America's networks.
---------------------------------------------
http://news.softpedia.com/news/Google-s-Public-DNS-Hijacked-for-22-Minutes-…
*** Anonymisierung: Sniper-Angriff legt Tor-Nodes lahm ***
---------------------------------------------
Mit einer sogenannten Sniper-Attacke können Angreifer nicht nur gezielt einzelne Tor-Knoten außer Gefecht setzen, sondern innerhalb von wenige Minuten das gesamte Netzwerk lahmlegen. Ein Patch wurde bereits erarbeitet.
---------------------------------------------
http://www.golem.de/news/anonymisierung-sniper-angriff-legt-tor-nodes-lahm-…
*** Scans for FCKEditor File Manager, (Mon, Mar 17th) ***
---------------------------------------------
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17821&rss
*** Hintergründe des Typo3-Hacks weiter im Dunkeln ***
---------------------------------------------
Die Typo3 Association hat keine Informationen zu der Schwachstelle hinter dem Casino-Spam-Hack, der viele Typo3-Webseiten betrifft, und vermutet, dass der Hack andere Ursachen hat. Seiten ohne Typo-Installation sollen ebenfalls betroffen sein.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergruende-des-Typo3-Hacks-weiter…
*** Hidden Windigo UNIX ZOMBIES are EVERYWHERE ***
---------------------------------------------
Check and wipe: The la-la-la-its-not-happening plan is no good Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/windigo_uni…
*** Threatglass Tool Gives Deep Look Inside Compromised Sites ***
---------------------------------------------
Trying to enumerate the compromised sites on the Internet is a Sisyphian task. Luckily, it's not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information...
---------------------------------------------
http://threatpost.com/threatglass-tool-gives-deep-look-inside-compromised-s…
*** March 2014 Security Bulletin Webcast and Q&A ***
---------------------------------------------
Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bull…
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-diff…
*** Red Hat plans unified security management for Fedora 21 ***
---------------------------------------------
One crypto policy to bind them Red Hat is planning a significant change to how its Fedora Linux distribution handles crypto policy, to ship with the due-in-late-2014 Fedora 21 release.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/red_hat_pla…
*** Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting Risk: Low Text:Product: Open-Xchange AppSuite Vendor: Open-Xchange GmbH Internal reference: 31065 Vulnerability type: Cross Site Scriptin...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030134
*** Security Advisory-Y.1731 Vulnerability on Some Huawei Switches ***
---------------------------------------------
Y.1731 is an ITU-T recommendation for OAM features on Ethernet-based networks. Y.1731 provides connectivity detection, diagnosis, and performance monitoring for VLAN/VSI services on MANs.
Some Huawei switches support Y.1731 and therefore, has the Y.1731 vulnerability in processing special packets. The vulnerability causes the restart of switches (Vulnerability ID: HWPSIRT-2013-1165).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** OpenSSH AcceptEnv Wildcard Processing Flaw May Let Remote Authenticated Users Bypass Environment Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029925
*** DSA-2880 python2.7 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2880
*** Bugtraq: 2014 World Conference on IST - Madeira Island, April 15-17 ***
---------------------------------------------
The 2014 World Conference on Information Systems and Technologies
---------------------------------------------
http://www.securityfocus.com/archive/1/531513